One of the FIDL IPC commands we can execute is the GetContent call, which is supposed to read the contents of a particular item from the storage service. What this call actually does, however, is receive a handle to a virtual memory object (VMO) from the storage service and map this VMO into caidanti's memory space - basically, a shared memory mapping. Reversing caidanti-storage-service, we found that this VMO region contained the entire "database" C++ object which implemented the storage service. This included a virtual function table pointer, a pointer to the shared memory region (in the address space of the service), a pointer to a stack object, and all 16 of the key-value pairs which made up the database.
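
To make the design problem concrete, here is an added C model (not code from the writeup or from the caidanti binaries) of a GetContent that exposes the whole database object through the mapped region, beside a version that copies only the requested value out to the caller; the struct layout, field names and sizes are assumptions, not the real service's.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Model of the service's database object (constructed; names and sizes are assumptions). */
enum { NUM_ENTRIES = 16, KEY_LEN = 32, VAL_LEN = 64 };
struct entry { char key[KEY_LEN]; char value[VAL_LEN]; };
struct database {
    const void *vtable;                 /* virtual function table pointer */
    void *shared_region;                /* service-side address of the mapping */
    struct entry entries[NUM_ENTRIES];  /* all 16 key-value pairs */
};
/* Leaky design: the object itself lives in the shared region, so mapping it
 * hands the client every field (vtable, pointers, all 16 pairs), key or not. */
const void *get_content_leaky(const struct database *db, size_t *len) {
    *len = sizeof(*db); return db;
}
/* Hardened design: resolve the key service-side and copy only that value into
 * a caller-owned buffer (on Fuchsia, a fresh value-sized VMO). Returns the
 * value length, or 0 when the key is absent or the value does not fit. */
size_t get_content_hardened(const struct database *db, const char *key,
                            char *out, size_t out_len) {
    for (int i = 0; i < NUM_ENTRIES; i++) {
        if (strncmp(db->entries[i].key, key, KEY_LEN) != 0) continue;
        size_t n = strnlen(db->entries[i].value, VAL_LEN);
        if (n >= out_len) return 0;     /* refuse rather than truncate */
        memcpy(out, db->entries[i].value, n); out[n] = '\0';
        return n;
    }
    return 0;
}
/* Constructed sample database: keyN -> valueN for N in 0..15. */
static struct database *sample_db(void) {
    static struct database db; static int fake_vtbl;
    db.vtable = &fake_vtbl; db.shared_region = &db;   /* stand-in addresses */
    for (int i = 0; i < NUM_ENTRIES; i++) {
        snprintf(db.entries[i].key, KEY_LEN, "key%d", i);
        snprintf(db.entries[i].value, VAL_LEN, "value%d", i);
    }
    return &db;
}
/* 1 if the region the leaky call exposes carries the service's own pointers. */
int leaky_region_exposes_pointers(void) {
    size_t n; const struct database *view = get_content_leaky(sample_db(), &n);
    return n == sizeof(*view) && view->vtable && view->shared_region;
}
/* Bytes the hardened call copies out for key (0 if absent). */
size_t hardened_value_len(const char *key) {
    char buf[VAL_LEN]; return get_content_hardened(sample_db(), key, buf, sizeof buf);
}
```

The leaky variant returns the object's full size regardless of key, which is exactly what makes a vtable pointer and service-side addresses visible to the client; the hardened variant never lets the client see anything but the bytes of the value it asked for.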

**Full Writeup:** [https://github.com/pwning/public-writeup/tree/master/rwctf2019/caidanti](https://github.com/pwning/public-writeup/tree/master/rwctf2019/caidanti)