This issue is a basic stack overflow affecting only windows 7/2008R2 smb1 implementation.
It's actually a nice bug as the affected function is not protected by a canary, and allow us to redirect the flow anywhere we want to.
You can find the full advisory about this bug here : http://seclists.org/fulldisclosure/2010/Apr/201
Have phun !
PoC url : http://pastebin.com/h3jSyJTN
Posts
3 comments:
Is there a full disclosure about the other bugs you found that were patched in MS10-020?
According to MS they sound even more dangerous than this one (affects multiple OS)
Thanks for this informative post! I really appreciated it :)
Can we execute the arbitrary code.. I think we have to by pass DEP using ROP. M I right
Post a Comment