CVE-2005-0560
published 2005-05-02


Priority: P2 61
Severity: high (CVSS 2.0 base score 7.5)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 69.48% (99.3rd percentile)
Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.

Affected (2 ranges)

Vendor      Product          Version range   Fixed in
microsoft   exchange_server
microsoft   exchange_server

Detection & IOCs (extracted from sources)

command:  X-LINK2STATE CHUNK=
filename: xlsasink.dll
bytes:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\xD5\x01\x59\x7C\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x5F\x0C\x59\x7C\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0D\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\x72\x69\x59\x7C\xff\xd0\xe8\xc4\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff\xff\x4D\x53\x30\x35\x2D\x30\x32\x31\x20\x54\x65\x73\x74\x4e
  • Detect exploitation attempts by monitoring SMTP traffic on port 25 for the extended verb command 'X-LINK2STATE' followed by a CHUNK parameter containing large repeated byte sequences (e.g., 1000+ 'A' characters), indicative of heap overflow staging.
  • The exploit sends two separate TCP connections to port 25, each issuing EHLO followed by X-LINK2STATE CHUNK= with oversized payloads. Detecting multiple rapid SMTP connections with this pattern from the same source IP is a strong indicator of exploitation.
  • The second chunk of the exploit embeds a short JMP (\xEB\x10) followed by a return address and shellcode. Inspect SMTP CHUNK payloads for the byte sequence EB 10 at offset ~30 bytes into the data as a heap-spray/overflow trigger signature.
  • The vulnerable function SvrAppendReceivedChunk resides in xlsasink.dll. Monitor for unexpected crashes or code execution originating from this DLL in the Exchange SMTP service process.
  • The exploit's hardcoded return addresses (EAX, ECX) target specific DLL base addresses on Windows 2000 Server SP4 EN with Exchange 2000 SP3. These offsets will differ on other OS/SP/Exchange versions and are not universally reliable.
  • The exploit was tested only on Windows 2000 Server SP4 EN with Microsoft Exchange 2000 SP3. Exploitation behavior against Exchange 2003 or different service pack levels may vary.
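The detection notes above can be turned into a small checker over captured SMTP command lines. The following is an added example written for this entry, not code from the original page or from any vendor: it flags X-LINK2STATE CHUNK= commands whose chunk data is oversized, consists of a long run of one repeated byte, or carries the EB 10 short-JMP bytes near the 30-byte offset the notes mention, and it counts suspicious connections per source IP so that the "multiple rapid connections from the same source" indicator can be raised. The thresholds, the offset window and the sample sessions are assumptions constructed for illustration.

```python
"""Detector for oversized / staged X-LINK2STATE CHUNK= commands in SMTP sessions.

Constructed example for the CVE-2005-0560 detection notes; not code from the
original page. Input is assumed to be captured SMTP command lines (bytes, one
command per line) grouped per TCP connection together with the source IP.
"""
import re
from collections import Counter
from typing import Optional

# Thresholds are illustrative assumptions derived from the "1000+ 'A'" note above.
CHUNK_SIZE_THRESHOLD = 1000   # chunk data at or above this many bytes is "oversized"
REPEAT_RUN_THRESHOLD = 1000   # longest run of a single repeated byte value
JMP_SHORT = b"\xeb\x10"       # short JMP bytes noted at ~30 bytes into the chunk
JMP_WINDOW = (20, 48)         # assumed offset window around "~30 bytes"

VERB_RE = re.compile(rb"^X-LINK2STATE\s+CHUNK=", re.IGNORECASE)


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect_command(line: bytes) -> Optional[dict]:
    """Examine one SMTP command line; return findings, or None if it is not X-LINK2STATE CHUNK=."""
    m = VERB_RE.match(line)
    if not m:
        return None
    chunk = line[m.end():].rstrip(b"\r\n")
    findings = {
        "chunk_len": len(chunk),
        "oversized": len(chunk) >= CHUNK_SIZE_THRESHOLD,
        "repeated_fill": longest_run(chunk) >= REPEAT_RUN_THRESHOLD,
        # bytes.startswith(prefix, start) checks for JMP_SHORT at each offset in the window
        "jmp_short_near_30": any(chunk.startswith(JMP_SHORT, i) for i in range(*JMP_WINDOW)),
    }
    findings["suspicious"] = (
        findings["oversized"] or findings["repeated_fill"] or findings["jmp_short_near_30"]
    )
    return findings


def analyse_sessions(sessions):
    """sessions: list of (source_ip, [command lines]) per TCP connection.

    Returns (per-IP summary, list of (ip, findings)). Two or more suspicious
    connections from one IP set multi_connection, the stronger indicator above.
    """
    alerts = []
    per_ip = Counter()
    for ip, lines in sessions:
        for line in lines:
            f = inspect_command(line)
            if f and f["suspicious"]:
                per_ip[ip] += 1
                alerts.append((ip, f))
    summary = {ip: {"hits": n, "multi_connection": n >= 2} for ip, n in per_ip.items()}
    return summary, alerts


# Constructed sample sessions (not real capture data).
FILL = b"X-LINK2STATE CHUNK=" + b"A" * 1200 + b"\r\n"                     # repeated-fill chunk
STAGED = b"X-LINK2STATE CHUNK=" + b"B" * 30 + b"\xeb\x10" + b"C" * 16 + b"\r\n"  # EB 10 at offset 30
SAMPLE_SESSIONS = [
    ("192.0.2.10", [b"EHLO h\r\n", FILL]),
    ("192.0.2.10", [b"EHLO h\r\n", STAGED]),
    ("198.51.100.7", [b"EHLO mail.example.test\r\n", b"MAIL FROM:<a@example.test>\r\n"]),
]

if __name__ == "__main__":
    summary, alerts = analyse_sessions(SAMPLE_SESSIONS)
    for ip, info in summary.items():
        print(ip, info)
    for ip, f in alerts:
        print(ip, f)
```

The checker only looks at the CHUNK data, so a sensor feeding it must reassemble the SMTP command line from the TCP stream; both pattern checks are deliberately tied to the notes above (repeated fill and the EB 10 bytes near offset 30) rather than to the specific return addresses, which the notes say vary across OS and service-pack builds.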