Points: 292

Tags: pwn 

theKidOfArcrania Oct. 22, 2018, 7:59 p.m.

Nice job on the writeup!

I exploited the second part of abyss slightly differently. I realized that the kernel memory is actually directly mapped to offset 0 in the hypervisor memory; the virtual address of the kernel is just ORed with 0x800000 or something like that. So actually I ended up using a "read" request to the hypervisor to overwrite address zero of the kernel and then passing that to "open".