First of all - great repo! Thanks for sharing.
About the stability issue - you exploited the vulnerability in the DnD/CopyPaste mechanism, right? You have a corruption in the memcpy in DnDCPMsgV4_UnserializeMultiple(), due to the flawed check in DnDCPMsgV4IsPacketValid(). The issue is that the LFH allocations in the userblocks are randomized, since Win8 dropped the FreeEntryOffset. But you have alloc and free primitives. Why not use the randomization vulnerability and do something like this: https://github.com/saaramar/Deterministic_LFH ?
(It would work until build 16179, but still, that would be pretty cool, wouldn't it? :) )
Thanks!
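An added illustration, not code from this issue, from the repo under discussion, or from the Deterministic_LFH project: a small C model of a single LFH subsegment whose allocator picks a random starting slot and then takes the first free block from there, which is the post-Win8 behaviour the comment refers to. Everything in it is an assumption made for the demo: the slot count, the xorshift generator standing in for the heap's random byte array, and the helper names (subseg_alloc, subseg_free, place_at, layout_adjacent, count_hits) are invented, and it ignores multiple subsegments, the front-end cache and build-specific search details. What it shows is the shaping idea behind using alloc and free primitives: fill the subsegment, free exactly the slot you want, and the randomized allocation has nowhere else to go, so an overflowing buffer and its victim can be placed adjacently every time; with two clear slots the random hint decides, which is the instability the comment is talking about.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of one LFH subsegment (userblock) with NSLOTS same-size blocks
 * tracked by a busy bitmap. Constructed for illustration; not Windows code. */
#define NSLOTS 64

typedef struct {
    uint64_t busy;  /* bit i set => slot i is allocated */
    uint32_t rng;   /* xorshift32 state; stands in for the heap's random byte array (assumption) */
} subsegment_t;

static uint32_t next_random(subsegment_t *s) {
    s->rng ^= s->rng << 13;
    s->rng ^= s->rng >> 17;
    s->rng ^= s->rng << 5;
    return s->rng;
}

static void subseg_init(subsegment_t *s, uint32_t seed) {
    s->busy = 0;
    s->rng = seed ? seed : 1;  /* xorshift must not start at zero */
}

/* Randomized allocation: random hint, then the first clear bit scanning forward
 * with wrap-around. Returns the slot index, or -1 when the subsegment is full. */
static int subseg_alloc(subsegment_t *s) {
    if (s->busy == UINT64_MAX) return -1;
    unsigned hint = next_random(s) % NSLOTS;
    for (unsigned k = 0; k < NSLOTS; k++) {
        unsigned i = (hint + k) % NSLOTS;
        if (!(s->busy & (1ULL << i))) {
            s->busy |= 1ULL << i;
            return (int)i;
        }
    }
    return -1;  /* unreachable: a clear bit exists */
}

/* Free a slot; -1 if the index is bad or the slot is not allocated (double free). */
static int subseg_free(subsegment_t *s, int i) {
    if (i < 0 || i >= NSLOTS || !(s->busy & (1ULL << i))) return -1;
    s->busy &= ~(1ULL << i);
    return 0;
}

/* Spray: allocate until the subsegment is full, so no clear bits are left. */
static void subseg_fill(subsegment_t *s) {
    while (subseg_alloc(s) >= 0) { }
}

/* Shaping with alloc+free only: fill, free exactly `target`, allocate.
 * The random hint is irrelevant because `target` is the only clear bit. */
static int place_at(subsegment_t *s, int target) {
    subseg_fill(s);
    if (subseg_free(s, target) < 0) return -1;
    return subseg_alloc(s);
}

/* Put the overflowing buffer at slot t and the victim at t+1, one slot at a time,
 * so there is never more than one clear bit when the allocator runs. */
static int layout_adjacent(subsegment_t *s, int t, int *src, int *victim) {
    if (t < 0 || t + 1 >= NSLOTS) return -1;
    if ((*src = place_at(s, t)) != t) return -1;
    if (subseg_free(s, t + 1) < 0) return -1;
    if ((*victim = subseg_alloc(s)) != t + 1) return -1;
    return 0;
}

/* Counter-example: leave two slots clear and count how often `want` is chosen.
 * With randomization the answer is neither 0 nor `trials`. */
static int count_hits(uint32_t seed, int trials, int a, int b, int want) {
    subsegment_t s;
    subseg_init(&s, seed);
    int hits = 0;
    for (int n = 0; n < trials; n++) {
        subseg_fill(&s);
        subseg_free(&s, a);
        subseg_free(&s, b);
        if (subseg_alloc(&s) == want) hits++;
    }
    return hits;
}

int main(void) {
    subsegment_t s;
    int src, victim;
    subseg_init(&s, 0x1234);
    if (layout_adjacent(&s, 17, &src, &victim) == 0)
        printf("source at slot %d, victim at slot %d\n", src, victim);
    printf("two free slots (10, 40): slot 10 won %d of 1000 times\n",
           count_hits(0x1234, 1000, 10, 40, 10));
    return 0;
}
```

The design choice worth noting is that layout_adjacent never leaves two slots clear at once: each free is immediately followed by the allocation meant for it. In the real heap the same discipline has to hold across whatever the front end does with other same-size allocations in between, which is where the alloc and free primitives from the bug come in.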