CVE-2004-0200

Microsoft .NET Framework - Remote Code Execution via JPEG COM Field Length Overflow


Exploitation Summary

EIP tracks 6 public exploits for CVE-2004-0200. PoCs published by M4Z3R, John Bissell, ATmaCA.

AI-analyzed exploit summary: This exploit targets CVE-2004-0200, a buffer overflow vulnerability in the GDI+ library used by Microsoft Windows to process JPEG images. The exploit includes multiple payloads (reverse shell, bind shell, HTTP download, and admin addition) embedded in a malformed JPEG file to achieve remote code execution.

Description

Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.

Exploits (6)

exploitdb WORKING POC VERIFIED
by M4Z3R · c · remote · windows
https://www.exploit-db.com/exploits/556

This exploit targets CVE-2004-0200, a buffer overflow vulnerability in the GDI+ library used by Microsoft Windows to process JPEG images. The exploit includes multiple payloads (reverse shell, bind shell, HTTP download, and admin addition) embedded in a malformed JPEG file to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows GDI+ (JPEG processing)
No auth needed
Prerequisites: Vulnerable version of GDI+ library · Ability to deliver malformed JPEG file to target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by John Bissell · c · remote · windows
https://www.exploit-db.com/exploits/480

This exploit targets CVE-2004-0200, a buffer overflow vulnerability in GDI+ JPEG processing. It includes shellcode for both reverse and bind shell attacks, designed to work on NT-based Windows systems.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows GDI+ (unpatched versions)
No auth needed
Prerequisites: Unpatched Windows system · Victim interaction (e.g., opening a malicious JPEG file)
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by ATmaCA · c · remote · windows
https://www.exploit-db.com/exploits/478

This exploit targets CVE-2004-0200, a buffer overflow vulnerability in Windows GDI+ JPEG processing. It uses a crafted JPEG file with embedded shellcode to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows GDI+ (MS04-028)
No auth needed
Prerequisites: Vulnerable Windows system with GDI+ · Ability to deliver malicious JPEG file to target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Elia Florio · bash · remote · windows
https://www.exploit-db.com/exploits/475

This exploit targets CVE-2004-0200, a heap overflow vulnerability in GDI+ (GDIPLUS.DLL) on Windows XP SP1. It crafts a malicious JPEG file that, when processed, executes shellcode to create a user in the Administrators group.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP1 (GDIPLUS.DLL versions 5.1.3097.0 and 5.1.3101.0)
No auth needed
Prerequisites: Target must be running Windows XP SP1 with vulnerable GDIPLUS.DLL · Victim must open the crafted JPEG file
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by FoToZ · c · remote · windows
https://www.exploit-db.com/exploits/472

This exploit targets a buffer overflow vulnerability in GDI+ (CVE-2004-0200) by crafting a malicious JPEG file. The shellcode executes cmd.exe on Windows XP SP1 by leveraging a hardcoded address for system().

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft GDI+ (Windows XP SP1)
No auth needed
Prerequisites: Unpatched Windows XP SP1 system · Ability to deliver malicious JPEG file to target
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by perplexy · bash · dos · windows
https://www.exploit-db.com/exploits/474

This exploit targets a JPEG parsing vulnerability in Microsoft Windows (CVE-2004-0200) by crafting a malicious JPEG file. It triggers a crash via a 0 or 1 length field in the JPEG header, with placeholder addresses for potential shellcode execution.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows (IE JPEG parsing)
No auth needed
Prerequisites: Victim must open or hover over the malicious JPEG file in Internet Explorer
devstral-2 · analyzed Feb 16, 2026

References (16)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3038
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1105
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/297462
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA04-260A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3320
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2706
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=109524346729948&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1721
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3082
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4003
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3810
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4216
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4307
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3881
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/16304

Scores

EPSS 0.4902
EPSS Percentile 98.7%

Details

Status published
Products (40)
microsoft/.net_framework 1.0 sp2
microsoft/digital_image_pro 7.0
microsoft/digital_image_pro 9
microsoft/digital_image_suite 9
microsoft/excel 2002
microsoft/excel 2003
microsoft/frontpage 2002
microsoft/frontpage 2003
microsoft/greetings 2002
microsoft/infopath 2003
... and 30 more
Published Sep 28, 2004
Tracked Since Feb 18, 2026