Microsoft Windows XP - Animated Cursor '.ani' Remote Overflow (2)

EDB-ID:

3635


Platform:

Windows

Published:

2007-04-01

Microsoft ANI Buffer Overflow Exploit

Author: Trirat Puttaraksa
http://sf-freedom.blogspot.com

Tested on: Windows XP SP2 fully patched + IE 6 SP2

For educational purpose only

There are many confuses about this vulnerability. Someone said that this could
not be exploited in XP SP2 - that's wrong. I provide this exploit because I 
wanna to tell these people that they are in danger. 
This exploit will call calc.exe (shellcode fome metasploit win32_exec 
CMD=calc.exe EXITFUNC=process).

P.S. I do not include the source code for generate the .ani file because of
its damage. However, if you reverse engineer .ani file, you will know how
could I produce this exploit in 10 minutes.

I will describe this vulnerability and how to exploit it in my blog 
after M$ released patch.

greets: used SkyLined's idea of exploitation.  tnx to him.

https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/3635.zip (04012007-ani.zip)

# milw0rm.com [2007-04-01]