Action | Rating | Author team |
---|---|---|
Read writeup | not rated | CSG |
Read writeup | 4.0 | BFKinesiS |
Read writeup | 5.0 | the cr0wn |

Nice job on the writeup!
I exploited the second part of abyss slightly differently. I realized that the kernel memory actually directly mapped to offset 0 in the hypervisor memory; the virtual address of the kernel is just ORed with 0x800000 or something like that. So actually I ended up using writing a "read" request to hypervisor to overwrite address zero of kernel and then passing that to "open"