| ||||
|
| ||||
|
Sponsored by: 
Affiliates:                
EC-Council ECSA Training Videos
Web Hosting: |
Counter WMF Exploit with the WMF Exploit Update: 1/6/2005 Looks like AV on this server delete the image files.
I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. I've embedded the image in this page with both a JPG and a WMF extension, but depending on how things are set up it may not run. If you are using Internet Explorer and did not get an Antivirus Warning about Bloodhound.*.* or nothing seemed to happen you can try it out by right clicking these links: Links no longer work, see above
http://www.irongeek.com/images/wmfunreg.wmf and trying to opens the images in "Windows Picture and Fax viewer". FireFox users would also more than likely have to right click, download the file and open it manually to see any effect. If you see a message like:
that means it ran, other wise your AV may have picked it up, the problem has been fixed, shimgvw.dll had already been unregistered or I just screwed the pooch. If you wonder what options I gave to Metasploit to get this WMF file this screenshot should help you out:
Thanks to AcidTonic and kn1ghtl0rd for the idea of using the exploit to "patch" the hole. Date: 01/03/2006 More info:
http://www.securityfocus.com/bid/16074/
blog comments powered by Disqus
Ten most recent posts on Irongeek.com:
| |||
RSS
Printable version of this article
If
you would like to republish one of the articles from this site on your
webpage or print journal please contact IronGeek.
Copyright 2010, IronGeek
Louisville / Kentuckiana Information Security Enthusiast