CVE-2005-2124

Windows 2000 SP4, XP SP1-SP2, Server 2003 SP1 - Remote Code Execution via Crafted WMF Image


Exploitation Summary

EIP tracks 2 public exploits for CVE-2005-2124. PoCs published by Winny Thomas.

AI-analyzed exploit summary: This code generates a malformed WMF (Windows Metafile) file that exploits CVE-2005-0803 by setting the 'mtNoObjects' field in the metafile header to 0x0000, causing a crash in Windows Explorer. The exploit targets a vulnerability in the GDI library, which was patched by MS05-053.

Description

Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked buffer" and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka "Windows Metafile Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Winny Thomas · cdoswindows
https://www.exploit-db.com/exploits/1346

This code generates a malformed WMF (Windows Metafile) file that exploits CVE-2005-0803 by setting the 'mtNoObjects' field in the metafile header to 0x0000, causing a crash in Windows Explorer. The exploit targets a vulnerability in the GDI library, which was patched by MS05-053.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows (GDI library), specifically Windows 2000 Server SP4
No auth needed
Prerequisites: A vulnerable Windows system without the MS05-053 hotfix
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Winny Thomas · cdoswindows
https://www.exploit-db.com/exploits/1343

This exploit generates a malformed Windows Metafile (WMF) that triggers a DoS condition (100% CPU utilization) when viewed in Internet Explorer on unpatched Windows 2000 SP4 systems. It leverages a vulnerability in GDI (MS05-053) by crafting a WMF file with specific header and record structures.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Windows 2000 SP4 (GDI component)
No auth needed
Prerequisites: Unpatched Windows 2000 SP4 system · Victim must open the crafted WMF file in Internet Explorer
devstral-2 · analyzed Feb 16, 2026

References (13)

US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA05-312A.html
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/161
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17461
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2005/2348
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015168
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17223
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17498
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/15356
Patch, Vendor Advisory x_refsource_misc
http://www.eeye.com/html/research/advisories/AD20051108b.html
Patch, Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/433341

Scores

EPSS 0.5571
EPSS Percentile 98.9%

Details

Status published
Products (6)
microsoft/windows_2000
microsoft/windows_2003_server 64-bit
microsoft/windows_2003_server itanium
microsoft/windows_2003_server r2
microsoft/windows_2003_server sp1 (2 CPE variants)
microsoft/windows_xp (3 CPE variants)
Published Nov 29, 2005
Tracked Since Feb 18, 2026