Tags: pwn mujs
Rating:
The garbage collector's handling of UInt32Array causes a use-after-free: a UInt32Array can share its backing buffer with an ArrayBuffer, so the shared buffer gets freed while the other object still references it. Overlap the freed buffer with a `js_Object` to get a PIE leak from the object's property pointer, then modify the buffer pointer to gain arbitrary read/write, from which one can leak libc and write a ROP chain.
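As an added illustration of the bug class (this is not code from the writeup or from mujs; the names `store`, `obj` and `dangles_after_gc` are hypothetical), the toy mark-sweep collector below models an ArrayBuffer and a Uint32Array view that alias one backing store. In the buggy variant either object's finalizer frees the shared bytes and the collector does not trace from the view to its buffer, so whichever object the script keeps ends up pointing at freed memory; that freed chunk is what the writeup then overlaps with a `js_Object`. In the fixed variant only the ArrayBuffer owns the bytes and marking a view marks its buffer.

```c
/* Added example, not code from the writeup or from mujs: a toy mark-sweep
 * collector modelling the ArrayBuffer / typed-array view sharing bug. */
#include <stdio.h>
#include <stdlib.h>

/* Backing bytes shared by an ArrayBuffer and a Uint32Array view. `freed`
 * lets the model report a dangling reference without touching freed memory. */
typedef struct store {
    unsigned char *bytes;
    size_t len;
    int freed;
} store;

enum kind { K_ARRAYBUFFER, K_UINT32ARRAY };

typedef struct obj {
    enum kind kind;
    int marked;
    store *st;          /* shared backing store */
    struct obj *buffer; /* view -> owning ArrayBuffer; traced only by the fixed GC */
    struct obj *next;   /* intrusive list of every allocated object, for sweep */
} obj;

static obj *heap;

static obj *alloc_obj(enum kind k, store *st, obj *buffer)
{
    obj *o = calloc(1, sizeof *o);
    o->kind = k;
    o->st = st;
    o->buffer = buffer;
    o->next = heap;
    heap = o;
    return o;
}

static void release_store(store *s)
{
    if (!s->freed) {
        free(s->bytes);
        s->bytes = NULL;
        s->freed = 1;
    }
}

/* Mark phase. Only the fixed collector keeps a view's ArrayBuffer alive. */
static void mark(obj *o, int fixed)
{
    if (!o || o->marked)
        return;
    o->marked = 1;
    if (fixed && o->kind == K_UINT32ARRAY)
        mark(o->buffer, fixed);
}

/* Sweep phase. Buggy: whichever object dies first frees the shared bytes.
 * Fixed: only the ArrayBuffer owns and frees them. */
static void sweep(int fixed)
{
    obj **pp = &heap;
    while (*pp) {
        obj *o = *pp;
        if (o->marked) {
            o->marked = 0;
            pp = &o->next;
            continue;
        }
        *pp = o->next;
        if (!fixed || o->kind == K_ARRAYBUFFER)
            release_store(o->st);
        free(o);
    }
}

/* Script under the model: b = new ArrayBuffer(64); v = new Uint32Array(b);
 * then the script drops one of the two and triggers a collection.
 * Returns 1 if the survivor now references freed bytes (the UAF), else 0. */
int dangles_after_gc(int fixed, int keep_view)
{
    store *st = calloc(1, sizeof *st);
    st->bytes = calloc(64, 1);
    st->len = 64;
    obj *b = alloc_obj(K_ARRAYBUFFER, st, NULL);
    obj *v = alloc_obj(K_UINT32ARRAY, st, b);
    obj *root = keep_view ? v : b;

    mark(root, fixed);
    sweep(fixed);
    int dangling = root->st->freed;

    sweep(fixed);   /* teardown: nothing is marked, so everything is collected */
    free(st);
    return dangling;
}

int main(void)
{
    printf("buggy GC, keep buffer: dangling=%d\n", dangles_after_gc(0, 0));
    printf("buggy GC, keep view:   dangling=%d\n", dangles_after_gc(0, 1));
    printf("fixed GC, keep buffer: dangling=%d\n", dangles_after_gc(1, 0));
    printf("fixed GC, keep view:   dangling=%d\n", dangles_after_gc(1, 1));
    return 0;
}
```

The model deliberately stops at the dangling reference and never dereferences freed bytes; in the real target the next allocation of a matching size lands in that chunk, which is the overlap step the writeup relies on.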