Write-up 🔥”Counter Strike: Squirrel Offensive” – ALLES! CTF 2021

September 6, 2021

This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug. UAF by resizing array in sort compare function The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort: The r index passed into _qsort is fixed at the beginning, so by abusing array.resize in compare function, we can retrieve dangling reference […]

→