Saturday, April 17, 2010


This bug was discovered back in December 2009 and patched by Microsoft in April 2010.
The issue is a basic stack overflow affecting only the Windows 7/2008 R2 SMB1 implementation.
It's actually a nice bug, as the affected function is not protected by a canary, which allows us to redirect the control flow anywhere we want.
You can find the full advisory about this bug here:
Have phun!
PoC URL:


Anonymous said...

Is there a full disclosure about the other bugs you found that were patched in MS10-020?
According to MS they sound even more dangerous than this one (they affect multiple OSes).

cafe24 youtube extension said...

Thanks for this informative post! I really appreciated it :)

Anonymous said...

Can we execute arbitrary code? I think we have to bypass DEP using ROP. Am I right?

