https://www.exploit-db.com/exploits/48415

Analysis

  1. Attach WinDbg to the Frigate3 process.
  2. Generate hundreds of ‘A’ characters.
  3. Copy them to the clipboard.
  4. In Frigate3, go to Disk -> Find Computer.
  5. Paste the clipboard contents into the computer name field.
  6. Crash.

Crash at 4000e8e1.

rep movs copies from [esi] to [edi]. The data at [esi] is longer than the destination buffer, so edi keeps advancing past it; once edi reaches a non-writable memory area, the write faults and the process crashes.

The rep movs is in rtl60!SysutilsStrLCopy.

Decompiling rtl60.bpl in IDA shows that edi is result (the destination) and esi is a2 (the source string).

Observe what happens with a conditional breakpoint; it only stops once the dword at 0x0012ecea is 0x41414141, i.e. the pasted ‘A’s have arrived:
bp 4000e8e1 ".if(poi(0x0012ecea)=0x41414141){};.else{gc;}"

ecx is len(payload) / 4, so rep movs copies ecx dwords: here 0xbf4 iterations of 4 bytes each, 0x2fd0 bytes in total.
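The following C program is an added model of the copy described in steps 1 to 6 and the ecx observation above; it is not Frigate3's or rtl60's code. It builds the ‘A’ payload, sets ecx = len/4 as the analysis reports, and runs a dword-by-dword copy that stops at the first dword that would land outside an assumed writable region (the 0x100 bytes in main are an assumption standing in for the real page boundary, which is where rep movsd faults). It also records what poi(edi) would show afterwards, which is the 0x41414141 the conditional breakpoint checks for, and runs a length-clamped copy for comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added model of the copy described above; it is not Frigate3's or rtl60's
 * code. The analysis says ecx = len(payload)/4 and rep movsd then writes
 * ecx dwords from esi to edi. `dest_writable` is an assumed number of
 * writable bytes after edi (standing in for the real page boundary); the
 * loop stops at the first dword that would cross it, which is where the
 * real rep movsd faults.
 */

#define PAYLOAD_MAX 0x4000
#define DEST_MAX    0x1000

struct copy_result {
    size_t   ecx;             /* dword count loaded into ecx: len/4 */
    size_t   copied;          /* dwords written before the simulated fault */
    int      faulted;         /* 1 if a write would hit non-writable memory */
    uint32_t first_dword;     /* poi(edi) after the copy; 0x41414141 for 'A's */
    size_t   bounded_copied;  /* bytes a length-checked copy would write */
};

static uint8_t payload[PAYLOAD_MAX];
static uint8_t dest[DEST_MAX];

/* ecx as the analysis reports it: payload length in dwords, remainder dropped */
size_t dword_count(size_t payload_len) { return payload_len / 4; }

/* rep movsd with ecx = len/4, edi = dest, esi = src, faulting when the
 * next dword would land beyond dest_writable bytes. */
static void model_rep_movsd(struct copy_result *r, size_t dest_writable,
                            const uint8_t *src, size_t src_len)
{
    r->ecx = dword_count(src_len);
    r->copied = 0;
    r->faulted = 0;
    for (size_t i = 0; i < r->ecx; i++) {
        if ((i + 1) * 4 > dest_writable) { r->faulted = 1; break; }
        memcpy(dest + i * 4, src + i * 4, 4);
        r->copied++;
    }
}

/* Bounded alternative: the copy length is clamped to the destination,
 * so a long payload is truncated instead of running off the buffer. */
static size_t copy_bounded(uint8_t *d, size_t d_size,
                           const uint8_t *src, size_t src_len)
{
    size_t n = src_len < d_size ? src_len : d_size;
    memcpy(d, src, n);
    return n;
}

/* Build a payload of `payload_len` 'A' bytes (step 2 above), run both
 * copies against a destination with `dest_writable` writable bytes, and
 * report what happened. */
struct copy_result run_model(size_t payload_len, size_t dest_writable)
{
    struct copy_result r;
    if (payload_len > PAYLOAD_MAX) payload_len = PAYLOAD_MAX;
    if (dest_writable > DEST_MAX) dest_writable = DEST_MAX;
    memset(payload, 'A', payload_len);
    memset(dest, 0, sizeof dest);

    model_rep_movsd(&r, dest_writable, payload, payload_len);
    memcpy(&r.first_dword, dest, 4);   /* what poi(edi) would show */
    r.bounded_copied = copy_bounded(dest, dest_writable, payload, payload_len);
    return r;
}

int main(void)
{
    /* 0xbf4 dwords is the ecx the analysis observed, i.e. a 0x2fd0-byte payload;
     * 0x100 writable bytes is an assumed boundary for the simulation. */
    struct copy_result r = run_model(0xbf4 * 4, 0x100);
    printf("ecx=%#zx first_dword=%#x faulted=%d after %zu dwords (%zu bytes)\n",
           r.ecx, (unsigned)r.first_dword, r.faulted, r.copied, r.copied * 4);
    printf("bounded copy wrote %zu bytes and did not fault\n", r.bounded_copied);
    return 0;
}
```

The unbounded loop writes 0x40 dwords before the simulated fault because the count came from the payload, not from the destination; the bounded variant stops at the destination size and never faults, which is the check the crashing copy lacks.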