CVE-2005-0803

Windows 2000 - Denial of Service via Crafted Enhanced Metafile

Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-0803. PoCs published by Hongzhen Zhou.

Description

The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Hongzhen Zhou · text · dos · windows
https://www.exploit-db.com/exploits/25231

This exploit leverages a denial of service vulnerability in Microsoft Windows GDI library 'gdi32.dll' by using a malformed EMF image file. The provided hex dump represents a crafted EMF file that triggers the vulnerability, causing a denial of service condition.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows GDI library (gdi32.dll)
No auth needed
Prerequisites: Ability to deliver a malformed EMF file to the target system
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
c · dos · windows
https://www.exploit-db.com/exploits/1346

This code generates a malformed Windows Metafile (WMF) that exploits CVE-2005-0803 by setting the 'mtNoObjects' field to 0x0000, causing a crash in Windows Explorer. It was tested on Windows 2000 SP4 and bypasses the MS05-053 hotfix.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows (Windows 2000 SP4)
No auth needed
Prerequisites: Vulnerable Windows system without MS05-053 hotfix
devstral-2 · analyzed Feb 19, 2026

References (18)

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/20580
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1152
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/19727
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17461
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2348
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/134756
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/14631
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/12834
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015168
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17223
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1240
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=111108743527497&w=2
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1121
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1215
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A671

Scores

EPSS 0.7808
EPSS Percentile 99.0%

Details

CWE: CWE-399
Status: published
Products (1): microsoft/windows_2000 (5 CPE variants)
Published: May 02, 2005
Tracked Since: Feb 18, 2026