This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug. Resources on VScript can be found here. Here is the exploit script. UAF by resizing array in sort compare function The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort: // v: VM, o: array object, func: compare func _qsort(v, o, 0, _array(o)->Size()-1, func); The r index passed into _qsort is fixed at the beginning, so by abusing array.
