funsec mailing list archives

Fun with: disassembling GDI32.dll


From: "Hubbard, Dan" <dhubbard () websense com>
Date: Mon, 6 Feb 2006 15:13:56 -0800

For those interested, we just posted this on our blog:

Microsoft Windows is vulnerable to remote code execution in GDI32.dll
(Graphical Device Interface). An exploit containing this vulnerability
was found in the wild by Websense Security Labs on 12/27/2005.

This vulnerability was exploited in the wild as early as 12/15/2005 to
install various malicious programs. In order to successfully exploit
this vulnerability, an attacker is only required to lure the victim to
an infected website. The number of websites currently hosting malicious
code has steadily increased since the exploit was made public.

This paper will disassemble GDI32.dll and provide a detailed analysis of
the code flow leading to the vulnerability. Readers are expected to be
familiar with x86 assembly instructions to follow this document.

http://www.websensesecuritylabs.com/images/alerts/ms06-001.pdf

_______________________________
Dan Hubbard
Security & Technology Research
Websense Security Labs
http://www.WebsenseSecurityLabs.com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

