The attached proof of concept exploit triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys.
f8fe51bd5f2d627380ec1e9bcb00b3ca0c6353262e9aa8b4b1b4ac9c99cb457a
The Microsoft Windows kernel suffers from a pool buffer overflow in NtGdiStretchBlt.
cec5a4d82cefd5f7408a48e23c6eaff40a66ebae181a5611b5534e09b970f5cc