22-Jan-2010: CVE-2010-0071
source link: https://yurichev.com/blog/38/
CVE-2010-0071, discovered by me, was patched in CPUjan2010.
Here is the PoC (a Python script). It is not a full exploit; what it does is this: while running against 11.1.0.7.0 win32, the Listener function nsglvcrt() attempts to allocate a huge memory block and copy *something* into it.
TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))
(addresses are for TNS Listener 11.1.0.7.0 win32 unpatched)
If I am correct, the nsglvcrt() function is involved in new service creation.
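The trace above shows the shape of the bug from the defender's side: a malloc() of 0x4222fc5 bytes immediately followed by a memcpy() of 0x4222fc4 bytes, both sizes far larger than any Listener packet, so the size was evidently taken from the request without a sanity check. The C below is an added illustration of that pattern and of the check that stops it; it is not Oracle's nsglvcrt() code and not the PoC. The length-prefixed record format, the function names and the MAX_VALUE_LEN bound are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy record: 4-byte little-endian length, then that many payload bytes.
   Constructed format for illustration only, not the TNS wire format. */

/* Largest payload this parser will copy. Hypothetical bound, not an Oracle
   value; a real parser derives it from the protocol's field definitions. */
#define MAX_VALUE_LEN 4096u

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern, the shape the trace above suggests: the length field is
   handed to malloc() and memcpy() as-is. A hostile length means a huge
   allocation and a copy that runs far past the end of the received packet.
   Kept only for contrast; never call it on untrusted input. */
unsigned char *copy_value_unchecked(const unsigned char *pkt, size_t pkt_len,
                                    size_t *out_len) {
    if (pkt_len < 4) return NULL;
    uint32_t len = read_le32(pkt);
    unsigned char *dst = malloc((size_t)len + 1);   /* size comes from the packet */
    if (dst == NULL) return NULL;
    memcpy(dst, pkt + 4, len);                      /* never compared to pkt_len */
    dst[len] = '\0';
    *out_len = len;
    return dst;
}

/* Hardened version: the length is validated against the bytes actually
   received and against a fixed protocol maximum before anything is allocated. */
unsigned char *copy_value_checked(const unsigned char *pkt, size_t pkt_len,
                                  size_t *out_len) {
    if (pkt == NULL || pkt_len < 4) return NULL;
    uint32_t len = read_le32(pkt);
    if (len > MAX_VALUE_LEN) return NULL;           /* reject absurd sizes outright */
    if ((size_t)len > pkt_len - 4) return NULL;     /* payload must fit the packet */
    unsigned char *dst = malloc((size_t)len + 1);
    if (dst == NULL) return NULL;
    memcpy(dst, pkt + 4, len);
    dst[len] = '\0';
    *out_len = len;
    return dst;
}

/* Builds a record whose header may disagree with the real payload size, so the
   hardened parser can be exercised against a lying length field. */
static size_t build_record(unsigned char *out, size_t out_cap,
                           uint32_t declared_len, const char *payload) {
    size_t n = strlen(payload);
    if (out_cap < 4 + n) return 0;
    out[0] = declared_len & 0xff;
    out[1] = (declared_len >> 8) & 0xff;
    out[2] = (declared_len >> 16) & 0xff;
    out[3] = (declared_len >> 24) & 0xff;
    memcpy(out + 4, payload, n);
    return 4 + n;
}

/* Returns 1 when the hardened parser accepts a well-formed record and rejects
   one whose header claims 0x4222fc4 bytes (the size in the trace) while the
   packet actually holds five. */
int demo(void) {
    unsigned char pkt[64];
    size_t got = 0;
    int ok = 1;

    size_t n = build_record(pkt, sizeof pkt, 5, "hello");
    unsigned char *v = copy_value_checked(pkt, n, &got);
    ok = ok && v != NULL && got == 5 && memcmp(v, "hello", 5) == 0;
    free(v);

    n = build_record(pkt, sizeof pkt, 0x4222fc4u, "hello");
    v = copy_value_checked(pkt, n, &got);
    ok = ok && v == NULL;           /* rejected before malloc() is reached */
    free(v);                        /* free(NULL) is a no-op */
    return ok;
}
```

The useful detection habit here is the one the trace already demonstrates: watching allocation and copy sizes at the boundary where a parser consumes network data. An allocation request in the tens of megabytes for a single Listener field is anomalous on its own, independent of whether the copy that follows it succeeds.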