Exploiting a Use-After-Free vulnerability in a JavaScript engine to get a libc leak and mount a Tcache poison attack to get RCE. All of it through JavaScript :D

Reverse engineer a Verilog VM and bruteforce an authentication key.

Null byte overflow on a heap chunk, which enables a use-after-free. Use unsafe-unlink to get a libc leak and a shell.

The program 2-shot format string: 1) bypass PIE; 2) modify srand seed and function pointer. The new seed lets us control the RIP so we can land on our shellcode.

Exploit a buffer overflow to bypass a login check, into a format string vulnerability to dump the binary and libc. Exploit another buffer overflow into a ROP-chain to get a shell.

Out-of-bounds read (OOBR) allows ASLR leaks and double free. We use the OOBR to mount a Tcache poison attack and eploit the __free_hook pointer to get a shell.