Counter WMF Exploit with the WMF Exploit
Results 1 to 8 of 8

Thread: Counter WMF Exploit with the WMF Exploit

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Counter WMF Exploit with the WMF Exploit

    I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:

    http://www.irongeek.com/i.php?page=security/counterwmf

    More of a fun experiment than anything.

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Nice.. beat the bastards at their game..

    It's half a solution (only stops the 'first' exploit)..
    the other gdi32.dll exploits remain..

    Rather cool though !!
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Thanks, but I have to admit that AcidTonic gave me the idea.

  4. #4
    Interesting idea...There's a lot of talk right now about using worms/trojans and such to scan and identify hosts that are vulnerable to new exploits. These systems are then "infected" with a patch that resolves the issue, after which they then begin to scan for more vulnerable hosts (Using very little bandwidth of course)...However, this is a very grey area...Even though the majority of people would consider such software to be good, there is no getting around the fact that such software is running code on someone else machine without permission...It's definatly an interesting idea though...
    We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we\'ll all be millionaires and rockstars - But we won\'t.
    And we are slowly learning this fact...And we are VERY pissed off about it!

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    Here is a little bit about how to prevent that kind of exploit
    http://castlecops.com/p342590-HotFix...em_884020.html
    one hotfix and what dll to unregister

    On the main page, thay have also one tool that can check WMF

    adding just for fun... results of scanning jpg file

    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found WMF Exploit
    AVG Antivirus Found nothing
    BitDefender Found Exploit.Win32.WMF-PFV
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found W32/WMF.fam!exploit
    Kaspersky Anti-Virus Found Exploit.Win32.IMG-WMF (probable variant)
    NOD32 Found probably a variant of Win32/Exploit.WMF (probable variant)
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing
    // too far away outside of limit

  6. #6
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    If you do not want to wait for the MS patch there is another patch recommended by SANS and F-secure that you can impliment until the MS patch is out. You can get information about the author and the patch at:

    http://news.com.com/Beating+Microsof...8132&subj=news


    The SANS information is at:

    http://isc.sans.org/diary.php?date=2006-01-03


    The F-secure information is at:

    http://www.f-secure.com/weblog/archi....html#00000767


    Regards, m2


    ***PS - I just found some of these links on another MASSIVE thread... sorry for any duplication
    Work... Some days it's just not worth chewing through the restraints...

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Yep... Iflak's patch is the only game in town right now... There was an .msi early today but then there was a report that MS' patch had been leaked and removed... I never looked into it because I was already deep into Iflak's patch deployment.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Junior Member
    Join Date
    Jul 2005
    Posts
    26

    Re: Counter WMF Exploit with the WMF Exploit

    Originally posted here by Irongeek
    I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:

    http://www.irongeek.com/i.php?page=security/counterwmf

    More of a fun experiment than anything.
    Be Careful, because if anyone who still has an unprotected system thinks somehow this can save them, it is just as easy to create a payload to re-register, so it might be better if people use safe test files like this instead of thinking it's not possible to re-register this .dll via the same method:

    Current Test Files Located Here:

    http://www.antionline.com/showthread...hreadid=273053
    Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •