I removed an unintended bug, updated my exploit to RS4 and brought my elgoog challenge from 34c3ctf back to life for WCTF. @j00ru managed to solve it without the intended pool metadata corruption, nice
-
-
We can absolutely, just didn’t want to publish much so far because I knew I might reuse it
-
Great, I'll clean up the code a bit and let you know
-
I dumped my own exploit (& sources) at https://github.com/niklasb/elgoog/ , but that's only some short comments in the exploit code so far. I'm just overwriting PrevSize, but it's quite painful to get the right data into the chunks under the constraints given by the driver.
-
Thanks, much appreciated. It's a neat exploit -- I haven't seen too many of them for 1-byte pool overflows in modern Windows. It's much more convoluted than mine, I'm quite happy I didn't actually have to deal with the pool grooming. :) I'll follow up with my code soon
-
I guess getting the precise chunk addresses to survive the linked list checks would usually be a big problem, but my challenge gives those out for free.
-
By the way, set_addr(), read(), write(), steal_token() etc. seem to be artifacts of some other exploitation route?
-
Yeah, the RS3 exploit used palettes because it was running as low integrity.
-
Ah, makes sense, cheers. :)