I did not get back to this vulnerability the night before last or yesterday; this afternoon the main goal was to verify one idea. A few days ago I made a rough attempt at using a heap spray to execute the shellcode, but it failed. The heap spray changed the value of the ECX register, so although it covered a large region of high memory, the block of memory referenced by CALL [EAX+20] could not be brought under control.
This afternoon I tried doing the heap spray first to fill memory, using 0c0c0c0c as the fill. At that point ECX is undetermined, so EAX is undetermined as well. That does not matter, though, because of the operation that follows. Once the heap spray has finished, the FLV file is loaded again; the previously undetermined ECX is now overwritten with the content of the malformed FLV file, which I also set to 0c0c0c0c, so EAX becomes 0c0c0c0c. Since I had already covered a large tract of contiguous memory, CALL [EAX+20] also lands inside it, and the call goes to 0x0c0c0c0c. The content stored at 0x0c0c0c0c is 0c0c0c0c as well, so execution ends up jumping to address 0x0c0c0c0c, runs down through the harmless instructions, and obediently falls into the shellcode.
A PoC is attached; anyone interested can debug it and take a look. What is rather depressing is that in my tests the overflow does not seem to trigger repeatably: in perhaps three to five runs it fails to control ECX, that is, it fails to control EAX+20. By the way, I am using version 9.0.45.0 of the control.
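To make the chain above concrete, here is an added C model of it; it is not the author's PoC and does not touch a real Flash process. A single malloc'd buffer stands in for the sprayed virtual range, the CALL displacement is taken to be hex 0x20 (an assumption; the post writes it as "20"), the payload is a constructed four-byte INT3 marker, and the chunk layout (0x0c sled, eight 0x90 NOPs, payload at the end of every 64 KiB block) is my own choice. The model shows why 0x0c0c0c0c works as both the pointer fetched by CALL [EAX+0x20] and the slide it jumps into: 0c 0c decodes as OR AL, 0x0c, a two-byte instruction that is harmless at any entry offset. The NOP pad is a practitioner's caveat the post does not mention: because the sled instruction is two bytes long, an odd-length slide would otherwise swallow the first payload byte at the seam.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the sprayed address space.  The real exploit filled
 * process memory through the browser; here one malloc'd buffer stands for
 * the virtual range [REGION_BASE, REGION_BASE + REGION_SIZE). */
#define REGION_BASE   0x0c000000u
#define REGION_SIZE   (16u << 20)          /* 16 MiB, enough to contain 0x0c0c0c0c */
#define CHUNK_SIZE    0x10000u             /* one sprayed block: sled + pad + payload */
#define SPRAY_BYTE    0x0cu                /* "0c 0c" decodes as OR AL, 0x0c on x86 */
#define SPRAY_DWORD   0x0c0c0c0cu          /* value the FLV overwrite leaves in EAX */
#define CALL_DISP     0x20u                /* assumption: displacement of CALL [EAX+0x20] */
#define NOP_PAD       8u                   /* assumption: 0x90 pad absorbs sled parity */

/* Stand-in payload: four INT3 bytes, constructed for the model, not a real shellcode. */
static const uint8_t payload[] = { 0xcc, 0xcc, 0xcc, 0xcc };
#define PAYLOAD_OFF   (CHUNK_SIZE - sizeof payload)   /* payload sits at the chunk end */
#define PAD_OFF       (PAYLOAD_OFF - NOP_PAD)

/* Build the spray: every chunk is [0x0c sled][0x90 pad][payload]. */
uint8_t *spray_region(void)
{
    uint8_t *region = malloc(REGION_SIZE);
    if (!region) return NULL;
    memset(region, SPRAY_BYTE, REGION_SIZE);
    for (uint32_t off = 0; off < REGION_SIZE; off += CHUNK_SIZE) {
        memset(region + off + PAD_OFF, 0x90, NOP_PAD);
        memcpy(region + off + PAYLOAD_OFF, payload, sizeof payload);
    }
    return region;
}

static int in_region(uint32_t vaddr, uint32_t len)
{
    return vaddr >= REGION_BASE && vaddr - REGION_BASE + len <= REGION_SIZE;
}

/* Little-endian DWORD read at a virtual address; 0 if outside the spray. */
uint32_t read_dword(const uint8_t *region, uint32_t vaddr)
{
    if (!in_region(vaddr, 4)) return 0;
    const uint8_t *p = region + (vaddr - REGION_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Model CALL [EAX+0x20]: fetch the call target from sprayed memory.
 * Returns 0 when EAX does not point into the spray (the uncontrolled-ECX case). */
uint32_t resolve_call_target(const uint8_t *region, uint32_t eax)
{
    return read_dword(region, eax + CALL_DISP);
}

/* Walk the sled from EIP.  Decodes only the two opcodes the spray contains:
 * 0c ib = OR AL, imm8 (2 bytes) and 90 = NOP (1 byte).  Stops at the first
 * other byte and returns its address, i.e. where real execution would land. */
uint32_t slide_to_payload(const uint8_t *region, uint32_t eip)
{
    while (in_region(eip, 1)) {
        uint8_t op = region[eip - REGION_BASE];
        if (op == SPRAY_BYTE)  eip += 2;    /* OR AL, 0x0c (or OR AL, 0x90 at the seam) */
        else if (op == 0x90)   eip += 1;    /* NOP */
        else                   return eip;  /* payload reached */
    }
    return 0;
}

/* Address of the payload in the chunk that contains vaddr (where the slide should end). */
uint32_t payload_addr_for(uint32_t vaddr)
{
    uint32_t chunk = (vaddr - REGION_BASE) / CHUNK_SIZE;
    return REGION_BASE + chunk * CHUNK_SIZE + PAYLOAD_OFF;
}

int main(void)
{
    uint8_t *region = spray_region();
    if (!region) return 1;
    uint32_t target = resolve_call_target(region, SPRAY_DWORD);
    uint32_t landed = slide_to_payload(region, target);
    printf("EAX=%08x -> [EAX+0x20]=%08x -> slide lands at %08x (payload at %08x)\n",
           SPRAY_DWORD, target, landed, payload_addr_for(target));
    printf("uncontrolled EAX=%08x -> target %08x (no control)\n", 0x41414141u,
           resolve_call_target(region, 0x41414141u));
    free(region);
    return 0;
}
```

Running it shows the fetched target equal to EAX, and the slide from 0x0c0c0c0c and from 0x0c0c0c0d both ending on the same payload address; an EAX outside the sprayed range yields no target at all, which is the failure mode the post describes when ECX is not controlled.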