2020

Learning DIE: Fuzzing with aspect-preserving mutation
Fuzzing typer.cc with fuzzilli
Typer bugs summary: Issue 880207, 906043, 1028863, 1051017
Deep into a Turbofan Typer bug: Chrome Issue 1086890
RopeTwo: V8 part
Query Oriented Programming: Qiangwang Sqlop
UAF to SBX: PlaidCTF 2020 Mojo
From PartitionAlloc to SBX: 0CTF 2020 Chromium Fullchain
Study Chrome's PartitionAlloc
Forget the sandbox escape: Abusing browsers from code execution
Escape sandbox with UAF and heap spray: 0CTF 2020 Chromium SBX
Learn about Chrome sandbox escape exploit chain
V8 Exploit Basics
UAF in v8: 0CTF/TCTF 2020 Chromium RCE
Eliminating redundant Map checks: 34C3CTF v9
KVM Basics
Write to kernel address zero: HITCON 2018 Abyss II
Escape from Stack VM: HITCON 2018 Abyss I
SGXPECTRE: Leaking Enclave Secrets
Escape from seccomp-sandbox and container
AEG: De1CTF 2020 code_runner & Wangding 2020 faster0
Use printf to getshell: House of Husk from ptr-yudai
CBC Byte Reversal Attack: EFAIL
Debugging with GNU libc source code
HITB GSEC CTF Windows Pwn: BABYSTACK
QEMU Pwn: Blizzard CTF 2017 Strng
QEMU Pwn: Basics

2019

PlaidCTF 2018: roll a d8
StarCTF 2019: oob Part 2
StarCTF 2019: oob Part 1
Installing V8 on Ubuntu19.04
Hitcon CTF 2019: LazyHouse Part 2
Hitcon CTF 2019: LazyHouse Part 1
Backdoor CTF: babyheap, babytcache, miscpwn
Browser Pwn: Start from webkit
ret2_dl_runtime_resolve
House of orange
Linux kernel pwn: Setup environment
Leak libc with Unlink+StackPivot+ROP
HITCON CTF Quals 2014: stkof
HITCON CTF Quals 2016: SleepyHolder
0ctf Quals 2017: babyheap
9447 CTF 2015: Search Engine