Hello, are you going to release the attack against cred?
Actually, I wonder how you can leverage the high-privilege cred object after freeing the victim object, as different victim objects may be in different slab caches. How can you escalate the privilege of the current process by heap spraying to occupy the cred pointer within the victim object? One assumption is to do a cross-cache attack. Not sure...
Thanks!