CVE-2005-2123

Windows 2000 SP4, XP SP1-SP2, Server 2003 SP1 - Remote Code Execution via Crafted WMF/EMF Images

Exploitation Summary

EIP tracks 1 public exploit for CVE-2005-2123.

AI-analyzed exploit summary: This code generates a malformed WMF (Windows Metafile) that exploits a vulnerability in GDI (Graphics Device Interface) by setting the 'mtNoObjects' field to 0x0000, causing a crash in Windows Explorer. It was tested on Windows 2000 Server SP4 and is mitigated by MS05-053.

Description

Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.

Exploits (1)

exploitdb WORKING POC
c · dos · windows
https://www.exploit-db.com/exploits/1346

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows 2000 Server SP4 (GDI)
No auth needed
Prerequisites: Ability to deliver the crafted WMF file to the target system
devstral-2 · analyzed Feb 19, 2026

References (16)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1175
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17461
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2348
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015168
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1263
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A701
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17223
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17498
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/300549
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1063
Patch, Vendor Advisory x_refsource_misc
http://www.eeye.com/html/research/advisories/AD20051108b.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1546
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15352

Scores

EPSS 0.6960
EPSS Percentile 98.7%

Details

Status published
Products (6)
microsoft/windows_2000
microsoft/windows_2003_server 64-bit
microsoft/windows_2003_server itanium
microsoft/windows_2003_server r2
microsoft/windows_2003_server sp1 (2 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Nov 29, 2005
Tracked Since Feb 18, 2026