S_TYPE opcodes lead to OOB when addr >
- Leak libc and stack pointers and use the known offsets to locate the saved return address (RIP) and the libc base
- Write ropchain on stack using libc gadgets
- Perform open/read/write (ORW) on the flag file
- Supplying a custom array size of NaN passes the size checks (every comparison with NaN is false) while still allowing OOB r/w
- Use the OOB r/w to leak libc and stack (environ) addresses
- Craft fake chunk on array and overwrite fastbin fd
- Reset the machine so that the register context is allocated on the fake chunk
- Overwrite the VM's sp with the real stack pointer
- Push ropchain onto stack and halt VM to execute ropchain
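The NaN size bypass above is a general failure mode, not specific to this challenge: a range check written as two comparisons cannot reject NaN, because `NaN < 0` and `NaN > MAX` are both false. The C program below is an added illustration (not the challenge's code) of a hypothetical array object whose length comes from a user-supplied double; `size_check_vuln`, `size_to_len`, `array_new` and `array_index_ok` are assumed names. It also shows the second half of the chain: on x86-64 the NaN-to-integer conversion yields 0x8000000000000000, which multiplied by 8 wraps to a zero-byte allocation while the stored length makes every index look in-bounds.

```c
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_ELEMS 64

/* Constructed example: an array whose element count is taken from a
 * user-controlled double, as a scripting VM's "new Array(n)" might do. */
typedef struct {
    size_t    len;   /* element count the bounds check trusts */
    uint64_t *data;  /* backing storage, sized from len */
} array_t;

/* Vulnerable check: both comparisons are false for NaN, so NaN is accepted. */
int size_check_vuln(double n)
{
    if (n < 0)         return 0;   /* false when n is NaN */
    if (n > MAX_ELEMS) return 0;   /* false when n is NaN */
    return 1;
}

/* Hardened check: NaN is the only value for which n != n, and the range test
 * is phrased positively so NaN cannot slip through either comparison. */
int size_check_fixed(double n)
{
    if (n != n) return 0;                          /* reject NaN explicitly */
    return n >= 0 && n <= MAX_ELEMS && n == (double)(size_t)n;
}

/* Converting NaN to an integer is undefined in C; on x86-64 cvttsd2si returns
 * the "integer indefinite" value 0x8000000000000000. Model that explicitly
 * (assumes a 64-bit size_t) so the demo is deterministic. */
size_t size_to_len(double n)
{
    if (n != n) return (size_t)1 << 63;
    return (size_t)n;
}

array_t *array_new(double n, int hardened)
{
    if (!(hardened ? size_check_fixed(n) : size_check_vuln(n)))
        return NULL;
    size_t len = size_to_len(n);
    array_t *a = malloc(sizeof *a);
    if (!a) return NULL;
    a->len  = len;
    /* (1 << 63) * 8 wraps to 0, so the NaN array gets a zero-byte chunk. */
    a->data = malloc(len * sizeof(uint64_t));
    return a;
}

/* The bounds check the NaN length defeats: idx < 0x8000000000000000 holds for
 * any index a heap can contain, so every access is OOB relative to data. */
int array_index_ok(const array_t *a, size_t idx)
{
    return a != NULL && idx < a->len;
}

int main(void)
{
    array_t *a = array_new(NAN, 0);
    printf("vuln check accepts NaN: %d, len = 0x%zx, idx 1000 ok: %d\n",
           size_check_vuln(NAN), a ? a->len : 0, array_index_ok(a, 1000));
    printf("fixed check accepts NaN: %d\n", size_check_fixed(NAN));
    return 0;
}
```

The fix is the positive form of the check (`n >= 0 && n <= MAX`), which a NaN fails; the explicit `n != n` test is belt and braces. Note that the vulnerable path never touches `data` here, so the program itself does not corrupt memory; it only shows that the length the bounds check trusts is wrong.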
- Supplying a size > 48 causes a 16-byte heap OOB r/w
- Use the OOB r/w to get leaks and overwrite objects for RIP control
- Simple typer bug: the range of the BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
- Use range assumptions to create unchecked integer underflow.
- Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
- Use double & object array overlap to create addrOf & fakeObj primitives.
- Create overlapping fake array using StructureID leak to obtain arbitrary R/W.
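To make the typer bug concrete, the C program below is an added model of the range analysis (it is not JavaScriptCore's code): an interval for `x & c` is computed with the buggy rule [1, c] and the correct rule [0, c], a constant subtraction is propagated through it, and the bounds check on `a[idx]` is eliminated only when the analysed range provably lies in [0, length). The index expression `(x & c) - 1`, the names `bitand_range_buggy`, `check_eliminated` and `jit_load`, and the storage layout with one header word before the elements are assumptions for the illustration. With the buggy rule the analysis proves `(x & 7) - 1` is in [0, 6], drops the check, and the concrete value `x = 8` then yields index -1, reading the word before the elements.

```c
#include <stdint.h>
#include <stdio.h>

#define GUARD_FAILED INT64_MIN   /* sentinel returned when a kept check fails */

/* Inclusive integer interval, as a DFG-style range analysis tracks it. */
typedef struct { int64_t lo, hi; } range_t;

/* Buggy rule from the writeup: x & c with a non-negative constant c is assumed
 * to produce [1, c]. The correct rule is [0, c]: e.g. (c + 1) & c == 0. */
range_t bitand_range_buggy(int64_t c) { return (range_t){ 1, c }; }
range_t bitand_range_fixed(int64_t c) { return (range_t){ 0, c }; }

/* Range of (v - k) for a constant k. */
range_t sub_const(range_t v, int64_t k) { return (range_t){ v.lo - k, v.hi - k }; }

/* Bounds-check elimination: the check is dropped iff idx is provably in [0, length). */
int check_eliminated(range_t idx, int64_t length)
{
    return idx.lo >= 0 && idx.hi < length;
}

/* Concrete evaluation of the same expression the analysis reasoned about. */
int64_t concrete_index(int32_t x, int32_t c) { return (int64_t)(x & c) - 1; }

/* Simulated JIT'd load from an array whose storage is `words`: words[0] models
 * the header that sits before the elements, words[1..length] are the elements.
 * If the analysis eliminated the bounds check, the emitted code indexes
 * unconditionally; otherwise the guard is kept and failure returns the sentinel. */
int64_t jit_load(const int64_t *words, int64_t length, int32_t x, int32_t c, int use_fix)
{
    const int64_t *elems = words + 1;
    range_t r = use_fix ? bitand_range_fixed(c) : bitand_range_buggy(c);
    range_t idx_range = sub_const(r, 1);
    int64_t idx = concrete_index(x, c);

    if (!check_eliminated(idx_range, length) && (idx < 0 || idx >= length))
        return GUARD_FAILED;
    /* With the buggy rule and x == c + 1, idx == -1 and this reads words[0]:
     * the header word before the elements, i.e. an OOB read the check should
     * have stopped. Pointer arithmetic stays inside `words`, so it is defined. */
    return elems[idx];
}

int main(void)
{
    /* Constructed storage: a recognisable header followed by 8 elements. */
    int64_t words[9] = { 0x4141414141414141, 10, 11, 12, 13, 14, 15, 16, 17 };
    printf("buggy analysis, x=8: 0x%llx\n", (long long)jit_load(words, 8, 8, 7, 0));
    printf("fixed analysis, x=8: %lld\n",  (long long)jit_load(words, 8, 8, 7, 1));
    return 0;
}
```

The same shape, with a write instead of a read, is the OOB write the writeup uses to corrupt a neighbouring array's length and set up the double/object overlap.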
- Race condition to change the
- Leak via uninitialized memory and get RIP with an overflow.
- Heap Overflow in glob function while handling
- Abuse null byte overflow to gain RCE.
- Use the integer overflow to trigger a kernel heap overflow.
- Use the heap overflow to overwrite tty structure function pointers to get code execution.
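The first step of that chain, an integer overflow in a size computation that lets a too-small heap allocation pass the length check, follows a pattern worth seeing in code. The C program below is an added illustration and not the challenge's code: a hypothetical kernel-style handler computes the buffer size as a 32-bit `count * RECORD_SIZE`, and the names `alloc_size_vuln`, `alloc_size_fixed` and `overflow_bytes`, the record size and the 4096-byte limit are all assumptions. The vulnerable path does no real copying; `overflow_bytes` just reports how far past the allocation the copy loop would write.

```c
#include <stdint.h>
#include <stdio.h>

#define RECORD_SIZE 16u
#define MAX_BYTES   4096u

/* Vulnerable size computation: the multiplication is performed in 32 bits and
 * wraps, so a huge count can produce a tiny byte size. */
uint32_t alloc_size_vuln(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* The length check trusts the wrapped value. */
int size_check(uint32_t bytes)
{
    return bytes <= MAX_BYTES;
}

/* Hardened version: detect the wrap before the range check. __builtin_mul_overflow
 * is available in GCC and Clang; the kernel's check_mul_overflow() plays the same role. */
int alloc_size_fixed(uint32_t count, uint32_t *out)
{
    uint32_t bytes;
    if (__builtin_mul_overflow(count, RECORD_SIZE, &bytes))
        return 0;
    if (bytes > MAX_BYTES)
        return 0;
    *out = bytes;
    return 1;
}

/* How many bytes the copy loop (which iterates `count` times, RECORD_SIZE bytes
 * each) would write beyond the allocation that the wrapped size produced.
 * Returns 0 when the request is rejected or fits. */
uint64_t overflow_bytes(uint32_t count)
{
    uint32_t bytes = alloc_size_vuln(count);
    if (!size_check(bytes))
        return 0;
    uint64_t written = (uint64_t)count * RECORD_SIZE;
    return written > bytes ? written - bytes : 0;
}

int main(void)
{
    uint32_t count = 0x10000001u;   /* 0x10000001 * 16 = 0x100000010, truncated to 0x10 */
    uint32_t fixed;
    printf("vuln: alloc %u bytes, check passes: %d, overflow by %llu bytes\n",
           alloc_size_vuln(count), size_check(alloc_size_vuln(count)),
           (unsigned long long)overflow_bytes(count));
    printf("fixed: accepted: %d\n", alloc_size_fixed(count, &fixed));
    return 0;
}
```

In a real kernel the allocation would come from kmalloc and the overrun would land on whatever object follows it in the slab, which is what makes a neighbouring tty structure's function pointers reachable.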
- Jemalloc heap challenge
- A buggy implementation of merge allows for an overwrite onto the next region
- Arbitrary type confusion in DFG JIT
- Bug eliminates a single CheckStructure node
- Abuse a stack overflow in a RISC-V binary to return into shellcode.