Vulnerability Details ===================== The vulnerability is a heap overflow in SvrAppendReceivedChunk function which is located in xlsasink.dll. When transmitting large chunks with X-LINK2STATE verb it is possible to overflow the heap and perform arbitrary memory write in RtlAllocateHeap function. 77fcc663 8901 mov [ecx],eax 77fcc665 894804 mov [eax+0x4],ecx We are controlling ECX and EAX registers. So rewriting lpTopLevelExceptionFilter can easily get us to our shellcode on the heap. Regards, Evgeny Pinchuk
Attachment:
MS05-021-PoC.pl
Description: MS05-021-PoC.pl