|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-disclosure] MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC
From: Evgeny Pinchuk (EvgenyP
Radware.com)
Date: Tue Apr 19 2005 - 12:46:49 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Vulnerability Details
=====================
The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901 mov [ecx],eax
77fcc665 894804 mov [eax+0x4],ecx
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.
Regards,
Evgeny Pinchuk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- application/octet-stream attachment: MS05-021-PoC.pl
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]