d4rk-kn1gh7 / ctf-exploits

A repo storing a few fun CTF exploits, with short writeups.

CTF-Exploits

A repo storing a few fun CTF exploits (Mostly browser-based)

Challenges

| Challenge Name | CTF | Short Writeup |
| --- | --- | --- |
| oob-v8 | StarCTF 2019 | Chromium (v8) challenge: an off-by-one OOB read/write on a JSArray. Use this to change the map of another array's metadata and cause a type confusion (by confusing an object with a float). This can be used to create addrof/fakeobj primitives, and then arbitrary r/w. |
| jsfordummies | zh3r0CTF 2021 | A beginner-friendly set of MuJS challenges. The first bug allows an OOB r/w on the heap via incorrect type casting, and the second bug is a UAF. |
| shapes | Midnightsun Quals 2021 | A type confusion between two types of custom objects, allowing you to overwrite the size of one, giving you OOB r/w on the heap. Use this for a tcache poison. |
| Liars and Cheats | PlaidCTF 2021 | No bounds check for negative indices relative to the heap, and a stack buffer overflow after beating the game. Leak libc and the canary, beat the game, smash the stack. |
| Outfoxed | CoRCTF 2021 | Firefox challenge: an 'oob()' function that allows you to read/write OOB on a JSArray. Use this to overwrite the backing pointer of a typed array to get arbitrary r/w. |
| DeadlyFastGraph | InCTFi 2021 | WebKit (JSC) challenge: a type confusion between two objects. Use this to overwrite the butterfly of the next object in memory to obtain arbitrary r/w. |
| pyast64 | SECCON CTF 2021 | An unintended bug in the pyast64 compiler: improper implementation of += and -= with an array object allows a large OOB r/w on the stack. |
