For a number or a string it will just return the value. But there are other instance objects too, and we have no way to be sure that the one we got is a CScriptKeyValues object. Fortunately, the tostring method returns the type name and the in-memory address of any object.

Addresses leaking

As we have a long string from the UAF bug above, we can spray a lot of CScriptKeyValues objects and find one of them using the last 2 bytes of SQInstance::vtable, as those bytes are not affected by Windows ASLR, then use the confusion to watch for changes to the _userpointer field. So we can call the _regexp_* functions using any instance object (examples: self-defined classes, external library classes like the CS:GO script classes). The typetag parameter is 0, which means it will not check for a type mismatch.