<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

Vulnerability Development: MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC

MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC

From: Evgeny Pinchuk <EvgenyP_at_Radware.com>
Date: Tue, 19 Apr 2005 19:46:49 +0200

Vulnerability Details
=====================
The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901 mov [ecx],eax
77fcc665 894804 mov [eax+0x4],ecx
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.

Regards,

Evgeny Pinchuk

application/octet-stream attachment: MS05-021-PoC.pl

Received on Apr 20 2005

This message: [ Message body ]
Next message: [fz]: "Announcing PAKCON II"
Previous message: João Paulo Caldas Campello: "Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos