The following text is what looks like an attempt to circumvent windows 7 and windows 8 memory protections in order to execute arbritrary assembly code. The presented methods are in particular useful for client-side attacks as used for example in browser exploits.

Summary of exploitation stages:

• Fill the heap with random bytes until all memory is used up. During the heap filling stage Windows might become unresponsive and will relax soon afterwards·

• Free small heap blocks one by one and try adding a DLL (for example by using a new ActiveX Object that is loadable without a warning by Internet Explorer) This DLL (and the DLLs that are loaded from it) will be squeezed into the remaining memory region (the space that was freed by us through JavaScript). This address is fixed and predictable for us to jump to

• Free the remaining memory blocks which were allocated before

• Spray the heap using the well known method

• Finally trigger the heap corruption and jump to this fixed DLL base to execute our code in a ROP manner.