ExploitationChallengesAnalysis.txt
Exploitation Challenges Analysis
=================================
Challenge 1: Heap Alignment
====================================================================================================================
1. Get a dump of the memory where the string is allocated
-------------------------------------------------------
bp MSHTML!CDOMStringDataList::InitFromString ".printf \"CDOMStringDataList::InitFromString Hit\";.echo;.echo \"ESI Memory Dump: \";dc @esi;.echo;"
CDOMStringDataList::InitFromString Hit
ESI Memory Dump:
06314fe4 0000000a 0000005c 00000000 350c04c9 ....\..........5
06314ff4 88000000 75627488 00000001 00000002 .....tbu........
06315004 00000190 350c0736 88000000 00000000 ....6..5........
06315014 00000000 00000000 00000000 350c0733 ............3..5
06315024 88000000 00000000 00000000 00000000 ................
06315034 00000000 350c0730 88000000 659aaaa4 ....0..5.......e
06315044 6aa99018 00000001 65674e40 350c073d ...j....@Nge=..5
06315054 8a000000 00000008 006f006c 00640061 ........l.o.a.d.
-------------------------------------------------------
2. Get the Heap Entry of the heap chunk where the string has been allocated
---------------------------------------------------------------------------
0:007> !heap -p -a @esi
address 06314fe4 found in
_HEAP @ 340000
HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
06314fd8 0003 0000 [00] 06314fe0 00010 - (busy)
Note: We can see that the size of the allocation is 0x10, whereas the size
of the string is only 0x1 byte.
---------------------------------------------------------------------------
3. Find the start of the adjacent heap chunk
--------------------------------------------
?(HEAP_ENTRY + UserSize + Heap Header)
0:007> ?06314fd8+00010+8
Evaluate expression: 103895024 = 06314ff0
Now dump the contents of the heap chunk at 06314ff0
0:007> dc 06314ff0
06314ff0 350c04c9 88000000 75627488 00000001 ...5.....tbu....
06315000 00000002 00000190 350c0736 88000000 ........6..5....
06315010 00000000 00000000 00000000 00000000 ................
06315020 350c0733 88000000 00000000 00000000 3..5............
06315030 00000000 00000000 350c0730 88000000 ........0..5....
06315040 659aaaa4 6aa99018 00000001 65674e40 ...e...j....@Nge
06315050 350c073d 8a000000 00000008 006f006c =..5........l.o.
06315060 00640061 00000000 350c073a 8c000000 a.d.....:..5....
--------------------------------------------
Note: As we can see in the previous dump, 0000005c 00000000 does not seem to
be our string. 00000000 is the BSTR null terminator (two null bytes);
remember it's Unicode. 0000005c is the extra padding that was inserted.
So, the goal is to find an allocation size where the extra padding is not inserted.
Also, keep the BSTR structure in mind while trying to find a suitable string length.
BSTR structure
==============
header  | unicode string     | NULL terminator
4 bytes | sizeof(string) * 2 | 2 bytes
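The arithmetic in steps 2 and 3 and the BSTR layout above can be checked mechanically instead of by hand. The following Python helper is an added example for this page, not part of the original notes: it parses the `!heap -p -a` row and the `dc` output exactly as WinDbg prints them (the sample text below is copied from the session above), recomputes the adjacent-chunk address the way step 3 does, cross-checks it against the chunk's Size field, and computes how many bytes a BSTR of a given length needs per the layout table. It assumes the 32-bit NT heap layout (an 8-byte _HEAP_ENTRY header, Size counted in 8-byte units), which is what the `+8` in step 3 relies on.

```python
import re

# Constructed sample input, copied from the WinDbg session in these notes
# (this helper is an added example, not part of the original notes).
HEAP_OUTPUT = """\
address 06314fe4 found in
    _HEAP @ 340000
      HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
        06314fd8 0003 0000  [00]   06314fe0    00010 - (busy)
"""

DC_OUTPUT = """\
06314ff0  350c04c9 88000000 75627488 00000001  ...5.....tbu....
06315000  00000002 00000190 350c0736 88000000  ........6..5....
"""

# Assumption: 32-bit NT heap. _HEAP_ENTRY is 8 bytes (the "+8" in step 3)
# and the Size column counts 8-byte granularity units.
HEAP_HEADER = 8
HEAP_GRANULARITY = 8

# One HEAP_ENTRY row as printed by `!heap -p -a <addr>`.
ENTRY_RE = re.compile(
    r"^\s*(?P<entry>[0-9a-f]{8})\s+(?P<size>[0-9a-f]{4})\s+(?P<prev>[0-9a-f]{4})"
    r"\s+\[(?P<flags>[0-9a-f]{2})\]\s+(?P<userptr>[0-9a-f]{8})\s+(?P<usersize>[0-9a-f]+)"
    r"\s+-\s+\((?P<state>\w+)\)",
    re.IGNORECASE,
)

# One `dc` row: address, up to four dwords, then the ASCII column we ignore.
DC_RE = re.compile(r"^\s*([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s+){1,4})", re.IGNORECASE)


def parse_heap_entry(text):
    """Parse the HEAP_ENTRY row of `!heap -p -a` output into integer fields."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            fields = {k: int(v, 16) for k, v in m.groupdict().items() if k != "state"}
            fields["state"] = m.group("state")
            return fields
    raise ValueError("no HEAP_ENTRY row found in !heap output")


def parse_dc(text):
    """Map every address printed by `dc` to the 32-bit value stored there."""
    mem = {}
    for line in text.splitlines():
        m = DC_RE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, word in enumerate(m.group(2).split()):
            mem[base + 4 * i] = int(word, 16)
    return mem


def next_chunk(entry):
    """Step 3 of the notes: HEAP_ENTRY + UserSize + header = start of the adjacent chunk."""
    return entry["entry"] + entry["usersize"] + HEAP_HEADER


def chunk_is_consistent(entry):
    """Cross-check: Size (in 8-byte units) must cover exactly header + UserSize."""
    return entry["size"] * HEAP_GRANULARITY == HEAP_HEADER + entry["usersize"]


def bstr_bytes(char_count):
    """Bytes a BSTR occupies per the layout table: 4-byte header + UTF-16 chars + 2-byte terminator."""
    return 4 + 2 * char_count + 2


if __name__ == "__main__":
    entry = parse_heap_entry(HEAP_OUTPUT)
    adjacent = next_chunk(entry)
    mem = parse_dc(DC_OUTPUT)
    print(f"adjacent chunk at {adjacent:08x}, first dword {mem[adjacent]:08x}, "
          f"Size field consistent: {chunk_is_consistent(entry)}")
    print(f"UserSize 0x{entry['usersize']:x} vs. 1-char BSTR needing {bstr_bytes(1)} bytes")
```

Running it reproduces the page's `?06314fd8+00010+8` result (06314ff0) and confirms that the Size field (0003 units = 0x18 bytes) matches header plus UserSize, so the two ways of locating the neighbour agree; `bstr_bytes` makes the gap between the 8 bytes a one-character BSTR needs and the 0x10 UserSize actually granted visible without manual arithmetic.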
====================================================================================================================
Challenge 2: requiredFeatures attribute value is allocated in OLEAUT32 Cache Heap
====================================================================================================================
====================================================================================================================
Challenge 3: Find suitable object to be used to spray the Process Heap
====================================================================================================================
1. Use IDA Pro to manually look for objects of the desired size and heap
2. Use an IDA Python script to automatically find one for you.
====================================================================================================================