After I found the vulnerability, exploitation was easy. All I had to do was tweak the length of the string argument supplied to NewObject() to overflow the stack buffer and gain control of the return address of the current stack frame. As illustrated in Figure 5-9, the distance from the SubKey buffer to the saved return address on the stack is 272 bytes (the offset of the saved return address (+00000004) minus the offset of SubKey (−0x10c): 0x4 − (−0x10c) = 0x110 (272)). I also had to account for the fact that the string “Authoring” and part of the format string are copied into SubKey right before the user-controlled data (see Figure 5-10). All in all, I had to subtract 40 bytes (“