CVE-2014-3434 Symantec Endpoint Protection sysplant.sys Heap Overflow - Win7 x86
OSEE Extra Mile Heap Overflow - Win7 x86
HEVD - Heap Overflow - Win7 x86
Heap allocation max 0x1f8, fill up a fake object and overwrite next chunk pool and object header. Change the pointer to the crafted chunk to null in the Type Index Table so when the chunk is freed, the execution path will jump to OkayToCloseProcedure parameter at offset 0x74. We set shellcode pointer to null page at offset 0x74 and free the crafted chunk thus causing the execution to jump to shellcode.
HEVD - Use-After-Free - Win7 x86
Heap spray size of 0x60 using IoCompleteReserve objects fits the object used here perfectly. After heap fung shui is done, allocating and freeing the object forcably leaves a pointer to the old object.
HEVD - Type Confusion - Win7 x86
Callback structure member is not set before passing the pointer to the TypeConfusionObjectInitializer() function.
HEVD - Uninitialized Stack Variable - Win7 x86
When you pass the incorrect magic value the callback parameter is not initialized. Spray stack to overwrite callback using the undocumented function NtMapUserPhysicalPages which copies input to kernel stack.
HEVD - Null Pointer Dereference - Win7 x86
When you pass the incorrect magic value the callback parameter is nulled. Allocate null page and pass shellcode pointer.
HEVD - Integer Overflow - Win7 x86
Supplying an IOCTL input size of 0xffffffff will cause the buffer to pass the max buffer size check due to program adding a size of 4 (terminator size 0xbad0b0b0) to the user buffer input size.
HEVD - Stack Overflow - Win7 x86