This is the final BinHex exploit path. It achieved full broker success in job
20260429-104010-9091c27f and returned:
flag{1t5_jus7_m0zill4_0n_vms}
This is a status writeup for the current BinHex exploit path. It is not a completed broker solve yet. The exploit has achieved reliable command execution on the scratch/debug CSWB guest, but the exact broker dispenser command is still not stable enough to return the broker marker/flag.
The current path uses a memory corruption bug in Mozilla/CSWB's BinHex decoder.
Status: partial local exploit success, no real broker flag recovered.
The target is HP/Compaq Secure Web Browser / CSWB 1.7-13 on OpenVMS Alpha. The broker accepts an http:// URL and the intended goal is to make the browser execute:
RUN SYS$LOGIN:ANCIENTS$DISPENSE_FLAG.EXE
This is the Array.sort solution path for the Ancients Solaris challenge. It
does not use the Gopher+ vulnerability.
The target is Internet Explorer 5 running on Solaris 2.6/SPARC. The broker visits one submitted HTTP URL and returns the flag when the browser executes:
/usr/local/bin/dispense_flag
This challenge was solved with a memory corruption bug in Internet Explorer 5 for Solaris/SPARC, specifically in libwininet.so's Gopher+ handling.
The short version is:
FUN_0004e1c8 writes a second logical body line through a shifted pointer into a fixed stack buffer.
This file is a self-contained snapshot of the bug families currently tracked in LEADS.md.
It is meant to preserve what is actually known today: bug class, reachability story, supporting decompilation, and current status.
The snippets below are trimmed from the current decompiler corpus for readability. Variable names are Ghidra's unless otherwise noted.
This is still the most important area. There are at least two real bug families here:
Working exploit: manual-work/exploit67_inline.html
Local playtest flag: flag{0ld3r_bu7_n0t_w1s3r}
The current challenge bug is not the old stale-zero bug from OLD_WRITEUP.md. The live bug is an out-of-bounds 12-byte copy in input_setProperty: if a stale Option object from a <select> is assigned back into the same <select> after the select has been shrunk, Netscape copies optionData[stale_index] out of the current options array without checking that stale_index is still in bounds.
The bug is a stale pointer in the select.length grow path. When Netscape grows the lo_FormElementOptionData array, it calls realloc() and then zeroes the newly-added slots through the old pointer. That gives a controlled heap overwrite.
I used that overwrite to corrupt option.value pointers, then turned later option.value = ... assignments into controlled frees inside NSPR's old prmalloc allocator. From there I forged a struct pginfo for the 32-byte bucket, made the allocator hand me a chunk at the GOT, overwrote strdup@GOT with system@plt, and finally triggered:
/usr/local/bin/dispense_flag;/bin/false
Category: Crypto / Pwn
Author: Brendan Dolan-Gavitt (moyix)
Description: Get into the server, Shinji. Or Rei will have to do it again.
NERV Center is a stripped x86-64 Linux binary that implements an Evangelion-themed server with RSA-based authentication. The server generates a 1024-bit RSA key on each connection, and the flag is only accessible after authenticating by signing a random challenge. The flag is then sent encrypted with AES-256-GCM, with the AES key RSA-encrypted using the session's public key.