----- Original Message -----
> http://goto.ucsd.edu/quark/

Relatedly, this MWR Labs writeup on their Chrome exploit is kind of fun.

"Looking at the crash dumps, we observed that the following undocumented system call triggered the crash"

"In cases where the last argument to NtUserMessageCall is an even number and is non-zero, the allocation function and the function performing the copy operation will interpret this value differently. As an example, if we passed the value 2 as the last argument, the allocation function would treat this as Boolean true, and allocate a buffer big enough to hold the ASCII representation of the string. When the function performing the copy operation is called, it would copy the string as a WCHAR value, because the least significant bit of the value 2 is not set."

https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up-kernel-exploit/

They also have a set of slides on the first part of the attack, to take over the child process:

https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf

_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
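An added illustration, not from the MWR writeup or from anyone on this thread, that models in user-space C the size mismatch the quoted paragraph describes: one side treats the flag as a C boolean, the other tests only its least significant bit. All function names and the 2-byte WCHAR constant are assumptions; the code only computes sizes and includes the kind of consistency audit a reviewer would run over every flag value, plus the obvious fix of normalising the flag once.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of Windows character widths; nothing here touches
 * the real kernel API, it only reasons about byte counts. */
enum { ANSI_BYTES = 1, WCHAR_BYTES = 2 };

typedef size_t (*size_fn)(size_t nchars, unsigned long flag);

/* Allocation side as described in the writeup: any non-zero flag is
 * "true", so the buffer is sized for ASCII. */
size_t alloc_size_vulnerable(size_t nchars, unsigned long flag) {
    return flag ? nchars * ANSI_BYTES : nchars * WCHAR_BYTES;
}

/* Copy side as described: only bit 0 selects ASCII, so flag == 2 copies
 * WCHARs into an ASCII-sized buffer. */
size_t copy_size_vulnerable(size_t nchars, unsigned long flag) {
    return (flag & 1) ? nchars * ANSI_BYTES : nchars * WCHAR_BYTES;
}

/* Fixed pair: both sides derive the width from one canonical test. */
size_t alloc_size_fixed(size_t nchars, unsigned long flag) {
    return (flag != 0) ? nchars * ANSI_BYTES : nchars * WCHAR_BYTES;
}
size_t copy_size_fixed(size_t nchars, unsigned long flag) {
    return (flag != 0) ? nchars * ANSI_BYTES : nchars * WCHAR_BYTES;
}

/* True when the copy would write more bytes than were allocated. */
bool overflows(size_fn alloc, size_fn copy, size_t nchars, unsigned long flag) {
    return copy(nchars, flag) > alloc(nchars, flag);
}

/* Audit helper: count flag values in [0, max_flag] on which the two
 * interpretations disagree in the unsafe direction. */
unsigned count_mismatches(size_fn alloc, size_fn copy, unsigned long max_flag) {
    unsigned n = 0;
    for (unsigned long f = 0; f <= max_flag; f++)
        if (overflows(alloc, copy, 16, f)) n++;
    return n;
}

int main(void) {
    printf("vulnerable pair, flags 0..8: %u unsafe values\n",
           count_mismatches(alloc_size_vulnerable, copy_size_vulnerable, 8));
    printf("fixed pair, flags 0..8: %u unsafe values\n",
           count_mismatches(alloc_size_fixed, copy_size_fixed, 8));
    return 0;
}
```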
Relatedly, this MWR Labs writeup on their Chrome exploit is kind of fun. "Looking at the crash dumps, we observed that the following undocumented system call triggered the crash" "In cases where the last argument to NtUserMessageCall is an even number and is non-zero, the allocation function and the function performing the copy operation will interpret this value differently. As an example, if we passed the value 2 as the last argument, the allocation function would treat this as Boolean true, and allocate a buffer big enough to hold the ASCII representation of the string. When the function performing the copy operation is called, it would copy the string as a WCHAR value, because the least significant bit of the value 2 is not set." https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up-kernel-exploit/ They also have a set of slides on the first part of the attack, to take over the child process: https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf _______________________________________________ dev-servo mailing list dev-servo@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-servo