tl;dr
- The patch adds a vulnerable virtio device
- The device dereferences pointers without bounds checks
- Abuse the OOB pointer access to set up an arbitrary read/write primitive
- Craft an open/read/write ROP chain on the heap
- Overwrite the virtqueue handler with a stack-pivoting gadget
Full solution of Batman Investigation II - Gotham Underground Corruption from bi0sctf 2024
incoming_queue
causing UAF
/internal endpoint
/okay endpoint to access the internal docker registry host.
vec service.
core service is cross-mounted, we can modify the index.html file from the vec service to get RCE on the core service.