-
January 3rd, 2006, 11:28 PM
#1
Counter WMF Exploit with the WMF Exploit
I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:
http://www.irongeek.com/i.php?page=security/counterwmf
More of a fun experiment than anything.
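As an added example (not the Metasploit module, and not anything posted in the thread), here is a small Python parser that walks the record stream of a WMF file and flags the record the exploit relies on: a META_ESCAPE (0x0626) record whose escape function is SETABORTPROC (9). The sample files are constructed inline; the "trigger" sample carries plain filler bytes where a real exploit file would carry code, so it is safe to build and parse anywhere. The check keys on content, not the file extension.

```python
import struct

META_EOF        = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE     = 0x0626
SETABORTPROC    = 0x0009      # Escape sub-function abused by the exploit
PLACEABLE_KEY   = 0x9AC6CDD7  # Aldus placeable metafile signature


def build_wmf(records, placeable=False):
    """Assemble a minimal standard WMF from (function, rdParm bytes) pairs.
    Each record is: size in words (u32), function (u16), parameters.
    A trailing META_EOF is appended. Constructed for this demonstration only."""
    body = b""
    max_words = 3
    for func, parm in list(records) + [(META_EOF, b"")]:
        if len(parm) % 2:
            parm += b"\x00"                      # records are word aligned
        words = 3 + len(parm) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + parm
    total_words = 9 + len(body) // 2
    # Type=2 (disk), HeaderSize=9 words, Version=0x0300, Size, NumObjects,
    # MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, max_words, 0)
    if placeable:
        ph = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0)
        checksum = 0
        for (w,) in struct.iter_unpack("<H", ph):  # XOR of the ten preceding words
            checksum ^= w
        header = ph + struct.pack("<H", checksum) + header
    return header + body


def iter_records(data):
    """Walk the record stream of a WMF, skipping a placeable header if present.
    Yields (offset, function, rdParm). Stops on META_EOF, on a record too
    small to advance past, or at end of data. A record whose declared length
    overruns the file is still yielded with whatever bytes exist, because a
    truncated trailing record is exactly the shape an exploit file may have."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    _, hdr_words, _ = struct.unpack_from("<HHH", data, off)
    if hdr_words != 9:
        raise ValueError("unexpected WMF header size %d words" % hdr_words)
    off += 18
    while off + 6 <= len(data):
        words, func = struct.unpack_from("<IH", data, off)
        end = off + words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF or words < 3:
            break
        off = end


def find_setabortproc(data):
    """Return (record offset, declared ByteCount, bytes actually present) for
    every META_ESCAPE record whose escape function is SETABORTPROC."""
    hits = []
    for off, func, parm in iter_records(data):
        if func != META_ESCAPE or len(parm) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", parm)
        if esc_func == SETABORTPROC:
            hits.append((off, byte_count, len(parm) - 4))
    return hits


# Constructed samples: a harmless placeable file with one SetMapMode record,
# and a file shaped like the exploit trigger where 16 'A' bytes stand in for
# the abort-procedure code (no shellcode is included here).
BENIGN_WMF = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))], placeable=True)
FILLER = b"A" * 16
TRIGGER_WMF = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 8)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("trigger", TRIGGER_WMF)):
        print(name, find_setabortproc(blob))
```

To scan a real file, read it in binary mode and pass the bytes to find_setabortproc; a non-empty result means the file contains the SetAbortProc escape and should be treated as hostile regardless of what it is named.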
-
January 3rd, 2006, 11:36 PM
#2
Nice... beat the bastards at their own game...
It's half a solution (only stops the 'first' exploit)...
the other gdi32.dll exploits remain...
Rather cool though!!
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
January 3rd, 2006, 11:52 PM
#3
Thanks, but I have to admit that AcidTonic gave me the idea.
-
January 4th, 2006, 12:15 AM
#4
Interesting idea... There's a lot of talk right now about using worms/trojans and such to scan for and identify hosts that are vulnerable to new exploits. These systems are then "infected" with a patch that resolves the issue, after which they begin to scan for more vulnerable hosts (using very little bandwidth, of course)... However, this is a very grey area... Even though the majority of people would consider such software to be good, there is no getting around the fact that such software is running code on someone else's machine without permission... It's definitely an interesting idea though...
We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we'll all be millionaires and rockstars - But we won't.
And we are slowly learning this fact... And we are VERY pissed off about it!
-
January 4th, 2006, 12:28 AM
#5
Here is a little bit about how to prevent that kind of exploit:
http://castlecops.com/p342590-HotFix...em_884020.html
one hotfix and which DLL to unregister.
On the main page, they also have one tool that can check WMF files.
Adding just for fun... results of scanning a JPG file:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found WMF Exploit
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/WMF.fam!exploit
Kaspersky Anti-Virus Found Exploit.Win32.IMG-WMF (probable variant)
NOD32 Found probably a variant of Win32/Exploit.WMF (probable variant)
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
// too far away outside of limit
-
January 4th, 2006, 11:08 PM
#6
If you do not want to wait for the MS patch, there is another patch recommended by SANS and F-Secure that you can implement until the MS patch is out. You can get information about the author and the patch at:
http://news.com.com/Beating+Microsof...8132&subj=news
The SANS information is at:
http://isc.sans.org/diary.php?date=2006-01-03
The F-Secure information is at:
http://www.f-secure.com/weblog/archi....html#00000767
Regards, m2
***PS - I just found some of these links on another MASSIVE thread... sorry for any duplication
Work... Some days it's just not worth chewing through the restraints...
-
January 5th, 2006, 12:23 AM
#7
Yep... Ilfak's patch is the only game in town right now... There was an .msi early today, but then there was a report that MS's patch had been leaked and removed... I never looked into it because I was already deep into Ilfak's patch deployment.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 9th, 2006, 12:47 PM
#8
Re: Counter WMF Exploit with the WMF Exploit
Originally posted here by Irongeek
I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:
http://www.irongeek.com/i.php?page=security/counterwmf
More of a fun experiment than anything.
Be careful: if anyone who still has an unprotected system thinks this can somehow save them, it is just as easy to create a payload that re-registers the DLL. It might be better if people use safe test files like these instead of thinking it is not possible to re-register this .dll via the same method:
Current Test Files Located Here:
http://www.antionline.com/showthread...hreadid=273053
Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com