[Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
- From: devcode29 at hotmail.com (dev code)
- Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
- Date: Sun, 01 Apr 2007 15:05:37 +0000
I made a mistake in including "jmp esp" for XP SP2 because the stack cannot be executed (due to DEP of course :P). It is completely possible to execute shellcode if we can do some DEP bypass (i.e. ret2libc attack, etc.) to add execute access to the stack and jmp to our code. My PoC I updated yesterday (added as an attachment to the full-disclosure post) returns to ExitProcess() and closes explorer.exe upon viewing the .ani file, just to show that it is possible to do our own shiznat in SP2.

>From: "Larry Seltzer" <Larry at larryseltzer.com>
>To: <full-disclosure at lists.grok.org.uk>
>Subject: Re: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
>Date: Sun, 1 Apr 2007 07:49:58 -0400
>
>>The issue is that this only works with DEP turned off!
>
>Interesting point. I haven't seen this mentioned anywhere, including the
>Microsoft advisory
>(http://www.microsoft.com/technet/security/advisory/935423.mspx).
>
>Has anyone actually tested this with DEP on/off to be sure?
>
>Larry Seltzer
>eWEEK.com Security Center Editor
>http://security.eweek.com/
>http://blog.eweek.com/blogs/larry_seltzer/
>Contributing Editor, PC Magazine
>larryseltzer at ziffdavis.com
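The thread turns on whether DEP is actually enforced for the process that parses the .ani file (explorer.exe in the PoC above). The script below is an added example, not part of the original post or its attachment: it reports the host's system-wide DEP policy and then asks the kernel, per process, whether DEP is enabled for it. It assumes a modern Windows host with PowerShell 5.1 or later (the CIM cmdlets do not exist on XP SP2, which the post discusses) and an elevated session so that explorer.exe can be opened for query; `Get-ProcessDepStatus` and the `Win32.Dep` type name are names chosen for this example.

```powershell
# Added example (not from the original post): audit DEP posture on a Windows host.
# Assumes PowerShell 5.1+ on a supported Windows version, run from an elevated session.

# 1. System-wide policy, as exposed by Win32_OperatingSystem.
#    DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
#    2 = OptIn (only Windows binaries are covered by default), 3 = OptOut.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

[pscustomobject]@{
    DepAvailable  = $os.DataExecutionPrevention_Available          # CPU/OS support present
    Dep32BitApps  = $os.DataExecutionPrevention_32BitApplications  # applies to 32-bit processes
    SupportPolicy = "$policy ($($policyNames[$policy]))"
}

# 2. Per-process state via kernel32!GetProcessDEPPolicy.
#    The API is documented for 32-bit processes; 64-bit processes always run with DEP enforced.
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

function Get-ProcessDepStatus {
    param([string]$Name = 'explorer')   # hypothetical helper name chosen for this example
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        [uint32]$flags = 0
        [bool]$permanent = $false
        # $p.Handle opens the process with query rights; fails without sufficient privilege.
        $ok = [Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)
        [pscustomobject]@{
            Process    = "$($p.ProcessName) ($($p.Id))"
            QueryOk    = $ok
            DepEnabled = [bool]($flags -band 1)   # PROCESS_DEP_ENABLE
            Permanent  = $permanent               # cannot be switched off by the process itself
        }
    }
}

Get-ProcessDepStatus -Name 'explorer'
```

A host reporting `OptIn` with `DepEnabled = False` for the process that opens untrusted icon or cursor files is the configuration the quoted reply was asking about; `AlwaysOn` (or `OptOut` with no exemption for that process) is the posture under which a plain stack-executing payload fails as described above.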