Www.edup.tudelft.nl/~bjwever/details msie ani.html.php

From Skypher

Internet Exploiter 3: Technical details

Vulnerability

A vulnerability in the windows .ANI file handling was found and documented by eEye digital Security. This vulnerability can be triggered remotely through Internet Explorer.

Exploit

exploits/InternetExploiter3.2.zip consists of InternetExploiter3.2.html and InternetExploiter3.2.ani. The html file contains my standard exploit helper script (see Internet Exploiter 1 documentation) and loads the ani file. The ani file contains the bare minimum an ani file needs to trigger the BoF:

"RIFF" [DWORD:RIFFChunkLength]
"ACON"
"anih" [DWORD:AnimationHeaderLength] [AnimationHeaderData]
"IART" [DWORD:AritistNameLength] [ArtistName]

Where:

• RIFFChunkLength is the total size of everything after it.
• AnimationHeaderLength is where the BoF is triggered.
• AnimationHeaderData is the data that is written to the stack.
• ArtistNameLength is the length of the artists's name.
• ArtistName is "SkyLined".

By choosing too high a value for AnimationHeaderLength we can overwrite the stack with information from AnimationHeaderData. In the PoC code I used 0xDC for AnimationHeaderLength to write that many bytes of AnimationHeaderData to the stack. AnimationHeaderData contained a string of bytes with value 0x0D. This will overwrite the saved return address on the stack with 0x0D0D0D0D. Returning into the heap-blocks created by the script in the html file.

Timeline

Patch

Available from the Microsoft Corporation website.

Links

• Internet Exploiter 3: Remote exploit for Internet Explorer .ANI file Animation Header Length BoF vulnerability.
• Beta shellcode encoder: Documentation.
• beta.c C Source file for the current version of beta shellcode encoder.
• eEye: Windows ANI File Parsing Buffer Overflow.
• Secunia: Microsoft Internet Explorer Multiple Vulnerabilities.
• Microsoft Corporation website: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711).