This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug. Resources on VScript can be found here. Here is the exploit script.

UAF by resizing array in sort compare function

The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort:

// v: VM, o: array object, func: compare func
_qsort(v, o, 0, _array(o)->Size()-1, func);

The r index passed into _qsort is fixed at the beginning, so by abusing array.| nyancat0131
Introduction

This post will cover the exploitation chain I used to attack Source 1 Dedicated Servers. I have verified the exploit against these games:

Left 4 Dead
Left 4 Dead 2
Counter-Strike: Global Offensive

Source Engine file system

Source Engine allows games to “mount” multiple directories as the file search path. For example, we have a and b directories. When we mount those directories to the file system, the game will access both directories under the same virtual root (like virtual...| nyancat0131