module
Microsoft SRV.SYS Mailslot Write Corruption
| Disclosed | Created |
|---|---|
| Jul 11, 2006 | May 30, 2018 |
Disclosed
Jul 11, 2006
Created
May 30, 2018
Description
This module triggers a kernel pool corruption bug in SRV.SYS. Each
call to the mailslot write function results in a two byte return value
being written into the response packet. The code which creates this packet
fails to consider these two bytes in the allocation routine, resulting in
a slow corruption of the kernel memory pool. These two bytes are almost
always set to "\xff\xff" (a short integer with value of -1).
call to the mailslot write function results in a two byte return value
being written into the response packet. The code which creates this packet
fails to consider these two bytes in the allocation routine, resulting in
a slow corruption of the kernel memory pool. These two bytes are almost
always set to "\xff\xff" (a short integer with value of -1).
Author
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.