pwnhard

Garden

dicega

Task: Custom VM with mark-and-compact GC, off-heap objects, and limited stack operations. Solution: Exploit null-reference GC corruption to trigger cascading memmove that corrupts object headers, expand off-heap object size for OOB access, leak libc via unsorted bin, and achieve RCE via House of Apple 2 FSOP.

$ ls tags/ techniques/

heap_exploitation custom_vm glibc_2.39 oob_write gc_corruption memmove_cascade house_of_apple_2 fsop vm_escape

gc_null_reference_corruptioncascading_memmove_exploitationoob_length_expansionunsorted_bin_libc_leakhouse_of_apple_2_fsop

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]