Re: Windows .ANI LoadAniIcon Stack Overflow

["dev code" <devcode29 () hotmail com>]

I made a mistake in including "jmp esp" for XP SP2 because the stack cannot 
be executed (due to DEP of course :P). It is completely possible to execute 
shellcode if we can do some DEP bypass (ie. ret2libc attack, etc..) to add 
execute access to the stack and jmp to our code. My PoC i updated yesterday 
(added as an attachment to the full disclosure post) returns to 
ExitProcess()  and closes explorer.exe upon viewing the .ani file, just to 
show that it is possible to do our own shiznat in SP2.

> From: "Larry Seltzer" <Larry () larryseltzer com>
> To: <full-disclosure () lists grok org uk>
> Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
> Date: Sun, 1 Apr 2007 07:49:58 -0400
>
> > > The issue is that this only works with DEP turned off!
>
> Interesting point. I haven't seen this mentioned anywhere, including the
> Microsoft advisory
> (http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
> Has anyone actually tested this with DEP on/off to be sure?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry_seltzer/
> Contributing Editor, PC Magazine
> larryseltzer () ziffdavis com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Exercise your brain! Try Flexicon. 
http://games.msn.com/en/flexicon/default.htm?icid=flexicon_hmemailtaglinemarch07

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/