MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC

To: <vuln-dev@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <appsec-research@xxxxxxxxxxxx>
Subject: MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC
From: "Evgeny Pinchuk" <EvgenyP@xxxxxxxxxxx>
Date: Tue, 19 Apr 2005 19:46:49 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcVFB8L8PEV6Xz9ESbmVztKcYWQnuw==
Thread-topic: MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC

Vulnerability Details
=====================
The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901             mov     [ecx],eax              
77fcc665 894804           mov     [eax+0x4],ecx          
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.

Regards,

Evgeny Pinchuk

Attachment: MS05-021-PoC.pl
Description: MS05-021-PoC.pl

Prev by Date: CAU - New Tool: hcraft - HTTP Vuln Request Crafter
Next by Date: PAKCON II: Call for Papers (CfP - 2005)
Previous by thread: CAU - New Tool: hcraft - HTTP Vuln Request Crafter
Next by thread: PAKCON II: Call for Papers (CfP - 2005)
Index(es):
- Date
- Thread