I got a bug on Windows where userland code is freeing (heap block pointer + static offset). Never seen that before! How exploitable is this?
-
-
And the process is not corrupted after this executes (in terms of any immediate or delayed observable weird changes)?
-
Not sure where you're going. Windows' heap allocator appears to detect it and terminates the process, even without page heap.
-
But I'm interested in whether anyone has seen this before and exploited it. It seems like a completely new class of bugs to me.
-
Okay, so it always crashes there, and you found a way to actually get that code executed.
-
I'd say it's a programming bug and QA never got that branch executed.
-
As for exploitation, it seems you'll have to first bypass the heap allocator's heap corruption detection.
-
In other words, good luck! ;)