
Xion leesh3288

  • Carnegie Mellon University
  • Pittsburgh, PA
  • X @0x10n
@leesh3288
leesh3288 / !zer0pts_ctf_2023_flipper_author_writeup.md
Last active July 29, 2023 09:15
zer0pts CTF 2023 flipper (pwn) Author's Writeup

Written by [Xion]

Challenge Summary

Linux kernel heap-relative 1-bit flip primitive, used for local privilege escalation (LPE) to read the flag.

Author's solution

@leesh3288
leesh3288 / vm2_3.9.19_sandbox_escape_2.md
Last active November 15, 2024 03:49
Sandbox Escape in vm2@3.9.19 via custom inspect function

Summary

In vm2 for versions up to 3.9.19, the Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

Proof of Concept

@leesh3288
leesh3288 / vm2_3.9.19_sandbox_escape_1.md
Last active November 15, 2024 03:49
Sandbox Escape in vm2@3.9.19 via `Promise[@@species]`

Summary

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with the @@species accessor property, allowing attackers to escape the sandbox and run arbitrary code.

Proof of Concept

Sandbox Escape in vm2@3.9.16

Summary

There exists a vulnerability in the exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside handleException(), which can be used to escape the sandbox and run arbitrary code in the host context.

Proof of Concept

Sandbox Escape in vm2@3.9.15

Summary

There exists a vulnerability in the source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass handleException() and leak unsanitized host exceptions, which can be used to escape the sandbox and run arbitrary code in the host context.

Proof of Concept