
Answer Page

Answer to this objective.

A Use After Free (UAF) vulnerability was found and verified in the code. The vulnerability exists in the following block of code.

mov     rcx, rsi        ; Memory
call    free
mov     [rsp+1D8h+lpUsedDefaultChar], rbx ; lpUsedDefaultChar
mov     [rsp+1D8h+lpDefaultChar], rbx ; lpDefaultChar
mov     [rsp+1D8h+cbMultiByte], ebx ; cbMultiByte
mov     [rsp+1D8h+pcchString], rbx ; lpMultiByteStr
mov     r9d, 0FFFFFFFFh ; cchWideChar
mov     r8, rsi         ; lpWideCharStr
xor     edx, edx        ; dwFlags
xor     ecx, ecx        ; CodePage
call    cs:WideCharToMultiByte

And presented in this screenshot.

Reason this is a UAF

This was classified as a Use After Free vulnerability because rsi is copied into rcx, which carries the argument to 'free'; 'free' is then called to release the buffer that rsi points to, and immediately afterwards the same rsi pointer is passed again, as the lpWideCharStr argument, to the Windows API call WideCharToMultiByte.

How to patch this

The simple answer is to not use buffers or blocks of memory after they have been freed. If you need to reuse that memory, you can clean it up and re-initialize the block if need be, but of course that needs to be done safely.
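To make the ordering problem concrete, here is an added C example (not code from this write-up or from the audited binary) that places the pattern from the listing beside a corrected version. wcstombs() is used as a portable stand-in for WideCharToMultiByte, and the function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Added example, not from the original write-up. wcstombs() stands in for
   WideCharToMultiByte(): both take a wide string as input, so the ordering
   bug is the same. The helper names below are hypothetical. */

/* The pattern from the listing: the wide buffer is freed and then handed to
   the conversion call as its input. Shown for contrast only; never call
   it, the read after free() is undefined behaviour. */
char *convert_vulnerable(wchar_t *wide)
{
    size_t n = wcslen(wide) * MB_CUR_MAX + 1;
    char *out = malloc(n);
    free(wide);                          /* call free   (rcx = rsi) */
    if (out) wcstombs(out, wide, n);     /* rsi reused as input: UAF */
    return out;
}

/* Fixed ordering: the wide buffer stays alive until the conversion has
   finished, and the caller's pointer is nulled so it cannot be reused. */
char *convert_fixed(wchar_t **wide)
{
    if (!wide || !*wide) return NULL;
    size_t n = wcslen(*wide) * MB_CUR_MAX + 1;
    char *out = malloc(n);
    if (out && wcstombs(out, *wide, n) == (size_t)-1) {
        free(out);
        out = NULL;
    }
    free(*wide);                         /* release only after last use */
    *wide = NULL;
    return out;
}

/* Build a heap-allocated wide copy of a constructed input so the caller
   owns it, mirroring the buffer that the listing frees. */
wchar_t *make_wide(const wchar_t *src)
{
    size_t len = wcslen(src) + 1;
    wchar_t *w = malloc(len * sizeof *w);
    if (w) memcpy(w, src, len * sizeof *w);
    return w;
}
```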
