To learn to exploit real heap memory corruption vulnerabilities on Windows, one of the things you have to do is read everything Matt Conover has published. The following are two posts from the Symantec Security Response Blog about double free() bugs. More articles and publications by him will be posted later in this blog.
In light of the recent CSRSS double free bug, I wanted to provide some information on the exploitation of double frees on Windows XP SP2 and later. Prior to XP SP2, double frees were trivial to exploit, but now the security cookie (in each heap chunk) and safe unlinking checks make it more difficult to exploit. So this blog entry will discuss the exploitability on XP SP2 and later heap implementations.
Double Free Vulnerabilities Part 1
Double Free Vulnerabilities Part 2
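As an added example, written for this page and not taken from either of Conover's posts, the following C program models the free-list manipulation his introduction refers to: a chunk freed twice sits on the free list twice, the first allocation hands it to the attacker while the heap still considers it free, and the next allocation unlinks it with attacker-chosen Flink/Blink pointers. The pre-SP2 unlink turns that into a write-what-where; the safe unlinking check (both neighbours must point back at the chunk) refuses it. The list layout, field names, and helper names are assumptions for the model, not the real _HEAP_ENTRY layout, and the per-chunk header cookie is not modeled, since it does not protect against a double free of an intact chunk.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a heap free list: a circular doubly linked list of free
 * chunks hanging off a list head, in the spirit of the Windows heap FreeLists.
 * This is not the real _HEAP_ENTRY layout; names and layout are assumptions. */
typedef struct Entry {
    struct Entry *Flink;
    struct Entry *Blink;
} Entry;

static void list_init(Entry *head) { head->Flink = head->Blink = head; }

/* Free: push the chunk at the head of the list. Nothing checks whether the
 * chunk is already on the list, which is exactly what a double free relies on. */
static void free_chunk(Entry *head, Entry *e) {
    e->Flink = head->Flink;
    e->Blink = head;
    head->Flink->Blink = e;
    head->Flink = e;
}

/* Pre-XP SP2 unlink: trusts both pointers. With attacker-controlled Flink and
 * Blink it is a write-what-where: *Blink = Flink, then *(Flink + ptrsize) = Blink. */
static void unlink_unsafe(Entry *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* XP SP2+ safe unlinking: both neighbours must still point back at e,
 * otherwise the list is corrupt and the unlink is refused. */
static bool unlink_safe(Entry *e) {
    if (e->Flink->Blink != e || e->Blink->Flink != e)
        return false;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
    return true;
}

/* Allocate: take the chunk at the head of the list. Returns NULL when the
 * safe check rejects the chunk (a real heap would raise or terminate instead). */
static Entry *alloc_chunk(Entry *head, bool safe) {
    Entry *e = head->Flink;
    if (safe) {
        if (!unlink_safe(e)) return NULL;
    } else {
        unlink_unsafe(e);
    }
    return e;
}

/* Stand-ins (assumed for the model): 'victim' plays a function pointer slot the
 * attacker wants to redirect (its Flink field is the pointer); 'payload' plays
 * the attacker's writable buffer, e.g. shellcode, that the pointer should hit. */
static Entry victim;
static Entry payload;

/* Runs the double-free sequence under one unlink policy.
 * Returns true if victim.Flink ended up pointing at the payload. */
static bool run_double_free(bool safe) {
    Entry head, chunk;
    list_init(&head);
    victim.Flink = victim.Blink = NULL;
    payload.Flink = payload.Blink = NULL;

    free_chunk(&head, &chunk);            /* legitimate free */
    free_chunk(&head, &chunk);            /* the bug: freed again, now linked twice */

    /* First allocation returns the chunk, but the list still references it.
     * Its Flink/Blink both point at itself, so even the safe check passes here. */
    Entry *user = alloc_chunk(&head, safe);
    if (user != &chunk) return false;

    /* The attacker writes "user data" into a chunk the heap still treats as
     * free: a fake Flink/Blink pair. */
    user->Flink = &payload;
    user->Blink = &victim;

    /* Second allocation unlinks the same chunk using the attacker's pointers. */
    Entry *again = alloc_chunk(&head, safe);
    if (again == NULL) return false;      /* safe unlink: payload.Blink != &chunk */

    /* Unsafe path: victim.Flink = &payload, and payload.Blink = &victim, the
     * classic clobber of one pointer-sized word inside the payload. */
    return victim.Flink == &payload && payload.Blink == &victim;
}

int main(void) {
    printf("unsafe unlink: pointer hijacked = %d\n", run_double_free(false));
    printf("safe unlink:   pointer hijacked = %d\n", run_double_free(true));
    return 0;
}
```

Note that safe unlinking does not notice the double free itself; the self-linked chunk passes the check on the first allocation. It only stops the second step, where the attacker's fake pointers no longer satisfy the back-pointer test, which is why post-SP2 exploitation has to find a way around that check rather than through it.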