#1
Allocating BSTR strings in IE9
Hello,
I am currently interested in whether anyone from this forum has done some work in exploit development, as I have found myself banging on a wall for quite a few. The issue I am facing is allocating BSTR strings in HEAP under Internet Explorer 9. I encounter no issues doing it under IE8 using "substring" from JavaScript. I have been playing around with a heap overflow under IE8 and got it working; based on the advisory, IE9 should also be vulnerable, however there are no public references for a BSTR allocation primitive for it. Note that placing the BSTR strings in memory is essential in order to cause a leak and bypass ASLR. I cannot use simple objects of a certain size, as the heap overflow overwrites the BSTR SIZE DWORD, which allows me to get the leak. If anyone has any insight or ideas regarding this, I would appreciate it.
#2
I have no problems creating one in IE10 (win7x86) here. Why is the word HEAP capitalized? What exactly is the problem?
#3
Take a look here: https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
#4
MrSick, thanks!
While that did not solve the problem entirely, by using a random heap I was able to get allocations working correctly under IE9. Now it's just a matter of crafting the heap accordingly.
#5
Yeah, I don't recall many IE9 targets, tbh.
But you can take a look at this Metasploit module using Corelan's random spray: MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption. Good luck!
Tags: allocation, bstr, heap, primitive