Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC
From: "Evgeny Pinchuk" <EvgenyP () Radware com>
Date: Tue, 19 Apr 2005 19:46:49 +0200
Vulnerability Details
=====================
The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901             mov     [ecx],eax              
77fcc665 894804           mov     [eax+0x4],ecx          
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.

Regards,

Evgeny Pinchuk

Attachment: MS05-021-PoC.pl
Description: MS05-021-PoC.pl

  By Date           By Thread  

Current thread:
  • MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC Evgeny Pinchuk (Apr 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]