pwnhard

babbaboon

miptctf

Task: SpiderMonkey js shell with custom ArrayBuffer.prototype.merge() that has a stale length bug on self-merge. Solution: Use S=3 buffer for minimal 3-byte OOB write to flip RESIZABLE flag on adjacent regular ArrayBuffer, enabling resize to overlap next buffer metadata for AAR/AAW, then hijack native function pointer for code execution.

$ ls tags/ techniques/

type_confusion oob_write spidermonkey arraybuffer resizable_arraybuffer heap_corruption browser_exploitation javascript_engine

self_merge_oobflags_corruptionresizable_flag_flipgc_heap_sprayarbitrary_read_writefunction_pointer_hijacknative_function_overwrite

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]