CVE-2008-1087

Microsoft Windows - Buffer Overflow


Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-1087. PoCs published by Ac!dDrop, Lamhtz.

AI-analyzed exploit summary: This exploit targets a stack buffer overflow in the EMR_COLORMATCHTOTARGETW function in GDI32.dll, part of MS08-021. It includes payloads for executing a calculator and establishing a reverse shell connection to localhost on port 230.

Description

Stack-based buffer overflow in GDI in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, and Server 2008 allows remote attackers to execute arbitrary code via an EMF image file with crafted filename parameters, aka "GDI Stack Overflow Vulnerability."

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Ac!dDrop · text · remote · windows
https://www.exploit-db.com/exploits/6656

This exploit targets a stack buffer overflow in the EMR_COLORMATCHTOTARGETW function in GDI32.dll, part of MS08-021. It includes payloads for executing a calculator and establishing a reverse shell connection to localhost on port 230.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP Professional SP1 with GDI32.dll 5.1.2600.1106
No auth needed
Prerequisites: Vulnerable version of GDI32.dll · Ability to deliver malicious EMF file to target
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Lamhtz · c++ · local · windows
https://www.exploit-db.com/exploits/5442

This exploit generates a crafted EMF file to trigger a stack overflow in the GDI API (CVE-2008-1083), leading to arbitrary code execution (calc.exe) on Windows 2000 SP4 CHS or a crash on Windows XP SP2. The exploit leverages a vulnerability in the handling of EMF files to achieve remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows 2000 SP4 CHS, Windows XP SP2 (GDI API)
No auth needed
Prerequisites: Target system must be unpatched for MS08-021 · Target must open the crafted EMF file
devstral-2 · analyzed Feb 18, 2026

References (11)

Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5580
Broken Link vdb-entry x_refsource_osvdb
http://www.osvdb.org/44215
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-099A.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=120845064910729&w=2
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/1145/references
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/28570
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/6656
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/5442
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1019798
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29704

Scores

EPSS 0.7508
EPSS Percentile 98.9%

Details

CWE: CWE-119
Status: published
Products (5)
microsoft/windows-nt 2008 (3 CPE variants)
microsoft/windows_2000
microsoft/windows_2003_server (6 CPE variants)
microsoft/windows_vista
microsoft/windows_xp (3 CPE variants)
Published Apr 08, 2008
Tracked Since Feb 18, 2026