tl;dr

• Leak with Format String bug.
• Use the arbitrary heap pointer write to overwrite __GI__IO_file_jumps.
• Inject shellode in heap and get code execution in dfprintf.

tl;dr

• Out-of bounds index write allows byte-by-byte overwrite of return address

tl;dr

• Carefully arranging structs on stack so as to overwrite saved rip , without corrupting the stack canary.
• Leak libc with puts and execute a ret2libc to get shell

Writeup from InCTFi 2019 bartender

tl;dr Windows 32-bit SEH exploitation

tl;dr 2 element overflow in Array when jit compiled

tl;dr

• Exploit code for a vulnerability in Firefox, found by saelo and coinbase security.
• IonMonkey does not check for indexed elements on the current element’s prototypes, and only checks on ArrayPrototype. This leads to type-confusion after inlining Array.pop.
• We confuse a Uint32Array and a Uint8Array to get a overflow in an ArrayBuffer and proceed to convert this to arbitrary read-write and execute shellcode.

tl;dr

This post will describe how I exploited CVE-2019-14378, which is a pointer miscalculation in network backend of QEMU. The bug is triggered when large IPv4 fragmented packets are reassembled for processing. It was found by code auditing.