A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle




Counter WMF Exploit with the WMF Exploit

 

Counter WMF Exploit with the WMF Exploit

Update: 1/6/2005 Looks like AV on this server delete the image files.

    I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12  Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. I've embedded the image in this page with both a JPG and a WMF extension, but depending on how things are set up it may not run. If you are using Internet Explorer and did not get an Antivirus Warning about  Bloodhound.*.* or nothing seemed to happen you can try it out by right clicking these links:

Links no longer work, see above

http://www.irongeek.com/images/wmfunreg.wmf
http://www.irongeek.com/images/wmfunreg.jpg

and trying to opens the images in "Windows Picture and Fax viewer". FireFox users would also more than likely have to right click, download the file and open it manually to see any effect. If you see a message like:

that means it ran, other wise your AV may have picked it up, the problem has been fixed, shimgvw.dll had already been unregistered or I just screwed the pooch. If you wonder what options I gave to Metasploit to get this WMF file this screenshot should help you out:

 Thanks to AcidTonic and kn1ghtl0rd for the idea of using the exploit to "patch" the hole.

Date: 01/03/2006

More info:

http://www.securityfocus.com/bid/16074/
http://en.wikipedia.org/wiki/Windows_Metafile
http://en.wikipedia.org/wiki/2005_WMF_vulnerability
http://www.podcastincubator.com/krt/shows.php
 

 

 

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast