RCE Without Native Code: Exploitation of a Write-What-Where in Internet Explorer

At this point it's pretty much game over: we have arbitrary read and write access to the memory space of the current process.

Exploitation, Part 2: From Memory Control to Code Execution
Traditionally, the next step would be to leverage our memory read and write capabilities to initiate ROP-style execution, leading ultimately to a native payload stage. I conjecture that once an attacker has arbitrary read/write access to the process's address space, there will always be a way to construct hazardous objects in memory that yield easy code execution.
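To make the "hazardous object" idea concrete, here is an added example that is not code from the ZDI post and does not model any Internet Explorer internals. It simulates, in a single C process, the usual shape of the attack: a victim object whose first field is a vtable pointer (the layout both MSVC and GCC use for C++ objects with virtual methods), a write-what-where primitive and an arbitrary read, and the construction of a fake vtable so that the next virtual call on the victim dispatches to a function of the attacker's choosing. The names `Obj`, `write_where`, `read_where`, `attacker_target` and `hijack_and_call` are all hypothetical; `attacker_target` stands in for whatever existing native function the attacker wants called and simply returns a marker value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical victim object. Field 0 is the vtable pointer, as in a
 * C++ object with virtual methods. */
typedef struct Obj Obj;
typedef int (*method_t)(Obj *self);

struct Obj {
    method_t *vtable;
    int state;
};

/* Legitimate behaviour: the virtual method returns the object's state. */
static int legit_method(Obj *self) { return self->state; }
static method_t legit_vtable[] = { legit_method };

/* Stand-in for an existing native function the attacker wants to reach.
 * Nothing is injected; this is already-present code, which is the kind
 * of target that remains reachable even when shellcode is not an option. */
static int attacker_target(Obj *self) { (void)self; return 0x1337; }

/* Simulated write-what-where: store a pointer-sized value at any address.
 * memcpy is used so the write does not depend on the target's alignment. */
static void write_where(uintptr_t where, uintptr_t what) {
    memcpy((void *)where, &what, sizeof what);
}

/* Simulated arbitrary read of a pointer-sized value. */
static uintptr_t read_where(uintptr_t where) {
    uintptr_t v;
    memcpy(&v, (void *)where, sizeof v);
    return v;
}

/* Attacker-controlled memory that will serve as the fake vtable. */
static method_t fake_vtable[1];

/* 1. Read the victim's vtable pointer (offset 0) to confirm the layout.
 * 2. Fill the fake vtable with the chosen target.
 * 3. Overwrite the victim's vtable pointer with the fake vtable's address.
 * 4. Trigger an ordinary virtual call; it now lands in attacker_target. */
static int hijack_and_call(Obj *victim) {
    uintptr_t vt = read_where((uintptr_t)victim);
    if (vt != (uintptr_t)legit_vtable)
        return -1;                       /* layout assumption failed */
    fake_vtable[0] = attacker_target;
    write_where((uintptr_t)victim, (uintptr_t)fake_vtable);
    return victim->vtable[0](victim);    /* normal-looking virtual dispatch */
}

/* Baseline: the untouched object behaves normally. Returns 42. */
static int call_legit(void) {
    Obj o = { legit_vtable, 42 };
    return o.vtable[0](&o);
}

/* Full demonstration: hijack, then dispatch. Returns 0x1337. */
static int demo(void) {
    Obj o = { legit_vtable, 42 };
    return hijack_and_call(&o);
}

int main(void) {
    printf("legit call -> %d\n", call_legit());
    printf("after vtable hijack -> 0x%x\n", demo());
    return 0;
}
```

Two practical caveats follow from this shape. First, the read in step 1 is not decorative: in a real process the attacker confirms the object's layout and the vtable's location before writing, because a bad guess turns a controlled write into a crash. Second, on Windows builds with Control Flow Guard, an indirect call through a corrupted vtable is only permitted when the target is a registered valid call target (in practice, the start of an existing function), so the fake entry has to name existing code rather than injected shellcode; that constraint is one reason techniques that reach code execution without a native payload stage are attractive.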

Source: www.thezdi.com