The jump to shellcode is executed by simply interacting with the Number objects created
during preparation of the blocks above. More specifically, we need to force a call to
a virtual method of the underlying NumberInstance object in the JavaScript implementation.
For the blocks that were not overwritten, execution is transferred to
*((*pNI) + 4*k), where k is the index of the invoked method in the virtual function table.
For the block that immediately follows the vulnerable buffer, execution is instead transferred
to *((*pSled) + 4*k). This double dereference of pSled is mildly irritating, but the case
study that follows shows a simple way of dealing with it.
The following JavaScript forces a virtual function call on each NumberInstance object and
thereby triggers execution of the shellcode.
    // Touch every other sprayed Number object; string concatenation dispatches
    // through the object's virtual function table.
    for (i = 901; i < 1000; i += 2) {
        document.write(bigdummy[i][0] + "<br />");
    }