A blind safe-link PROTECT_PTR bypass I came across a while ago.
It requires a strong primitive, namely control of the t-cache metadata.
It references another technique called "House of Water", for which I will open a PR ASAP.
It is a technique for getting t-cache control leaklessly and also for indexing a libc pointer leaklessly.
A sample of these two techniques can be found in the CTF challenge I wrote specifically with them in mind here: Tamagoyaki