CVE-2007-0038

Published: 30/03/2007 Updated: 16/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Stack-based buffer overflow in the animated cursor code in Microsoft Windows 2000 SP4 through Vista allows remote malicious users to execute arbitrary code or cause a denial of service (persistent reboot) via a large length value in the second (or later) anih block of a RIFF .ANI, .cur, or .ico file, which results in memory corruption when processing cursors, animated cursors, and icons, a variant of CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this might be a duplicate of CVE-2007-1765; if so, then CVE-2007-0038 should be preferred.
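As an added illustration of the condition the summary describes (example code written for this page, not code from the CVE record, from Microsoft, or from any of the exploits listed below), the following Python script walks the RIFF chunk tree of an animated-cursor file and flags any anih chunk whose declared length is not the 36 bytes of the ANIHEADER structure, whose length runs past the end of the file, or which appears more than once. That is the shape of input a content filter or mail gateway would want to reject before a cursor loader ever sees it. The chunk layout and the 36-byte header size come from the documented RIFF/ACON format; the three sample files are constructed inline and carry no payload.

```python
import struct

# sizeof(ANIHEADER): cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
ANIH_EXPECTED_SIZE = 36


def iter_chunks(data, offset, end):
    """Yield (fourcc, declared_size, payload_offset) for each chunk in data[offset:end].

    Chunk = 4-byte FourCC + little-endian u32 size + payload (padded to even length).
    The size field is taken at face value so the caller can detect lies in it."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (size,) = struct.unpack_from("<I", data, offset + 4)
        payload = offset + 8
        yield fourcc, size, payload
        offset = payload + size + (size & 1)


def scan_ani(data):
    """Return a list of findings for an animated-cursor byte string; [] means clean."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_size)
    anih_count = 0
    pending = [(12, end)]                      # (start, limit) regions still to walk
    while pending:
        start, limit = pending.pop()
        for fourcc, size, payload in iter_chunks(data, start, limit):
            if payload + size > len(data):
                findings.append(f"chunk {fourcc!r} at offset {payload - 8} declares "
                                f"{size} bytes, past end of file")
            if fourcc == b"LIST":
                # LIST payload = 4-byte list type followed by nested chunks
                pending.append((payload + 4, min(limit, payload + size)))
            elif fourcc == b"anih":
                anih_count += 1
                if size != ANIH_EXPECTED_SIZE:
                    findings.append(f"anih #{anih_count} at offset {payload - 8} declares "
                                    f"{size} bytes, expected {ANIH_EXPECTED_SIZE}")
    if anih_count > 1:
        findings.append(f"{anih_count} anih chunks present, expected exactly one")
    return findings


# --- constructed sample files (not real cursors; just enough structure to scan) ---

def chunk(fourcc, payload):
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(body_chunks):
    body = b"ACON" + b"".join(body_chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def anih_payload(frames=1, steps=1, jif_rate=1):
    return struct.pack("<9I", ANIH_EXPECTED_SIZE, frames, steps, 0, 0, 0, 0, jif_rate, 1)


# Well-formed: one 36-byte anih followed by a LIST/fram holding a dummy icon chunk.
BENIGN_SAMPLE = riff_acon([
    chunk(b"anih", anih_payload()),
    chunk(b"LIST", b"fram" + chunk(b"icon", b"\0" * 16)),
])

# Malformed: a valid first anih, then a second anih whose declared length is 512.
# This is the shape the summary describes; the chunk data is all zeros.
OVERSIZED_SAMPLE = riff_acon([
    chunk(b"anih", anih_payload()),
    chunk(b"anih", b"\0" * 512),
])

# Malformed: a second anih header whose size field points far past the end of file.
TRUNCATED_SAMPLE = riff_acon([
    chunk(b"anih", anih_payload()),
    b"anih" + struct.pack("<I", 0x7FFFFFFF),
])

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SAMPLE), ("oversized", OVERSIZED_SAMPLE),
                         ("truncated", TRUNCATED_SAMPLE)]:
        print(name, scan_ani(sample) or "clean")
```

The scanner deliberately reads the size field before trusting it and bounds every nested LIST by both its own declared size and the enclosing region, so a lying length can produce a finding but cannot make the walker read outside the buffer.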

Affected Products

Exploits

## # $Id: ms07_017_ani_loadimage_chunksize.rb 9984 2010-08-12 16:56:41Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require ' ...
Microsoft ANI Buffer Overflow Exploit. Author: Trirat Puttaraksa, sf-freedom.blogspot.com. Tested on: Windows XP SP2 fully patched + IE 6 SP2. For educational purpose only. There is much confusion about this vulnerability. Someone said that this could not be exploited in XP SP2 - that's wrong. I provide this exploit because I wanna tell t ...
/*************************************************************************** * MS Windows ANI File Local Buffer Overflow * * * * * * Credits go to Trirat Puttaraksa cause hi ...
::[ jamikazu presents ]:: Windows Animated Cursor Handling Exploit (0day). Works on fully patched Windows Vista. I think it is the first real remote code execution exploit on Vista =) Tested on: Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled), Windows Vista Ultimate Version 6.0 (Build 6000) (default installa ...
#-------------------------------------------------------------------------------- # Info: ANI (RIFF Cursors) 2007 universal exploit generator # Tested on MS Internet Explorer 6.x-7.x, Windows XP SP2, Windows Vista # Author: Yag Kohha <skyhole [at] gmail.com> # 10x`n`Gr33tz 2: # Jamikazu, Skylined (pretty good t-shirt on BH07 Europe - L00k li ...
/* * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows ANI LoadAniIcon Stack Overflow * [CVE-2007-1765] * * * Description: * A vulnerability has been identified in Microsoft Windows, * which could be exploited by remote attackers to take complete * control of an affected system. This issue is due to a stack overflow * er ...
::[ jamikazu presents ]:: Windows Animated Cursor Handling Exploit (0day) (Version 3). Works on fully patched Windows Vista. I think it is the first real remote code execution exploit on Vista =) Tested on: Windows Vista Enterprise Version 6.0 (Build 6000) (default installation and UAC enabled), Windows Vista Ultimate Version 6.0 (Build 6000) (defau ...
/**************************************************************************** * MS Windows Explorer Unspecified ANI File DoS * * * * * * Another ANI bug that freezes Explor ...
## # $Id: ms07_017_ani_loadimage_chunksize.rb 10394 2010-09-20 08:06:27Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # metasploit.com/framework/ ## require ...
/* * version 0.5 * Copyright (c) 2007 devcode * * * ^^ D E V C O D E ^^ * * Windows ANI LoadAniIcon Stack Overflow For Hardware DEP XP SP2 * [CVE-2007-1765] * * * Description: * A vulnerability has been identified in Microsoft Windows, * which could be exploited by remote attackers to take complete * control of an affected system. This ...
#!/usr/bin/env python # # $Id: win32-loadaniicon.py 4 2007-06-02 00:47:59Z ramon $ # # Windows Animated Cursor Stack Overflow Exploit # Copyright 2007 Ramon de Carvalho Valle <ramon@risesecurity.org>, # RISE Security <contact@risesecurity.org> # # This program is free software; you can redistribute it and/or modify # it und ...
/* ANI exploit tested on Windows XP SP2 - Portuguese. Shellcode: port bind 13579. JMP ESP Addr - ntdll.dll. Greetz: Marsu, Devcode, Str0ke, Dave, Sekure.org guys, Sauna. Exploit coded listen sauna hits. Featuring Luiz Zanardo's gigs "Minoide" - \x52\x49\x46\x ...
#define _WIN32_WINNT 0x0500 #include <windows.h> #include <shlwapi.h> #include <stdio.h> #pragma comment (lib, "user32.lib") #pragma comment (lib, "gdi32.lib") #pragma comment (lib, "shlwapi.lib") #pragma comment (lib, "ntdll.lib") /* Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last b ...
/* GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017) Coded by Lionel d'Hauenens www.labo-asso.com Development: ------------ Dev-C++ 4.9.9.2 Linked with /lib/libgdi32.a References: ----------- www.microsoft.com/technet/security/bulletin/MS07-017.mspx research.eeye.com/html/alerts/zeroday/20061106.html http:/ ...
MS Windows (ANI) GDI Remote Elevation of Privilege Exploit (MS07-017) github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/3804.zip (04262007-gdi_remote_elevation_privilege_exploit_ms07_017_principal.zip) # milw0rm.com [2007-04-26] ...

Metasploit Modules

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.

msf > use exploit/windows/browser/ms07_017_ani_loadimage_chunksize
msf exploit(ms07_017_ani_loadimage_chunksize) > show targets
    ...targets...
msf exploit(ms07_017_ani_loadimage_chunksize) > set TARGET <target-id>
msf exploit(ms07_017_ani_loadimage_chunksize) > show options
    ...show and set options...
msf exploit(ms07_017_ani_loadimage_chunksize) > exploit

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.

msf > use exploit/windows/email/ms07_017_ani_loadimage_chunksize
msf exploit(ms07_017_ani_loadimage_chunksize) > show targets
    ...targets...
msf exploit(ms07_017_ani_loadimage_chunksize) > set TARGET <target-id>
msf exploit(ms07_017_ani_loadimage_chunksize) > show options
    ...show and set options...
msf exploit(ms07_017_ani_loadimage_chunksize) > exploit

Github Repositories

References

CWE-119
http://archives.neohapsis.com/archives/fulldisclosure/2007-03/0470.html
http://secunia.com/advisories/24659
http://securityreason.com/securityalert/2542
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
http://www.kb.cert.org/vuls/id/191609
http://www.osvdb.org/33629
http://www.securityfocus.com/archive/1/464269/100/0/threaded
http://www.securityfocus.com/archive/1/464339/100/0/threaded
http://www.securityfocus.com/archive/1/464340/100/0/threaded
http://www.securityfocus.com/archive/1/464342/100/0/threaded
http://www.securityfocus.com/archive/1/464459/100/100/threaded
http://www.securityfocus.com/archive/1/464460/100/100/threaded
http://www.securityfocus.com/archive/1/466186/100/200/threaded
http://www.us-cert.gov/cas/techalerts/TA07-089A.html
http://www.us-cert.gov/cas/techalerts/TA07-093A.html
http://www.us-cert.gov/cas/techalerts/TA07-100A.html
http://www.vupen.com/english/advisories/2007/1215
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017
https://exchange.xforce.ibmcloud.com/vulnerabilities/33301
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1854
https://github.com/Axua/CVE-2007-0038
http://tools.cisco.com/security/center/viewAlert.x?alertId=12967
https://nvd.nist.gov
https://www.exploit-db.com/exploits/16526/
https://www.rapid7.com/db/vulnerabilities/WINDOWS-HOTFIX-MS07-017
https://www.rapid7.com/db/modules/exploit/windows/browser/ms07_017_ani_loadimage_chunksize
https://www.kb.cert.org/vuls/id/191609