tl;dr

• LOAD and S_TYPE opcodes lead to OOB when addr > DRAM_BASE+DRAM_SIZE
• Get libc and stack pointers and offset to obtain RIP offset and base
• Write ropchain on stack using libc gadgets
• Perform ORW on flag file

tl;dr

• Giving custom array size of NaN, passes checks while allowing OOB r/w
• Use OOB r/w to get libc, stack (environ) addresses
• Craft fake chunk on array and overwrite fastbin fd
• Reset machine to allocate register context on fake chunk
• Overwrite VM sp with real stack
• Push ropchain onto stack and halt VM to execute ropchain

tl;dr

• Double fetch race Condition in store_note function.
• overwrite size during race window to get buffer overflow.
• Do SROP for execve(“/bin/sh\x00”)

tl;dr

• Giving size > 48 causes heap OOB r/w of 16 bytes
• Use OOB r/w get leaks and overwrite objects for rip control

tl;dr

• Simple typer bug, range of BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
• Use range assumptions to create unchecked integer underflow.
• Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
• Use double & object array overlap to create addrOf & fakeObj primitives.
• Create overlapping fake array using StructureID leak to obtain arbitrary R/W.

tl;dr

• Race condition to change the type.
• Leak using uninitialized memory and get rip with overflow.

tl;dr

• Heap Overflow in glob function while handling Tilde operator.
• Abuse null byte overflow to gain RCE.

tl;dr

• Use the integer overflow to trigger a kernel heap overflow.
• Use the heap overflow to overwrite tty structure function pointers to get code execution.

tl;dr

• Jemalloc heap challenge
• A buggy implementation of strncat in merge allows for an overwrite onto the next region

tl;dr

• Arbitrary type confusion in DFG JIT
• Bug eliminates a single CheckStructure node