To leak memory information, one way is to overwrite the length field of a string (as explained here: http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php).
This works well under IE8, but does anyone know how one can create such a string allocation under IE9? Known methods to allocate such strings don't seem to work under IE9. What javascript code is needed to allocate a few bstr strings of size 0x200 in IE9, for example? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/