CVE-2005-0803
published 2005-05-02

Priority: P4 (31)
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 70.77% (99.3rd percentile)
The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."

Detection & IOCs (extracted from sources)

Filename: MS053.wmf
WMF PoC header bytes:
d7 cd c6 9a 00 00 c6 fb ca 02 aa 02 39 09 e8 03 00 00 00 00 66 a6 01 00 09 00 00 03 ff ff ff 7f 00 00 ff ff ff ff 00 00
EMF PoC header bytes:
01 00 00 00 64 00 00 00 93 00 00 00 02 00 00 00 83 01 00 00 39 01 00 00 00 00 00 00 00 00 00 00 d1 08 00 00 be 06 00 00 20 45 4d 46 00 00 01 00 78 00 00 00 17 00 00 00 03 00 00 00 0f 00 00 00 64 00 00 00 41 00 00 00 c8 12 00 00 c2 1a 00 00 cc 00 00 00 22 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 14 00 00 00 41 00 00 00 41 42 43 44 00 00 01 ff
  • Crafted EMF file exploits GetEnhMetaFilePaletteEntries in GDI32.DLL via invalid end/emreof/palent offsets; detect malformed EMF files with anomalous palette entry offsets processed by gdi32.dll.
  • The crafted EMF file contains the magic bytes '20 45 4d 46' (' EMF') at offset 0x28; combined with anomalous/truncated record structure (total size 0x78, only 17 records, ending with 00 00 01 ff), this can be used as a signature for the PoC file.
  • WMF PoC file header starts with magic bytes 'd7 cd c6 9a'; combined with mtNoObjects=0x0000 at byte offset 26-27 of the WMF header, this pattern identifies the malicious WMF.
  • The EMF PoC (exploit 25231) targets Windows XP/2000/2003 via the vulnerable gdi32.dll; scope is limited to unpatched systems.