Www.edup.tudelft.nl/~bjwever/details msie ani.html.php

From Skypher

Warning
This information is copied from my old webpage @ http://www.edup.tudelft.nl/~bjwever. Some or all of it may be outdated and incorrect. The only thing close to any guarantee that I can give about the contents of this page is that it is very likely to be chock-full of spelling errors.

Internet Exploiter 3: Technical details


Vulnerability

A vulnerability in the Windows .ANI file handling was found and documented by eEye Digital Security. This vulnerability can be triggered remotely through Internet Explorer.

Exploit

exploits/InternetExploiter3.2.zip consists of InternetExploiter3.2.html and InternetExploiter3.2.ani. The HTML file contains my standard exploit helper script (see the Internet Exploiter 1 documentation) and loads the .ani file. The .ani file contains the bare minimum an .ani file needs to trigger the BoF:

"RIFF" [DWORD:RIFFChunkLength]
"ACON"
"anih" [DWORD:AnimationHeaderLength] [AnimationHeaderData]
"IART" [DWORD:ArtistNameLength] [ArtistName]

Where:

  • RIFFChunkLength is the total size of everything after it.
  • AnimationHeaderLength is the field that triggers the BoF.
  • AnimationHeaderData is the data that is written to the stack.
  • ArtistNameLength is the length of the artist's name.
  • ArtistName is "SkyLined".

By choosing too high a value for AnimationHeaderLength we can overwrite the stack with data from AnimationHeaderData. In the PoC code I used 0xDC for AnimationHeaderLength, so that many bytes of AnimationHeaderData are written to the stack. AnimationHeaderData contained a string of bytes with value 0x0D, which overwrites the saved return address on the stack with 0x0D0D0D0D and returns execution into the heap blocks created by the script in the HTML file.
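A chunk-level check for the condition described above, written as an added example for this page and not part of the exploit's own code: it walks the RIFF/ACON chunk list and flags an "anih" chunk whose declared length is not the size of the ANIHEADER structure (assumed here to be 36 bytes, the only size a cursor loader should accept), as well as chunk lengths that run past the end of the data. The small builder at the end only constructs test fixtures for the scanner.

```python
import struct

# Size of the ANIHEADER structure a well-formed "anih" chunk carries.
# Assumption for this example: 36 bytes (nine DWORD fields).
ANIH_EXPECTED_SIZE = 36


def scan_ani(data: bytes) -> list:
    """Walk the RIFF/ACON chunk list and return findings.

    Each finding is a (chunk_id, declared_length, reason) tuple; an empty
    list means no suspicious chunk was seen.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return [("RIFF", len(data), "not a RIFF/ACON file")]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len != len(data) - 8:
        findings.append(("RIFF", riff_len, "RIFF length does not match file size"))
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4].decode("ascii", "replace")
        clen = struct.unpack_from("<I", data, pos + 4)[0]
        # The overflow trigger: an anih chunk claiming more than ANIHEADER size.
        if cid == "anih" and clen != ANIH_EXPECTED_SIZE:
            findings.append((cid, clen, "anih length differs from ANIHEADER size"))
        if clen > len(data) - pos - 8:
            findings.append((cid, clen, "chunk length exceeds remaining data"))
            break
        pos += 8 + clen + (clen & 1)  # RIFF chunk bodies are word-aligned
    return findings


def make_sample_ani(anih_len: int, artist: bytes = b"SkyLined") -> bytes:
    """Constructed test fixture: minimal ACON file with a given anih length.

    The header body is zero-filled; only the length field matters for the scan.
    """
    body = b"ACON"
    body += b"anih" + struct.pack("<I", anih_len) + bytes(anih_len)
    body += b"IART" + struct.pack("<I", len(artist)) + artist
    if len(artist) & 1:
        body += b"\x00"  # pad odd-length chunk body
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

Running `scan_ani(make_sample_ani(36))` yields no findings, while `make_sample_ani(0xDC)` reproduces the oversized-header layout from the text and is flagged on the anih chunk.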

Timeline

2004-11-01 Patch released by Microsoft.
2004-11-01 Advisory released by eEye.
2004-11-01 Exploit released.
2004-12-01 Exploit v0.2 released.

Patch

Available from the Microsoft Corporation website.

Links

  • Internet Exploiter 3: Remote exploit for Internet Explorer .ANI file Animation Header Length BoF vulnerability.
  • Beta shellcode encoder: Documentation.
  • beta.c: C source file for the current version of the beta shellcode encoder.
  • eEye: Windows ANI File Parsing Buffer Overflow.
  • Secunia: Microsoft Internet Explorer Multiple Vulnerabilities.
  • Microsoft Corporation website: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711).