Vulnerability Development mailing list archives

Re: PEB heap exploitation question


From: nolimit bugtraq <nolimit.bugtraq () gmail com>
Date: Tue, 24 May 2005 00:35:11 -0400

Hello 6d79676d61696c6163636f756e74,

It's a shame that there's not as much documentation on this subject as
on stack overflows. It's a complex subject, and as such can only be
explained by a handful of people.
http://cansecwest.com/csw04/csw04-Oded+Connover.ppt
This is one of the prominent sources about the method.
The Forced Coalescing method I believe is the method you seek clarity
on. It's sad because there was a much better presentation on heap
overflows and SP2/2k3 protection breaking, but cybertech.net no longer
hosts it.
http://www.phreedom.org/solar/exploits/msasn1-bitstring/
This exploit seems to use the method you are speaking of, right down
to the FastPebLockRoutine overwrite. It also explains decently well.

Hopefully this will set you off on the right track.
nolimit

