9 comments on “Heap spraying in Internet Explorer with rop nops

  1. good job!but when i test this exploit-exploit.htm. i find that a9
    in the 0x7c3413a9 ,maybe the bad characters!everytime i debug in the ollydbg the num 0xa9 change to 0x3f. i don’t know how you test this. i test the exp in xp sp2 and IE6…so i serch another xchg address 0x7c342643.this time it works good!

  2. Strange, I think it could be the OS language, try filling the first 215 bytes with a9 instead of 41 and set a breakpoint on 0x7c376223 and check the stack when breaks. For me a9 was fine, anyway glad you got it working 🙂

  3. headersize should be 0x10; it does not matter for this case, but that is why you have 0x0000 values at the end of heap’s blocks.

    headersize 0x24 was in IE8.

  4. BTW, one more thing that works for me. You do not need padnum function at all. Just add any string before nop. if any concat operation will be in the loop, spary will work.

    codewithnum = “HI” + code;
    heap_chunks[i] = codewithnum.substring(0, codewithnum.length);

  5. Hey man. Nice blog post. I tried Peter Van Eeckhoutte’s scripts, but they didn’t seem to heap spray in IE9 correctly for me. Your stuff helped me to figure out what was wrong with my javascript.

    Also, you mention above that you are weak in V-table exploitation. Check out my blog post here:

    heh–you’re trying to learn something that I wrote about and im trying to learn something you wrote about. This works out well for both of us 🙂

  6. Glad I could help 🙂 Thanks for sharing the link about v-table exploitation, I look forward to reading it 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *