CVE-2005-0416
published 2005-04-27


Priority: P258 · high · CVSS 2.0 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 45.49% (98.6th percentile)
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow.

Affected (11 ranges)

Vendor    | Product             | Version range | Fixed in
microsoft | ie                  |               |
microsoft | internet_explorer   | <= 6          |
microsoft | windows_2003_server |               |   (8 ranges; version and edition detail not preserved in the extract)
microsoft | windows_nt          |               |

Detection & IOCs (extracted from sources)

  • Malicious ANI files exploiting CVE-2005-0416/MS05-002 begin with the RIFF/ACON magic bytes (52 49 46 46 ... 41 43 4F 4E) followed by an 'anih' chunk, but contain a crafted oversized header (0x189c total size field) and embedded shellcode/NOP sleds within the first 912 bytes of the file.
  • The exploit generates paired .ani and .html files with the same base filename; look for .ani files of exactly 912 bytes containing NOP sleds (0x90 padding) immediately following the RIFF/ACON/anih header.
  • The downloader variant (exploit 771) appends a URL string directly after the shellcode blob and terminates with '\x01'; network-level inspection of .ani files should look for embedded HTTP/HTTPS URL strings within the binary payload.
  • The portbind port is configurable at exploit build time via the SET_PORTBIND_PORT macro; 7777 is only the example port and real-world attacks may use any port.
  • The downloader variant (exploit 771) takes an arbitrary URL as argv[2] and embeds it directly in the shellcode; the download URL is fully attacker-controlled and cannot be predicted from the exploit code alone.
  • CVE-2005-0416 may overlap with or be a duplicate of CVE-2007-0038 and CVE-2007-1765 for the later Vista-era variant; detections should cover both the 2005 (MS05-002/CAN-2004-1049) and 2007 ANI handling vulnerabilities.
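As an added defensive example (not from the page's sources or any vendor tool), the scanner below encodes the file-level indicators quoted above: RIFF/ACON magic, an anih chunk whose length or cbSize field departs from the 36-byte ANIHEADER, a run of 0x90 bytes directly after the header, embedded URL strings, and the 912-byte file size. The two sample files are constructed inline; the 0x189c value comes from the bullets, but which size field it sits in is an assumption, so the suspicious sample places it in both.

```python
import struct

ANIH_HEADER_SIZE = 36          # ANIHEADER is nine little-endian DWORDs
MIN_SLED_RUN = 16              # consecutive 0x90 bytes we treat as a NOP sled
URL_MARKERS = (b"http://", b"https://")


def scan_ani(data: bytes) -> list:
    """Return a list of findings for one ANI blob; an empty list means nothing matched."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        findings.append(f"RIFF size field 0x{riff_size:x} exceeds file length {len(data)}")
    pos, seen_anih = 12, False
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        clen = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        if cid == b"anih":
            seen_anih = True
            if clen != ANIH_HEADER_SIZE:
                findings.append(f"anih chunk length 0x{clen:x} != 36")
            cb = struct.unpack_from("<I", data, body)[0] if body + 4 <= len(data) else 0
            if cb != ANIH_HEADER_SIZE:
                findings.append(f"anih cbSize 0x{cb:x} != 36")
            tail = data[body + ANIH_HEADER_SIZE:]
            run = len(tail) - len(tail.lstrip(b"\x90"))   # 0x90 padding after the header
            if run >= MIN_SLED_RUN:
                findings.append(f"{run} consecutive 0x90 bytes after anih header")
            break  # an oversized length makes later chunk offsets meaningless
        pos = body + clen + (clen & 1)  # RIFF chunk bodies are word-aligned
    if not seen_anih:
        findings.append("no anih chunk found")
    for marker in URL_MARKERS:
        if marker in data:
            findings.append(f"embedded URL string {marker.decode()} in binary payload")
    if len(data) == 912:
        findings.append("file is exactly 912 bytes")
    return findings


def _anih(cbsize: int) -> bytes:
    return struct.pack("<I", cbsize) + b"\x00" * (ANIH_HEADER_SIZE - 4)

# Constructed samples (not real files): a minimal well-formed container and one carrying the IOCs.
BENIGN_ANI = b"RIFF" + struct.pack("<I", 48) + b"ACON" + b"anih" + struct.pack("<I", 36) + _anih(36)
_sus = (b"RIFF" + struct.pack("<I", 0x189C) + b"ACON" + b"anih" + struct.pack("<I", 0x189C)
        + _anih(0x189C) + b"\x90" * 64 + b"http://example.invalid/payload\x01")
SUSPICIOUS_ANI = _sus + b"\x00" * (912 - len(_sus))
```

Run `scan_ani` over a directory of `.ani` files and alert on any non-empty result; the 912-byte and URL checks are weak on their own and are meant to corroborate the anih length anomaly.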

CVSS provenance

Source    | Version | Score    | Vector
nvd       | v2.0    | 7.5 HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 7.5 HIGH |