Courtesy of:
W (Javascript, Research & Testing)
esc0rtd3w (Debugging, Research & Testing)
bguerville (ROP Chaining/Javascript & Debugging)
The code was heavily modified but the userland memory leak exploit poc by xerpi provided a perfect basis for this work.
Another UAF exploit was added onto it in order to get userland code execution via ROP to defeat NX (DEP).
With many thanks to Joonie & zecoxao for their regular advice, friendly support & extra testing...
More details & news on http://www.psx-place.com