Analysis
Introduction
Resources
Disclaimer
USB initialisation
Handling of USB transfers
Initial request handling
Data phase
Use-after-free
Lifecycle of image transfer
USB stack shutdown
Memory leak
Why is a leak needed?
USB request structure
The bug
Exploitation
Heap feng shui
Triggering the use-after-free
The payload
The overwrite
Executing the payload
Explaining the payload
Conclusion