I got a bug on Windows where userland code is freeing (heap block pointer + static offset). Never seen that before! How exploitable is this?
Replying to @berendjanwever
(static offset falls well within the heap block, but (some of the) block contents near the offset may be controlled).
1 reply 0 retweets 1 like -
Replying to @berendjanwever
is this a double free? If you can reallocate in between, could be exploitable
1 reply 0 retweets 0 likes -
Replying to @saidelike
No. AFAICT it is simply this: RtlFreeHeap(hHeapHandle, 0, pHeapBase+sizeof(VOID*));
1 reply 0 retweets 0 likes -
Replying to @berendjanwever @saidelike
That is some strange code... looks like somebody tried to implement his own mem management on top of normal heap?
1 reply 0 retweets 0 likes -
I think the same
1 reply 0 retweets 1 like -
or maybe just a list of pointers stored on the heap and a missing deref... garbage collector?
1 reply 0 retweets 0 likes -
looks like it's freeing a str that is part of a struct { PVOID* pUnknown WCHAR[] szString } free(szString);
1 reply 0 retweets 0 likes -
are struct values before that str controllable?
1 reply 0 retweets 0 likes
it's just that one pointer, I don't think it's controllable.
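The pattern the thread converges on (a block of the shape { pointer; inline string } whose string member, at base + sizeof(void*), is passed to the heap's free routine), as an added example that is not code from the thread or from any of the participants. It is portable C on top of malloc/free rather than RtlFreeHeap, the struct layout is the one guessed in the discussion, and the small tracking allocator is a hypothetical helper written for this example: it keeps block bases out of band, so a free of an interior pointer is rejected rather than parsed as a heap header. That is the same class of check Page Heap or ASan would perform, and the last function shows why the question "are the struct values before that string controllable?" matters: a heap that trusts in-band metadata would read the struct's first field as the block header.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constructed layout, not taken from any real binary: one pointer followed
 * by an inline wide string.  The "static offset" in the thread is the size
 * of the first field. */
typedef struct {
    void **pUnknown;      /* application data sitting right before szString */
    wchar_t szString[];   /* flexible array member at offset sizeof(void *) */
} STRING_BLOCK;

/* Hypothetical debug allocator: records base and size of every live block
 * out of band, so freeing base + offset can be recognised instead of being
 * interpreted as a heap header. */
typedef struct { void *base; size_t size; } LIVE_BLOCK;
#define MAX_LIVE 16
static LIVE_BLOCK g_live[MAX_LIVE];

void *tracked_alloc(size_t size) {
    void *p = malloc(size);
    if (p == NULL) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i].base == NULL) { g_live[i].base = p; g_live[i].size = size; return p; }
    }
    free(p);   /* table full: refuse rather than lose track of a block */
    return NULL;
}

/* Frees only exact block bases and returns 0.  For any other pointer it
 * returns -1, leaves the heap untouched, and stores in *offset_out how far
 * inside a live block the pointer lies (-1 if it lies in none). */
int tracked_free(void *ptr, ptrdiff_t *offset_out) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i].base == ptr) {
            free(ptr);
            g_live[i].base = NULL;
            g_live[i].size = 0;
            if (offset_out) *offset_out = 0;
            return 0;
        }
    }
    if (offset_out) *offset_out = -1;
    for (int i = 0; i < MAX_LIVE; i++) {
        char *lo = g_live[i].base;
        if (lo != NULL && (char *)ptr > lo && (char *)ptr < lo + g_live[i].size) {
            if (offset_out) *offset_out = (char *)ptr - lo;
            break;
        }
    }
    return -1;
}

/* The buggy pattern from the thread: free(szString) instead of free(block).
 * Returns the detected interior offset, i.e. sizeof(void *). */
ptrdiff_t demo_interior_free(void) {
    STRING_BLOCK *blk = tracked_alloc(sizeof(*blk) + 8 * sizeof(wchar_t));
    if (blk == NULL) return -2;
    blk->pUnknown = NULL;
    wcscpy(blk->szString, L"hello");
    ptrdiff_t off = 0;
    int rc = tracked_free(blk->szString, &off);   /* rejected: interior pointer */
    if (rc != -1) return -3;
    tracked_free(blk, NULL);                      /* release the block correctly */
    return off;
}

/* The correct pattern, for contrast: returns 0. */
int demo_correct_free(void) {
    STRING_BLOCK *blk = tracked_alloc(sizeof(*blk) + 8 * sizeof(wchar_t));
    if (blk == NULL) return -2;
    wcscpy(blk->szString, L"hello");
    return tracked_free(blk, NULL);
}

/* A heap that trusts in-band metadata reads the bytes just before the freed
 * pointer as the block header.  For the interior pointer those bytes are the
 * struct's own first field, i.e. whatever the program stored in pUnknown.
 * Returns 1 when the would-be header address equals &blk->pUnknown. */
int header_is_application_data(void) {
    STRING_BLOCK *blk = tracked_alloc(sizeof(*blk) + 8 * sizeof(wchar_t));
    if (blk == NULL) return -2;
    blk->pUnknown = NULL;
    void *would_be_header = (char *)blk->szString - sizeof(void *);
    int same = (would_be_header == (void *)&blk->pUnknown);
    tracked_free(blk, NULL);
    return same;
}
```

The interior free is caught precisely because the allocator never consults the bytes adjacent to the pointer; a production heap that validates a header at ptr - sizeof(header) is instead reading application data at that address, which is why the thread's follow-up question about controlling those struct fields is the right one to ask when assessing the bug.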