3-Jan-2012 [6:09] -- The cool kids' way of finding the use-after-free block size...
Let's say you have found a use-after-free in program X where, at some point, it dereferences a register plus an offset and you want to know how big the freed object was.
You could:
1) Open IDA and look up where the object got created to see the size of the allocation.
2) Enable page heap, attach WinDbg and take a look at the allocation stack trace.
3) Run !heap -p -a on the address in WinDbg.
Or... a quick trick I used today, taking advantage of the fact that full page heap places each block at the end of a page (followed by a guard page) so that buffer overflows are caught. Because the block ends exactly at the page boundary, its size is just the distance from the block's start (the register value, here ebx) to the end of the 0x1000-byte page: mask off the page offset with 0xFFF and subtract from 0x1000. This only holds when full page heap is enabled and the register really points at the start of the block, not somewhere inside it.
1:022:x86> ? 0x1000-(ebx&0x00000FFF)
Evaluate expression: 88 =
00000058 <--- size of chunk
1:022:x86>
Fermin J. Serna - @fjserna