0x00 Overview

Last weekend we played 0CTF/TCTF Quals and got 4th place, which is awesome. As a browser security researcher, I solved Chromium RCE and SBX, and it is the first time I have exploited the Chromium SBX, so I think it is worth writing up. In this challenge, a UAF is caused by improper use of unique_ptr::get, and by manipulating base::queue we can allocate a buffer with the same size as the UAF object, which allows us to completely control the UAF object. Then the heap address can be leaked...
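The root cause named above, a raw pointer taken from unique_ptr::get() that outlives the owning unique_ptr, is a common C++ lifetime bug. The following is an added example, not code from the challenge or from Chromium, that shows the defective ownership pattern next to a hardened one and how the hardened one detects the destroyed object. The types Session, RawObserver and WeakObserver are assumed names chosen for illustration; the example does not reproduce the challenge's code or the base::queue allocation step.

```cpp
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical object standing in for the UAF'd object (name assumed, not from the page).
struct Session {
    std::string name;
    explicit Session(std::string n) : name(std::move(n)) {}
};

// Vulnerable pattern: the observer caches the raw pointer returned by unique_ptr::get()
// and nothing clears it when the owner destroys the object. Any later dereference of
// `cached` is a heap use-after-free; AddressSanitizer reports it as "heap-use-after-free".
struct RawObserver {
    Session* cached = nullptr;
    void Observe(const std::unique_ptr<Session>& owner) { cached = owner.get(); }
};

// Hardened pattern: the owner holds a shared_ptr and the observer keeps a weak_ptr.
// The observer must lock() before every use, so a destroyed object yields no pointer
// instead of a dangling one.
struct WeakObserver {
    std::weak_ptr<Session> cached;
    void Observe(const std::shared_ptr<Session>& owner) { cached = owner; }
    // Returns the name while the object lives and an empty string once it is gone.
    std::string Name() const {
        if (auto live = cached.lock()) return live->name;
        return "";
    }
};

// Shows the defect without dereferencing freed memory: after the owner resets,
// the cached raw pointer is still non-null, i.e. the observer was never told.
bool RawPointerOutlivesOwner() {
    auto owner = std::make_unique<Session>("sess");
    RawObserver obs;
    obs.Observe(owner);
    owner.reset();                 // Session is destroyed here
    return obs.cached != nullptr;  // true: a stale pointer waiting to be used
}

// Shows the hardened pattern detecting destruction: Name() works before reset and
// the weak_ptr reports expired() afterwards.
bool WeakObserverDetectsDestruction() {
    auto owner = std::make_shared<Session>("sess");
    WeakObserver obs;
    obs.Observe(owner);
    bool before = (obs.Name() == "sess");
    owner.reset();                 // last strong reference dropped, Session destroyed
    bool after = obs.cached.expired() && obs.Name().empty();
    return before && after;
}

int main() {
    std::cout << "raw pointer dangles after owner reset: "
              << (RawPointerOutlivesOwner() ? "yes" : "no") << "\n";
    std::cout << "weak_ptr observer detects destruction: "
              << (WeakObserverDetectsDestruction() ? "yes" : "no") << "\n";
    return 0;
}
```

In a real code base the equivalent check is the review question "who clears this pointer when the owner releases the object?"; if the answer is nobody, the raw pointer from get() should be replaced by a weak reference or the observer's lifetime should be bound to the owner's. Compiling with -fsanitize=address and exercising the caching code path is the quickest way to confirm that a suspected cached pointer is actually used after the release.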