Tags: pwn mujs 


The garbage collector's handling of UInt32Array leads to a use-after-free (UAF), because a UInt32Array can share its buffer with an ArrayBuffer. Use this to overlap a buffer with a `js_Object`, which gives a PIE leak from the property pointer and arbitrary read/write by modifying the buffer pointer; from there one can leak libc and write a ROP chain.
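
The ownership mistake behind this class of bug, as an added example that is not taken from the writeup or from mujs: a simplified C model in which a typed-array view and an ArrayBuffer share one backing store, comparing a finalizer that frees the store unconditionally with a reference-counted one. The `Store`/`Obj` types and all function names are hypothetical, and it assumes the flaw is that collecting the view releases the shared buffer.

```c
/* Simplified ownership model; all names are hypothetical (not mujs code). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint8_t *data;  /* backing memory; NULL once released (model only) */
    int      refs;  /* live objects still pointing at this store */
} Store;
typedef struct { Store *store; } Obj;  /* ArrayBuffer or typed-array view */

static Store *store_new(size_t len) {
    Store *s = calloc(1, sizeof *s);
    if (s && !(s->data = calloc(1, len))) { free(s); return NULL; }
    if (s) s->refs = 1;
    return s;
}

/* Flawed finalizer: the collected object acts as the sole owner. */
static void finalize_unchecked(Obj *o) {
    free(o->store->data);
    o->store->data = NULL;  /* a real stale pointer would not be cleared */
    o->store = NULL;
}

/* Hardened finalizer: release memory only when the last owner dies. */
static void finalize_refcounted(Obj *o) {
    Store *s = o->store;
    o->store = NULL;
    if (--s->refs == 0) { free(s->data); s->data = NULL; }
}

/* Collect the view while the ArrayBuffer lives; 1 = survivor is dangling. */
static int survivor_dangles(void (*finalize)(Obj *)) {
    Store *s = store_new(64);
    if (!s) return -1;
    Obj array_buffer = { s }, view = { s };  /* both share one store */
    s->refs++;
    finalize(&view);                          /* GC sweeps the view */
    int dangling = (array_buffer.store->data == NULL);
    if (!dangling) finalize(&array_buffer);   /* last owner frees */
    free(s);
    return dangling;
}

int main(void) {
    printf("%d %d\n", survivor_dangles(finalize_unchecked), survivor_dangles(finalize_refcounted));
    return 0;
}
```

The model clears the pointer on release so the dangling state can be observed without touching freed memory.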

Original writeup (https://cor.team/posts/Zh3r0%20CTF%20V2%20-%20All%20Pwnable%20Writeups).