Saturday, April 17, 2010

MS10-020

This bug was discovered back in december 2009, and patched by microsoft in April 2010.
This issue is a basic stack overflow affecting only windows 7/2008R2 smb1 implementation.
It's actually a nice bug as the affected function is not protected by a canary, and allow us to redirect the flow anywhere we want to.
You can find the full advisory about this bug here : http://seclists.org/fulldisclosure/2010/Apr/201
Have phun !
PoC url : http://pastebin.com/h3jSyJTN

3 comments:

Anonymous said...

Is there a full disclosure about the other bugs you found that were patched in MS10-020?
According to MS they sound even more dangerous than this one (affects multiple OS)

cafe24 youtube extension said...

Thanks for this informative post! I really appreciated it :)

Anonymous said...

Can we execute the arbitrary code.. I think we have to by pass DEP using ROP. M I right

Post a Comment