; ebx is attacker controlled 00402CA2 lea ecx, [ebx+1] 00402CA5 push ecx 00402CA6 call MMmallocThe MMalloc() routine performs minimal mathematical operations to the supplied value before allocating memory. An attacker can specify a malicious number that will result in an integer overflow and cause a small memory chunk to be allocated. The original and larger supplied value will be later used in an inline memcpy():
; destination is attacker allocated 00402D6E rep movsd 00402D70 mov ecx, edx 00402D72 and ecx, 3 00402D75 rep movsbThis instruction sequence will copy attacker-supplied data beyond the brims of the allocated heap chunk and arbitrarily overwrite the heap. Too large a payload will cause an access violation as it writes off the end of the heap. If the supplied data is large enough, it will corrupt the heap and eventually result in a classic arbitrary DWORD overwrite in NTDLL during subsequent heap manipulation:
77FCC2C0 mov [ecx], eax 77FCC2C2 mov [eax+4], ecxBy overwriting the address of a soon to be called function, the attacker can redirect CPU flow and eventually execute arbitrary code.