First of all - great repo! Thanks for sharing.
About the stability issue: you exploited the vulnerability in the DND/CopyPaste mechanism, right? You have corruption in the memcpy in DnDCPMsgV4_UnserializeMultiple(), due to the flawed check in DnDCPMsgV4IsPacketValid(). The issue is that the LFH allocations in the userblocks are randomized, since Win8 dropped the FreeEntryOffset. But you have alloc and free primitives. Why not use the randomization vulnerability and do something like this: https://github.com/saaramar/Deterministic_LFH ?
(It would work until build 16179, but still, that would be pretty cool, wouldn't it? :) )
Thanks!
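The comment above leans on a general heap-grooming fact: when free-slot selection inside a bucket is randomized, allocating until the bucket is full and then freeing one chunk leaves exactly one free slot, so the next allocation of that size lands there deterministically. The following is an added illustration, not code from this repository, from the issue author, or from the linked Deterministic_LFH project: a toy model of a randomized LFH-style bucket (32 slots, a free bitmap and a xorshift PRNG are all assumptions chosen for the simulation, not Windows internals) that contrasts a naive first allocation with the fill-then-free approach.

```c
/*
 * Added example: a toy model of a randomized LFH-style bucket. It is NOT
 * Windows heap code and NOT the Deterministic_LFH technique from the linked
 * repo; slot count, bitmap layout and PRNG are assumptions for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SLOTS 32  /* assumed userblock capacity for one size bucket */

struct bucket {
    uint32_t free_bitmap;  /* bit i set => slot i is free */
    uint32_t rng_state;    /* toy PRNG state standing in for heap randomness */
};

/* Small PRNG so the model is self-contained and reproducible per seed. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static int popcount32(uint32_t v) {
    int n = 0;
    while (v) { v &= v - 1; n++; }
    return n;
}

void bucket_init(struct bucket *b, uint32_t seed) {
    b->free_bitmap = 0xFFFFFFFFu;          /* every slot starts free */
    b->rng_state = seed ? seed : 1;        /* xorshift must not start at 0 */
}

int bucket_free_count(const struct bucket *b) { return popcount32(b->free_bitmap); }

/* Randomized allocation primitive: pick a random free slot, -1 when full. */
int bucket_alloc(struct bucket *b) {
    int nfree = bucket_free_count(b);
    if (nfree == 0) return -1;
    int pick = (int)(xorshift32(&b->rng_state) % (uint32_t)nfree);
    for (int i = 0; i < SLOTS; i++) {
        if (b->free_bitmap & (1u << i)) {
            if (pick-- == 0) { b->free_bitmap &= ~(1u << i); return i; }
        }
    }
    return -1;  /* unreachable: nfree > 0 guarantees a hit above */
}

/* Free primitive: returns false on double free or out-of-range slot. */
bool bucket_free(struct bucket *b, int slot) {
    if (slot < 0 || slot >= SLOTS || (b->free_bitmap & (1u << slot))) return false;
    b->free_bitmap |= 1u << slot;
    return true;
}

/* Groom: saturate the bucket, free `victim`, allocate once. With a single
 * free slot left, randomization has nothing to choose from, so the returned
 * slot equals `victim` regardless of the PRNG state. */
int reclaim_after_fill(struct bucket *b, int victim) {
    while (bucket_alloc(b) >= 0) { }
    if (!bucket_free(b, victim)) return -1;
    return bucket_alloc(b);
}

/* Baseline: without grooming, how often does the first allocation land on
 * `victim`? Expected about trials/SLOTS. */
int naive_hits(uint32_t seed, int victim, int trials) {
    int hits = 0;
    for (int t = 0; t < trials; t++) {
        struct bucket b;
        bucket_init(&b, seed + (uint32_t)t);
        if (bucket_alloc(&b) == victim) hits++;
    }
    return hits;
}

int main(void) {
    struct bucket b;
    bucket_init(&b, 0xC0FFEE);
    printf("naive hits on slot 5: %d / 1000\n", naive_hits(0xC0FFEE, 5, 1000));
    printf("groomed allocation for slot 5 returned slot %d\n", reclaim_after_fill(&b, 5));
    return 0;
}
```

The model also shows the cost of the approach: grooming consumes every slot in the bucket, so the exploit has to be able to afford SLOTS-1 live allocations of the target size, and a double free or out-of-range free is rejected rather than silently corrupting the bitmap.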