Old 01-30-2013, 23:56
r00t
 
Posts: n/a
Allocating BSTR strings in IE9

Hello,

I am currently interested whether anyone from this forum has done some work in exploit development, as I found myself banging on a wall for quite a few.

The issue I am facing is allocating BSTR strings in the HEAP under Internet Explorer 9. I encounter no issues doing it under IE8 using "substring" from JavaScript. I have been playing around with a heap overflow under IE8 and got it working; based on the advisory, IE9 should also be vulnerable, however there are no public references for a BSTR allocation primitive for it.

Note that placing the BSTR strings in memory is essential in order to cause a leak and bypass ASLR. I cannot use simple objects of a certain size, as the heap overflow overwrites the BSTR SIZE DWORD, which is what allows me to get the leak.

If anyone has any insight or ideas regarding this, I would appreciate it.