Related information

Microsoft Exchange Server SMTP protocol buffer overflow

ISS Protection Brief: Microsoft Exchange Remote Compromise

Microsoft Security Bulletin MS05-021 Vulnerability in Exchange Server Could Allow Remote Code Execution (894549)

From:	Evgeny Pinchuk <EvgenyP_(at)_Radware.com>
Date:	20.04.2005
Subject:	MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC

Vulnerability Details
=====================
The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901             mov     [ecx],eax              
77fcc665 894804           mov     [eax+0x4],ecx          
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.

Regards,

Evgeny Pinchuk