WMF SETABORTPROC exploit

To: hdm@xxxxxxxxxxxxxx
Subject: WMF SETABORTPROC exploit
From: SanjayR <sanjayr@xxxxxxxxxx>
Date: Tue, 03 Jan 2006 14:14:43 +0530
Cc: bugtraq@xxxxxxxxxxxxxxxxx, vuln-dev@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi Moore et al (and All):

I was trying to understand the wmf setabortproc exploit code. I gotconfused over one point. In the code, under the point "StandardMetaRecord -Escape()", you have given the value of WORD function as 0x0026 and otherpossible values can be (according to the code) 0x0626, 0xff26 etc. And thevalue of the parameter is 9, which is call to SETABORTPROC. But, instead offinding these definitions in WINDOWS.H, as stated in the code, I found themin wingdi.h. Now my question is, from where I can get the other values ofescape functions (like those stated by you)? In wingdi.h, i got only0x0626. Please any clue from anybody will be appreciated.


Regards
Sanjay


Sanjay Rawat

Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com

Prev by Date: Re: Drupal all versiyon xss cehennem.org
Next by Date: Re: [Full-disclosure] WMF round-up, updates and de-mystification
Previous by thread: RE: WMF round-up, updates and de-mystification
Next by thread: [eVuln] VEGO Web Forum SQL Injection Vulnerability
Index(es):
- Date
- Thread