Windows SMB Client Transaction Response Handling Exploit (MS05-011)
* Technical Details:
* -----------------
*
* The driver MRXSMB.SYS is responsible for performing SMB
* client operations and processing the responses returned
* by an SMB server service. A number of important Windows
* File Sharing operations, and all RPC-over-named-pipes,
* use the SMB commands Trans (25h) and Trans2 (32h). A
* malicious SMB server can respond with specially crafted
* Transaction response data that will cause an overflow
* wherever the data is handled, either in MRXSMB.SYS or
* in client code to which it provides data. One example
* would be that the file name length field and the short
* file name length field in a Trans2 FIND_FIRST2 response
* packet can be supplied with inappropriately large values
* in order to cause an excessive memcpy to occur when the
* data is handled. In the case of these examples an attacker
* could leverage file:// links that, when clicked by a
* remote user, would lead to code execution.
Source: http://www.milw0rm.com/id.php?id=1065
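The defect the advisory describes is a copy whose length comes from a server-controlled field that was never compared with the bytes actually received. The parser below is an added example written for this post, not code from the milw0rm entry or from MRXSMB.SYS; it assumes the SMB_FIND_FILE_BOTH_DIRECTORY_INFO layout (94-byte fixed part, FileNameLength at offset 60, ShortNameLength at offset 68) and an arbitrary 512-byte client name buffer, and the entries it parses are constructed in place, with 0xFFFF and 200 as constructed oversized length values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define FIXED_LEN 94u        /* SMB_FIND_FILE_BOTH_DIRECTORY_INFO bytes before FileName (assumed layout) */
#define NAME_MAX_BYTES 512u  /* size of the client's own name buffer (assumed) */

struct find_entry {
    uint32_t next_entry_offset, file_name_length;
    uint8_t short_name_length;
    uint8_t file_name[NAME_MAX_BYTES];   /* raw UTF-16LE name bytes as sent by the server */
};
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Validate one entry against the bytes actually received before copying anything.
 * Returns 0 on success, -1 if a server-supplied length points outside the data or our buffer. */
int parse_find_entry(const uint8_t *buf, size_t buf_len, struct find_entry *out)
{
    if (buf_len < FIXED_LEN) return -1;                      /* truncated fixed header */
    uint32_t next = rd32(buf), name_len = rd32(buf + 60);   /* NextEntryOffset, FileNameLength */
    uint8_t short_len = buf[68];                             /* ShortNameLength */
    if (short_len > 24) return -1;                           /* ShortName is a fixed 24-byte field */
    if (name_len > buf_len - FIXED_LEN) return -1;           /* name must lie inside received data */
    if (name_len > NAME_MAX_BYTES) return -1;                /* ...and inside the destination buffer */
    if (next != 0 && (next < FIXED_LEN + name_len || next > buf_len)) return -1;
    out->next_entry_offset = next; out->file_name_length = name_len; out->short_name_length = short_len;
    memcpy(out->file_name, buf + FIXED_LEN, name_len);       /* bounded by the checks above */
    return 0;
}

/* Build a constructed (not captured) entry with caller-chosen length fields; returns bytes written. */
size_t build_entry(uint8_t *buf, uint32_t name_len_field, uint8_t short_len_field,
                   const uint8_t *name, size_t name_bytes)
{
    memset(buf, 0, FIXED_LEN);
    wr32(buf + 60, name_len_field);
    buf[68] = short_len_field;
    memcpy(buf + FIXED_LEN, name, name_bytes);
    return FIXED_LEN + name_bytes;
}

/* Parse a 10-byte UTF-16LE name "a.txt" under the given header length fields. Returns the accepted
 * FileNameLength, or -1 when rejected: (10, 10) -> 10; oversized (0xFFFF, 200) -> -1, no over-read. */
int demo(uint32_t name_len_field, uint8_t short_len_field)
{
    static const uint8_t name[] = { 'a',0, '.',0, 't',0, 'x',0, 't',0 };
    uint8_t buf[FIXED_LEN + sizeof name]; struct find_entry e;
    size_t n = build_entry(buf, name_len_field, short_len_field, name, sizeof name);
    return parse_find_entry(buf, n, &e) == 0 ? (int)e.file_name_length : -1;
}
```

The two comparisons against `buf_len - FIXED_LEN` and `NAME_MAX_BYTES` are the whole fix: the length field is treated as a claim to verify, never as the copy size.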