Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:8384
HistoryApr 20, 2005 - 12:00 a.m.

MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC

2005-04-2000:00:00
vulners.com
18

Vulnerability Details

The vulnerability is a heap overflow in SvrAppendReceivedChunk function
which is located in xlsasink.dll.
When transmitting large chunks with X-LINK2STATE verb it is possible to
overflow the heap and perform arbitrary memory write in RtlAllocateHeap
function.
77fcc663 8901 mov [ecx],eax
77fcc665 894804 mov [eax+0x4],ecx
We are controlling ECX and EAX registers. So rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.

Regards,

Evgeny Pinchuk