I've taken a deeper look at the vulnerability in the ShellExecute API function.
http://www.lac.co.jp/security/english/snsadv_e/65_e.html
After some research I've noticed that the lpFile parameter is converted to Unicode
before being handled. The IP can therefore only be overwritten with 00xx00xx values
(where xx can be any legal HEX value). I think that exploitation of this function
becomes very difficult in this way, because there is no 00xx00xx-type memory address
within the overwritten address space (2088 bytes).
I wonder if there are any other techniques available to exploit this kind of vulnerability.
-David
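To make the constraint described in the post concrete, here is an added Python example (not from the post, from LAC, or from any ShellExecute source) that models the narrow-to-wide conversion and checks which 32-bit values such a converted buffer can contain. It assumes a one-to-one Latin-1 style widening to UTF-16LE; a real ANSI code page may map some high bytes (0x80-0x9F) to code points above U+00FF, which this simplification ignores. The function names and the sample input are constructed for the example.

```python
# Added example: why a string widened to UTF-16 before use can only land
# 0x00xx00xx-shaped 32-bit values in memory. Helper names are hypothetical.
import struct
from typing import Iterable, List


def widen(narrow: bytes) -> bytes:
    """Mimic ANSI -> Unicode widening as UTF-16LE.

    Assumption: each input byte maps to the code point of the same value
    (Latin-1). Real code pages may differ for bytes 0x80-0x9F.
    """
    return narrow.decode("latin-1").encode("utf-16-le")


def dwords_from_widened(narrow: bytes) -> List[int]:
    """Interpret the widened buffer as consecutive little-endian 32-bit values."""
    wide = widen(narrow)
    return [struct.unpack_from("<I", wide, off)[0]
            for off in range(0, len(wide) - 3, 4)]


def matches_widened_pattern(value: int) -> bool:
    """True when a 32-bit value has the 0x00xx00xx shape that widening produces."""
    return (value & 0xFF00FF00) == 0


def representable(candidates: Iterable[int]) -> List[int]:
    """Filter candidate 32-bit values down to those a widened buffer could hold."""
    return [v for v in candidates if matches_widened_pattern(v)]


def widened_buffer_length(narrow_len: int) -> int:
    """Each narrow byte becomes two bytes after widening."""
    return narrow_len * 2


if __name__ == "__main__":
    # Constructed sample input: four ASCII bytes.
    sample = b"ABCD"
    for d in dwords_from_widened(sample):
        print(f"0x{d:08x} pattern_ok={matches_widened_pattern(d)}")
    # Constructed candidate values (not real addresses from any binary).
    print([hex(v) for v in representable([0x00410041, 0x7FFE1234, 0x00200020])])
```

Running the block shows that every dword produced from the widened sample has the 0x00xx00xx form, and that a value with any non-zero high byte in either half (such as the constructed 0x7FFE1234) is filtered out, which is exactly the limitation the post describes.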
