CVE-2007-1765

EXPLOITED

Microsoft Windows 2000 and 2003 Server - Remote Code Execution via Malformed ANI File

Title source: llm

Exploitation Summary

CVE-2007-1765 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 12 public exploits from researchers including Metasploit, devcode, and jamikazu, among them the Metasploit module exploits/windows/email/ms07_017_ani_loadimage_chunksize.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in the LoadAniIcon() function of USER32.dll via a malicious .ANI file delivered through an SMTP email with a CURSOR style sheet directive. It supports multiple targets, including Windows XP, 2000, and Vista, and includes payload generation and delivery mechanisms.

Description

Unspecified vulnerability in Microsoft Windows 2000 SP4 through Vista allows remote attackers to execute arbitrary code or cause a denial of service (persistent reboot) via a malformed ANI file, which results in memory corruption when processing cursors, animated cursors, and icons, a similar issue to CVE-2005-0416, as originally demonstrated using Internet Explorer 6 and 7. NOTE: this issue might be a duplicate of CVE-2007-0038; if so, then use CVE-2007-0038 instead of this identifier.

Exploits (12)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/16698

This Metasploit module exploits a stack buffer overflow in the LoadAniIcon() function of USER32.dll via a malicious .ANI file delivered through an SMTP email with a CURSOR style sheet directive. It supports multiple targets, including Windows XP, 2000, and Vista, and includes payload generation and delivery mechanisms.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (USER32.dll, Outlook Express)
No auth needed
Prerequisites: SMTP access to send emails · Target using Outlook Express or a vulnerable email client
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by devcode · c · local · windows
https://www.exploit-db.com/exploits/3652

This is a functional exploit for CVE-2007-0038, targeting a stack overflow in the LoadAniIcon function in user32.dll. It generates a malicious .ANI file and an HTML file to trigger the vulnerability via a crafted cursor, leading to arbitrary code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (XP SP2, 2000 SP4, Server 2003, Vista) with Internet Explorer 6/7
No auth needed
Prerequisites: User interaction (visiting a malicious webpage or opening a crafted email)
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by jamikazu · text · remote · windows
https://www.exploit-db.com/exploits/3634

This exploit targets a vulnerability in Windows Animated Cursor Handling (CVE-2007-0038), allowing remote code execution on vulnerable systems, including fully patched Windows Vista and XP SP2. The PoC invokes calc.exe upon successful exploitation, demonstrating arbitrary code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows Animated Cursor Handling (Windows Vista, XP SP2, and other NT-based systems)
No auth needed
Prerequisites: Victim must process a malicious animated cursor file (e.g., via web browser or email attachment)
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Trirat Puttaraksa · text · remote · windows
https://www.exploit-db.com/exploits/3635

This exploit targets a buffer overflow vulnerability in Microsoft ANI file handling (CVE-2007-1765) to execute arbitrary code (calc.exe) on Windows XP SP2 with IE 6 SP2. It leverages a crafted .ani file and shellcode from Metasploit's win32_exec module.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2 with IE 6 SP2
No auth needed
Prerequisites: Victim must open a malicious .ani file · Target system must be unpatched for CVE-2007-1765
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by jamikazu · text · remote · windows
https://www.exploit-db.com/exploits/3636

This exploit targets a vulnerability in Windows Animated Cursor handling (CVE-2007-1765), allowing remote code execution on fully patched Windows Vista and XP SP2. It bypasses security patches and invokes calc.exe upon successful exploitation.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows Animated Cursor Handling (Windows Vista, XP SP2)
No auth needed
Prerequisites: Target system with vulnerable Windows version · Delivery mechanism for the malicious cursor file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by devcode · c++ · local · windows
https://www.exploit-db.com/exploits/3617

This is a functional exploit for CVE-2007-0038, targeting a stack overflow in the LoadAniIcon function in user32.dll. It crafts a malicious .ANI file with a malformed header and embedded shellcode to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (various versions including XP SP2, 2000 SP4, Server 2003, Vista)
No auth needed
Prerequisites: DEP must be disabled on XP SP2 for explorer.exe exploitation · User interaction required (e.g., visiting a malicious webpage or opening a crafted ANI file)
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
python · remote · windows
https://www.exploit-db.com/exploits/4045

