The stack holds an array of heap pointers and, next to it, a const limit variable. Because of the const qualifier, decompilers such as IDA show the limit as a plain constant rather than a stack variable, so it is easy to miss that the value actually lives in the frame. A negative OOB write through the array overwrites this limit, which in turn grants positive OOB read/write; from there we get leaks, a double free, and RCE.
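An added illustration of the limit-overwrite mechanism (example code written for this page, not from the challenge binary or its writeup). The frame layout is an assumption for the model: the limit word sits directly below the pointer array, the index check only enforces an upper bound, and the word after the array stands in for whatever the attacker wants to read. The attack writes a large value through index -1 onto the limit, after which a formerly rejected positive index is accepted.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define NSLOTS 4

/* Hypothetical model of the challenge's stack frame, flattened to an array
 * of machine words (an assumption for illustration, not the binary's real
 * layout): word 0 is the limit the decompiler shows as a literal, words
 * 1..NSLOTS are the heap pointers, and the word after the array is a value
 * the attacker wants to read (e.g. a saved pointer). */
struct frame {
    uintptr_t words[NSLOTS + 2];
};
#define LIMIT(f)  ((f)->words[0])
#define SLOTS(f)  (&(f)->words[1])
#define BEYOND(f) ((f)->words[NSLOTS + 1])

static void frame_init(struct frame *f, uintptr_t beyond)
{
    memset(f, 0, sizeof *f);
    LIMIT(f) = NSLOTS;
    BEYOND(f) = beyond;
}

/* The flawed check: it enforces idx < limit only, so negative indices pass,
 * and the limit itself is reachable as SLOTS(f)[-1]. */
static int index_ok(const struct frame *f, long idx)
{
    return idx < (long)LIMIT(f);
}

static int slot_write(struct frame *f, long idx, uintptr_t p)
{
    if (!index_ok(f, idx))
        return -1;
    SLOTS(f)[idx] = p;          /* idx == -1 lands on the limit word */
    return 0;
}

static int slot_read(const struct frame *f, long idx, uintptr_t *out)
{
    if (!index_ok(f, idx))
        return -1;
    *out = SLOTS(f)[idx];       /* idx >= NSLOTS reads past the array */
    return 0;
}

/* Sanity check: with the limit intact, a positive OOB index is refused. */
int rejects_positive_oob(void)
{
    struct frame f;
    uintptr_t v;
    frame_init(&f, 0);
    return slot_read(&f, NSLOTS, &v) == -1 && slot_write(&f, NSLOTS, 1) == -1;
}

/* Two-stage attack; returns 1 when the out-of-bounds read leaks `beyond`. */
int run_attack(uintptr_t beyond)
{
    struct frame f;
    uintptr_t leaked = 0;
    frame_init(&f, beyond);

    /* Stage 1: negative OOB write drops a large value onto the limit. */
    if (slot_write(&f, -1, 0x1000) != 0 || LIMIT(&f) != 0x1000)
        return 0;

    /* Stage 2: the raised limit now admits positive OOB, leaking the word
     * past the array. */
    if (slot_read(&f, NSLOTS, &leaked) != 0)
        return 0;
    return leaked == beyond;
}

int main(void)
{
    puts(rejects_positive_oob() ? "intact limit refuses idx 4" : "model broken");
    puts(run_attack(0xcafe) ? "limit overwritten, OOB read leaks the word past the array"
                             : "attack failed");
    return 0;
}
```

The same shape generalises: once the bound is attacker-controlled, slot_write with a large index is the positive OOB write the summary uses for the double free and the final RCE.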
Using PHP deserialization, we craft an object that, when extracted, exploits the provided SQLite database interface to create a new SQLite database file. That file contains our PHP webshell, leading to RCE.
Exploit a UAF in the program's use of the cJSON library, then abuse the cJSON object struct (with a bit of unsorted-chunk feng shui) to get a heap leak, a libc leak via an arbitrary read through valuestring, an arbitrary free via the child pointer pointing at a fake object, and finally RCE via House of Apple. Writeup here!
Turn a simple primitive, an OOB write from a tuple's backing buffer, into a fakeobj primitive, then use bytestrings to construct a fake type, forge the fake object's vtable, and get a shell. Writeup here!
The challenge moves an object and replaces it with a locked object, rendering the original unusable. We exploit the fact that ob_size is negative for negative longs, which gives us a negative OOB. The negative OOB lets us modify the copy size of the attacker object, so the copy reads out of bounds from the original attacker object and overwrites into another lock object's buffer, eventually leading to a fakeobj primitive. Writeup here!