The stack contains an array of heap pointers, as well as a `const` limit variable that decompilers such as IDA display as a primitive value because of the const marker. A negative OOB write from the array can overwrite this limit, which then grants a positive OOB read/write; that in turn is used for leaks, a double free, and finally RCE.
PHP deserialization to get RCE by executing arbitrary statements in the SQLite engine and creating a fake database file that contains a PHP webshell.
Exploit a UAF in the program's usage of the cJSON library, and abuse the cJSON object struct (with a bit of unsorted-chunk feng shui) to get a heap leak, a libc leak via an arbitrary read through `valuestring`, an arbitrary free via the `child` pointer pointing to a fake object, and finally RCE via House of Apple. Writeup here!
Turn a simple primitive, an OOB write from a tuple's backing buffer, into a fakeobj primitive, and with the help of bytestrings construct a fake type to forge the fake object's vtable and get a shell. Writeup here!