[Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
- From: asotirov at determina.com (Alexander Sotirov)
- Subject: [Full-disclosure] Windows .ANI LoadAniIcon Stack Overflow
- Date: Mon, 02 Apr 2007 01:49:42 -0700
Larry Seltzer wrote:

> Perhaps your exploit proves this wrong, but it's the last I heard on the
> subject. And even if there are only 256 slots how do you try more than
> one? Isn't the first wrong one going to crash the browser?

Read our advisory:

http://www.determina.com/security.research/vulnerabilities/ani-header.html

It explains that the vulnerable code is wrapped in an exception handler that recovers from access violations. That means that you can trigger the exploit multiple times and try different addresses, increasing the chance of hitting the right one (you only need 128 tries on average).

A much simpler solution is to use heap spraying (which works fine on Vista) for systems that don't have DEP enabled.

> As for the exploits in protected mode I'm sure there are things you can
> do, but it's a huge step down from what you can do in XP and it's gone
> as soon as you exit IE7

Unless somebody has a Vista exploit for the CSRSS kernel bug :-)

In general I agree that protected mode presents additional constraints on exploitation, but I would reserve judgment until we've seen a few more exploits and more public research.

Alex