lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Apr 2005 19:46:49 +0200
From: "Evgeny Pinchuk" <EvgenyP@...ware.com>
To: <vuln-dev@...urityfocus.com>, <bugtraq@...urityfocus.com>,
<full-disclosure@...ts.grok.org.uk>, <appsec-research@...uxbox.org>
Subject: MS05-021 Microsoft Exchange X-LINK2STATE Heap
Overflow PoC
Vulnerability Details
=====================
The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901 mov [ecx],eax
77fcc665 894804 mov [eax+0x4],ecx
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.
Regards,
Evgeny Pinchuk
Download attachment "MS05-021-PoC.pl" of type "application/octet-stream" (2396 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists