Rating:

In this challenge, a small virtual machine engine is provided and we need to get a shell by providing the virtual machine metadata and byte-code. The vulnerability I exploited is an OOB access: moving the index to the GOT table and changing a function pointer stored in the GOT to a one_gadget. We cannot write to the GOT directly but can only increment and decrement the value, so the idea is to increment or decrement by a constant offset. However, the functions imported in this binary are quite far from the one_gadget, and the program counter is only an int16_t, so the maximum program size is not enough to increment or decrement by an offset that large. The idea is to re-execute the main function several times, incrementing or decrementing each time, so that we can reach the desired pointer.

Original writeup (https://github.com/EmpireCTF/empirectf/blob/master/writeups/2019-08-23-CCCamp/README.md#320-pwn--regfuck).