So a while back I am working on determining if I can get controlled memory execution for a memory corruption issue. There is an off by one in a sub function that is overwriting stack memory one byte at a time each time the sub function is called from the parent. The sub function also makes use of a function pointer which as it turns out is one of the first things you start to control as memory gets corrupted.
This makes for an interesting exploit development cycle because the function pointer you are controlling is activley in use and you can only control 1 byte at a time. This means you have to potentially come up 3 valid return addresses, within a limited predefined range and get it to return back to the original function without crashing so the next byte overwrite can occur on schedule.
(The first byte a return address has to be within 0xFF bytes of the default pointer, second within 0xFFFF etc.)
Turned out a usable address combination did exist to pull off code execution for this particular version of the application, but talk about pulling teeth!
Anyway..something reminded me of that today and it was an interesting case so figured i would share.