Counter WMF Exploit with the WMF Exploit

[Irongeek]

I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:

http://www.irongeek.com/i.php?page=security/counterwmf

More of a fun experiment than anything.

[the_JinX]

Nice.. beat the bastards at their game..

It's half a solution (only stops the 'first' exploit)..
the other gdi32.dll exploits remain..

Rather cool though !!

[Irongeek]

Thanks, but I have to admit that AcidTonic gave me the idea.

[Neptune0z]

Interesting idea...There's a lot of talk right now about using worms/trojans and such to scan and identify hosts that are vulnerable to new exploits. These systems are then "infected" with a patch that resolves the issue, after which they then begin to scan for more vulnerable hosts (Using very little bandwidth of course)...However, this is a very grey area...Even though the majority of people would consider such software to be good, there is no getting around the fact that such software is running code on someone else machine without permission...It's definatly an interesting idea though...

[MrBabis]

Here is a little bit about how to prevent that kind of exploit
http://castlecops.com/p342590-HotFix...em_884020.html
one hotfix and what dll to unregister

On the main page, thay have also one tool that can check WMF

adding just for fun... results of scanning jpg file

AntiVir Found nothing
ArcaVir Found nothing
Avast Found WMF Exploit
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/WMF.fam!exploit
Kaspersky Anti-Virus Found Exploit.Win32.IMG-WMF (probable variant)
NOD32 Found probably a variant of Win32/Exploit.WMF (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

[mmelby]

If you do not want to wait for the MS patch there is another patch recommended by SANS and F-secure that you can impliment until the MS patch is out. You can get information about the author and the patch at:

http://news.com.com/Beating+Microsof...8132&subj=news


The SANS information is at:

http://isc.sans.org/diary.php?date=2006-01-03


The F-secure information is at:

http://www.f-secure.com/weblog/archi....html#00000767


Regards, m2


***PS - I just found some of these links on another MASSIVE thread... sorry for any duplication

[Tiger Shark]

Yep... Iflak's patch is the only game in town right now... There was an .msi early today but then there was a report that MS' patch had been leaked and removed... I never looked into it because I was already deep into Iflak's patch deployment.

[ZOverLord]

Originally posted here by Irongeek
I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:

http://www.irongeek.com/i.php?page=security/counterwmf

More of a fun experiment than anything.

Be Careful, because if anyone who still has an unprotected system thinks somehow this can save them, it is just as easy to create a payload to re-register, so it might be better if people use safe test files like this instead of thinking it's not possible to re-register this .dll via the same method:

Current Test Files Located Here:

http://www.antionline.com/showthread...hreadid=273053