This is a functional exploit for CVE-2007-1765, targeting a stack overflow vulnerability in Windows Animated Cursor handling. It generates a malicious ANI file embedded in an HTML page to trigger remote code execution via a reverse shell payload.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP2 and earlier (user32.dll, userenv.dll, shell32.dll)
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a crafted ANI file · Network connectivity for reverse shell callback
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
remote · windows
https://www.exploit-db.com/exploits/3651

This exploit generates a malicious .ANI file targeting a vulnerability in Windows cursor handling (CVE-2007-1765), leading to remote code execution via heap corruption. It was tested on Internet Explorer 6.x-7.x and Windows XP SP2/Vista.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (XP SP2, Vista), Internet Explorer 6.x-7.x
No auth needed
Prerequisites: Victim must open a malicious .ANI file (e.g., via web page or email attachment)
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c · local · windows
https://www.exploit-db.com/exploits/3695

This exploit generates a malicious .ANI file targeting CVE-2007-1765, a vulnerability in Windows Animated Cursor handling. It uses a JMP ESP address from ntdll.dll to redirect execution to a port-binding shellcode (port 13579).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on XP SP2)
No auth needed
Prerequisites: Victim must open the malicious .ANI file
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c · local · windows
https://www.exploit-db.com/exploits/3647

This exploit leverages a buffer overflow in the handling of .ANI files in Windows to execute arbitrary code (calc.exe). It crafts a malicious .ANI file with a large buffer and embedded shellcode, targeting a vulnerability in the parsing of animated cursor files.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (tested on XP SP2 FR)
No auth needed
Prerequisites: DEP must be disabled for exploitation via Explorer · Victim must open the malicious .ANI file
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c · dos · windows
https://www.exploit-db.com/exploits/3684

This exploit generates a malformed .ANI file that triggers a Denial of Service (DoS) in Microsoft Windows Explorer when the file is opened. The crafted file contains a manipulated header that causes Explorer to freeze.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows Explorer (tested on Windows XP SP2 FR)
No auth needed
Prerequisites: Ability to place a crafted .ANI file in a directory accessible to the victim
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GREAT
by hdm, skape · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/email/ms07_017_ani_loadimage_chunksize.rb

This Metasploit module exploits a stack buffer overflow in the LoadAniIcon() function of USER32.dll via a malicious .ANI file delivered through Outlook Express. It supports multiple targets, including Windows XP, 2000, and Vista, and uses a crafted ANI file embedded in an HTML email to trigger the vulnerability.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (XP SP0/SP1/SP2, 2000 SP0-SP4, Vista) via Outlook Express
No auth needed
Prerequisites: Victim must open the malicious email in Outlook Express · Target system must be vulnerable to CVE-2007-1765
devstral-2 · analyzed Feb 19, 2026

References (11)

Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/464287/100/0/threaded
Third Party Advisory x_refsource_misc
http://research.eeye.com/html/alerts/zeroday/20070328.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/464345/100/0/threaded
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/1151
Broken Link x_refsource_misc
http://vil.nai.com/vil/content/v_141860.htm
Third Party Advisory x_refsource_misc
http://www.avertlabs.com/research/blog/?p=230
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/23194
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1017827
Third Party Advisory x_refsource_misc
http://www.avertlabs.com/research/blog/?p=233

Scores

EPSS 0.5433
EPSS Percentile 98.9%

Details

VulnCheck KEV 2007-03-30
Status published
Products (10)
avaya/definity_one_media_server
avaya/ip600_media_servers
avaya/s3400
avaya/s8100
microsoft/ie 7.0
microsoft/internet_explorer < 6
microsoft/windows_2000 (20 CPE variants)
microsoft/windows_2003_server (4 CPE variants)
microsoft/windows_vista (9 CPE variants)
microsoft/windows_xp (4 CPE variants)
Published Mar 30, 2007
Tracked Since Feb 18, 2026