(static offset falls well within the heap block, but (some of the) block contents near the offset may be controlled).
-
is this a double free? If you can reallocate in between, could be exploitable
-
No. AFAICT it is simply this: RtlFreeHeap(hHeapHandle, 0, pHeapBase+sizeof(VOID*));
-
That is some strange code... looks like somebody tried to implement his own memory management on top of the normal heap?
-
I think the same
-
or maybe just a list of pointers stored on the heap and a missing deref... garbage collector?
-
looks like it's freeing a str that is part of a struct { PVOID* pUnknown; WCHAR szString[]; }: free(szString);
-
are struct values before that str controllable?
New conversation
-
Does this code execute under normal circumstances (without destabilizing the process)? Or have you found a broken branch?
-
I've not checked, but the stack looks like this is a normal code path.
-
And the process is not corrupted after this executes (in terms of any immediate or delayed observable weird changes)?
-
Not sure where you're going. Windows' heap allocator appears to detect it and terminates the process, even without page heap.
-
but I'm interested in whether anyone has seen this before and exploited it. It seems like a completely new class of bugs to me.
-
Okay, so it always crashes there, and you found a way to actually get that code executed.
-
I'd say it's programming bug and QA never got that branch executed.
-
As for exploitation, it seems you'll have to first bypass heap allocator's heap corruption detection.
New conversation
-
on Linux that could enable you to create a nice fake heap I guess. Not sure on Windows though (are there canaries?)...
-
you mean something like mem=malloc(X) and free(mem+x)?
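To make the pattern discussed in this thread concrete (a block laid out as a pointer followed by an inline WCHAR string, then released with the address of the string instead of the block base, i.e. mem=malloc(X); free(mem+sizeof(void*))), here is an added example in C. It is not code from the thread and not code from any Windows component. It models a heap whose free routine validates a per-block header, which is the behaviour the thread attributes to the Windows heap when it refuses the misaligned free, except that it returns an error code instead of terminating the process so the check can be observed and tested. The names demo_alloc, demo_free, string_node, the header layout and the checksum scheme are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical block header placed in front of every allocation (an assumption
 * of this example, loosely modelled on a validated heap entry). 16 bytes keeps
 * the user pointer 16-byte aligned. */
#define BLOCK_MAGIC 0x48454150u /* "HEAP" */
typedef struct block_header {
    uint32_t magic;
    uint32_t size;
    uint32_t checksum;
    uint32_t reserved;
} block_header;

typedef enum { FREE_OK = 0, FREE_INVALID_BLOCK = 1 } free_result;

/* The checksum ties magic and size to the header's own address, so a header
 * read at the wrong address fails validation even if its bytes look plausible. */
static uint32_t header_checksum(const block_header *h) {
    return h->magic ^ h->size ^ (uint32_t)(uintptr_t)h;
}

void *demo_alloc(size_t size) {
    block_header *h = calloc(1, sizeof *h + size);
    if (h == NULL) return NULL;
    h->magic = BLOCK_MAGIC;
    h->size = (uint32_t)size;
    h->checksum = header_checksum(h);
    return h + 1; /* user data starts right after the header */
}

/* Frees a block, but only if p is the base of a live allocation. An interior
 * pointer (base + sizeof(void *), as in the thread) makes us read a "header"
 * that is really the tail of the true header plus the first user bytes; it
 * does not validate, so the call is rejected. A real allocator would raise a
 * heap-corruption error and terminate here; this model returns a code instead. */
free_result demo_free(void *p) {
    if (p == NULL) return FREE_OK;
    block_header *h = (block_header *)p - 1;
    if (h->magic != BLOCK_MAGIC || h->checksum != header_checksum(h))
        return FREE_INVALID_BLOCK;
    free(h);
    return FREE_OK;
}

/* The layout guessed in the thread: a pointer followed by an inline string,
 * so szString sits exactly sizeof(void *) bytes past the block base. */
typedef struct string_node {
    void *pUnknown;
    wchar_t szString[];
} string_node;

string_node *node_create(const wchar_t *s) {
    size_t n = wcslen(s) + 1;
    string_node *node = demo_alloc(sizeof *node + n * sizeof(wchar_t));
    if (node == NULL) return NULL;
    node->pUnknown = NULL;
    memcpy(node->szString, s, n * sizeof(wchar_t));
    return node;
}

/* Buggy release: frees the string field instead of the block, i.e.
 * free(base + sizeof(void *)), the RtlFreeHeap call quoted in the thread. */
free_result node_release_buggy(string_node *node) {
    return demo_free(node->szString);
}

/* Correct release starting from the same interior pointer: step back to the
 * block base with offsetof, which is what CONTAINING_RECORD does on Windows. */
free_result node_release_fixed(wchar_t *szString) {
    string_node *node =
        (string_node *)((char *)szString - offsetof(string_node, szString));
    return demo_free(node);
}

int main(void) {
    string_node *node = node_create(L"interior free");
    if (node == NULL) return 1;
    printf("free(szString): %s\n",
           node_release_buggy(node) == FREE_INVALID_BLOCK ? "rejected" : "accepted");
    printf("free(block):    %s\n",
           node_release_fixed(node->szString) == FREE_OK ? "ok" : "rejected");
    return 0;
}
```

The buggy release passes node->szString, which is sizeof(void *) bytes past the block base; demo_free looks for a header 16 bytes before that address, finds the second half of the real header and the zeroed pUnknown field instead, and rejects the call, so the block is still live and the corrected release can free it. Real allocators differ in detail (glibc checks the chunk size word and aborts with "free(): invalid pointer" for a misaligned pointer; the Windows NT heap validates its encoded block headers), and none of them treats that check as a security boundary, which is why the thread's question about bypassing the heap's corruption detection is the relevant one for exploitation.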