tl;dr

• Sanitizing request causes null byte overflow which corrupts type
• Processing corrupted request doesn’t remove it from incoming_queue
• Reaping corrupted request still leaves it in incoming_queue causing UAF
• Setup crosscache to abuse UAF
• UAF provides free primitive through double reset

tl;dr

• Adding the last character to a tab causes null byte overflow
• Use said overflow to unset prev_inuse bit
• Coalesce upwards with fake chunk to perform unlink attack
• Unlink attack places .bss pointer in place of heap pointer
• Editing .bss allows for Arbitrary R/W

tl;dr

• Giving size > 48 causes heap OOB r/w of 16 bytes
• Use OOB r/w get leaks and overwrite objects for rip control

tl;dr

• Race condition to change the type.
• Leak using uninitialized memory and get rip with overflow.

tl;dr

• Heap Overflow in glob function while handling Tilde operator.
• Abuse null byte overflow to gain RCE.

tl;dr

• Jemalloc heap challenge
• A buggy implementation of strncat in merge allows for an overwrite onto the next region

tl;dr

• UAF in chess game, overwrite __malloc_hook to one_gadget

tl;dr

• Overflow from stdin stucture till main_arena.
• Create fake fastbin chunks to get overlapping chunk and leak.
• Overwrite __malloc_hook using fastbin attack.

tl;dr

• overflow the char candle counter stored in the wax structure and trigger uaf.
• Use the uaf to trigger double free and get shell.