Starred by 2 users
Status: Fixed
Closed: Jun 2015
Windows kernel: pool buffer overflow drawing caption bar
Reported by cevans@google.com, Apr 8 2015
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I managed to get a blue screen easily (Win 7 32-bit) but had to use the bruteforce python script, perhaps because my VM resolution is 800x600.

Note that the Python script is Python 3 syntax.

---
The PoC triggers a crash due to a pool buffer overflow while drawing the caption bar of a window. The trigger depends on the current window layout and resolution. The PoC takes an offset on the command line to be able to test with different values; I tested this on two different Win7 32-bit VMs and had success with 0 and 475000 (resolution was 1024x768 and 1280x1024). A bruteforce Python script is also attached which should trigger a crash fairly quickly. Use as follows:

cl.exe bug321.cpp user32.lib
bug321.exe 0
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
crash321.txt (9.1 KB)
brute.py (146 bytes)
bug321.cpp (915 bytes)
Comment 1 by cevans@google.com, Apr 8 2015
Labels: Id-21876
Comment 2 by cevans@google.com, Jun 4 2015
Labels: CVE-2015-1727
Project Member Comment 4 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit