CVE-2007-0038
published 2007-03-30


Priority: P2 (73)
CVSS 2.0: 9.3 critical, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Status: exploited in the wild (ITW) · public exploit available · listed in VulnCheck KEV
EPSS: 72.88% (99.4th percentile)
Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.

Affected

5 ranges (the version ranges of the three windows_2003_server rows were not captured by the extraction)

Vendor      Product               Version range   Fixed in
microsoft   ie
microsoft   internet_explorer     <= 6
microsoft   windows_2003_server
microsoft   windows_2003_server
microsoft   windows_2003_server

Detection & IOCs (extracted from sources)

  • filename: poc.ani
  • command: logoff.exe
  • css rule (not a registry key, despite the source's label): CURSOR: url("poc.ani")
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3651.tar.gz
  • bytes (RIFF header, size 0x4D08, ACON form, first anih chunk): 52 49 46 46 08 4D 00 00 41 43 4F 4E 61 6E 69 68
  • bytes (RIFF header, size 0x0400, ACON form, first anih chunk): 52 49 46 46 00 04 00 00 41 43 4F 4E 61 6E 69 68
  • bytes (RIFF header, size 0x0313, ACON form, first anih chunk): 52 49 46 46 13 03 00 00 41 43 4F 4E 61 6E 69 68
  • Delivery is an HTML page whose CSS cursor property points to a remote .ANI file; detect HTTP responses serving .ANI content (typically with Content-Type application/octet-stream) fetched alongside HTML pages that reference cursor URLs.
  • The exploit HTML embeds the malicious ANI via CSS: '* {CURSOR: url("poc.ani")}'. Monitor for HTML pages with wildcard CSS cursor rules pointing to .ani files.
  • Return address 0x7c801aed (described in the source as a JMP ESP) is placed at buffer offset 168 in the crafted ANI file for Windows XP SP2. Note that its little-endian encoding is ED 1A 80 7C; the byte string ED 1E 94 7C quoted alongside it decodes to 0x7c941eed, which on XP SP2 falls inside ntdll.dll (base 0x7c900000) rather than kernel32.dll (base 0x7c800000). Match on the encoding of whichever address the sample actually carries; do not treat the two as interchangeable.
  • Return address 0x7c801a7b (CALL ESI in kernel32.dll) is used at buffer offset 168 in the crafted ANI file for Windows XP SP2; look for the little-endian byte sequence 7B 1A 80 7C at offset 168.
  • The Windows XP SP2 DEP bypass uses ret2libc with a kernel32.dll gadget at 0x7C8024D6 and msvcrt.dll system() at 0x77C293C7; detect their little-endian encodings (D6 24 80 7C and C7 93 C2 77) in ANI file payloads.
  • The shellcode is windows/shell_reverse_tcp connecting back to the attacker; monitor for outbound TCP connections from Internet Explorer, Explorer, or any other process that has just parsed an ANI file.
  • ANI files whose 'anih' chunk size field is 0xFFFF (\xff\xff\x00\x00) are malformed and indicative of exploit attempts. A well-formed anih chunk carries a 36-byte ANIHEADER, so any anih chunk, not only the first, declaring a different length should be rejected; the earlier MS05-002 fix for CVE-2005-0416 only validated the first anih chunk, which is why this variant uses the second or later one.
  • The exploit targets multiple Windows versions and DLL base addresses. The return addresses depend on the exact DLL build, which varies by OS version, service pack and language (and, on Vista, by ASLR), so the hardcoded addresses are only valid for the specific DLL versions listed.
  • CVE-2007-1765 may be a duplicate of CVE-2007-0038; treat both identifiers as referring to the same ANI stack overflow vulnerability.
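The checks above (anih chunks that do not declare the 36-byte ANIHEADER, declared sizes that run past the end of the file, and the return-address byte strings) can be applied by walking the RIFF chunk structure. The following scanner is an added example written for this page, not tooling from the CVE sources or the linked exploit; the two ANI samples it scans are constructed inline, and it assumes the return addresses may appear anywhere inside a chunk payload rather than only at offset 168.

```python
"""Walk a RIFF .ANI file and flag anih chunks that do not declare the 36-byte
ANIHEADER, chunk sizes that overrun the file, and the return-address byte
strings listed on this page.  Added example; not the CVE page's own tooling."""
import struct

ANIHEADER_SIZE = 36  # sizeof(ANIHEADER): a well-formed anih chunk is exactly this long

# Little-endian encodings of the addresses quoted in the detection notes.
# Assumption: we match them anywhere inside a chunk payload, not only at offset 168.
KNOWN_RET_ADDRS = {
    bytes.fromhex("7b1a807c"): "0x7c801a7b (CALL ESI, kernel32.dll, XP SP2)",
    bytes.fromhex("ed1a807c"): "0x7c801aed (address as printed on the page)",
    bytes.fromhex("ed1e947c"): "0x7c941eed (byte string as printed on the page)",
    bytes.fromhex("d624807c"): "0x7c8024d6 (kernel32.dll ret2libc gadget)",
    bytes.fromhex("c793c277"): "0x77c293c7 (msvcrt.dll system())",
}


def iter_chunks(data, start, end):
    """Yield (fourcc, declared_size, payload_start, payload_end) for every chunk
    between start and end, recursing into LIST chunks.  payload_end is clamped
    to the buffer so a bogus size can never make us read out of bounds; the
    caller compares declared_size against what is really there."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        body_end = min(body + size, end)
        yield fourcc, size, body, body_end
        if fourcc == b"LIST":
            # A LIST payload is a 4-byte list type followed by sub-chunks.
            yield from iter_chunks(data, body + 4, body_end)
        pos = body + size + (size & 1)  # RIFF chunks are padded to even length


def scan_ani(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        findings.append(f"RIFF size {riff_size} does not match file length {len(data)}")
    anih_index = 0
    for fourcc, size, body, body_end in iter_chunks(data, 12, len(data)):
        name = fourcc.decode("latin-1")
        if fourcc == b"anih":
            anih_index += 1
            if size != ANIHEADER_SIZE:
                findings.append(f"anih #{anih_index} declares {size} bytes (expected {ANIHEADER_SIZE})")
        if body + size > len(data):
            findings.append(f"{name} chunk at {body - 8} declares {size} bytes but only {len(data) - body} remain")
        payload = data[body:body_end]
        for pattern, label in KNOWN_RET_ADDRS.items():
            idx = payload.find(pattern)
            if idx >= 0:
                findings.append(f"return address {label} at payload offset {idx} of {name} chunk")
    return findings


# --- constructed samples (not real captures) ---------------------------------
def _chunk(fourcc, payload, declared=None):
    """Build a RIFF chunk; 'declared' lets a sample lie about its own length."""
    size = len(payload) if declared is None else declared
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", size) + payload + pad


def _riff(chunks):
    body = b"ACON" + chunks
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Valid 36-byte ANIHEADER: cbSize, nFrames, nSteps, iWidth, iHeight, iBitCount,
# nPlanes, iDispRate, bfAttributes.
GOOD_ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
BENIGN = _riff(_chunk(b"anih", GOOD_ANIH))

# Second anih declares 0xFFFF bytes (as in the IOC above) but only carries 200:
# 168 filler bytes, the XP SP2 CALL ESI address, then a few NOP bytes.
OVERFLOW_PAYLOAD = b"A" * 168 + bytes.fromhex("7b1a807c") + b"\x90" * 28
MALICIOUS = _riff(_chunk(b"anih", GOOD_ANIH) + _chunk(b"anih", OVERFLOW_PAYLOAD, declared=0xFFFF))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, scan_ani(sample) or "clean")
```

The scanner never trusts the declared chunk size when slicing, which is precisely the mistake the vulnerable cursor loader made: it copied the declared length into a fixed 36-byte stack buffer. Against the malicious sample it reports the oversized second anih, the size that overruns the file, and the return address sitting at payload offset 168.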

CVSS provenance

NVD        CVSS v2.0   9.3 CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck              7.5 HIGH