
Thread: WMF code execution Metasploit question please?

  1. #1
    Junior Member
    Join Date
    Jan 2006

    WMF code execution Metasploit question please?

    How do you embed code into an image? Also, where do I get the code for the "WMF Code Execution Vulnerability with Metasploit"?

    This is a project for a college class. My lab partner and I will be using the above to demonstrate the possible vulnerabilities on our own computers. We understand most of Irongeek's tutorial but are having trouble getting started.


  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    I would suggest that you do some research into image files, their nature and functionality.

    How do you embed code into an image?
    That is called "steganography": a process where data are embedded into (generally) image or music files. There is a forum on this site about it, and there is lots of stuff on the internet, including free examples. I would suggest that you check this out and get a copy. It is quite impressive to the uninitiated and will also serve to demonstrate the difference between it and the WMF vulnerability.

    Basically, the steganographic process embeds code (text) into a pre-rendered image file such as a BMP, GIF or JPG. By analogy, you use a viewer to display the pre-rendered files, just like looking at an electronic slideshow or photograph album. The "viewer" does not actually execute anything; it just opens and displays an image that already exists.

    I am only aware of one malware that would exploit these pre-rendered image files. It was a POC that came out about 5 years ago. It was a bit of a cheat, as you had to load a second malware to go and find it and execute it.

    WMF files are a very different kettle of fish. They do not actually contain an image, but the code or instructions to generate that image "on the fly", so to speak. The actual image is drawn when you open the WMF file. They don't have a default application, and you would typically open them in a web browser or some other application capable of executing code, because that is what they effectively are.

    In this situation, it is much easier to visualise a specially crafted WMF file being able to execute malicious instructions along with apparently "normal" ones; after all, that is what a Trojan horse program does, is it not?

    So, with a WMF file, all you have to do is insert the correct instructions and they will be executed; they are just additional lines of code.

  3. #3
    The Recidivist
    Join Date
    Nov 2002
    Okay, just to check basics. You are aware that Metasploit is a penetration testing tool? I noticed that you did not capitalize Metasploit in your post and wasn't sure if this was a grammatical error or you weren't aware that Metasploit is a specific tool.

    For more info on Metasploit you can go here.

    This has been a love/hate tool for the security community for one reason: its ease of use. When it first came out it was only command line. With the web interface now, it's basically point and hack (or crack, for you PC bastards).

    There are a lot of tutorials for this tool. Just Google around.

    "Where the tree of knowledge stands, there is always paradise": thus speak the oldest and the youngest serpents.
    - Friedrich Nietzsche

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hi Ryan,

    The latest versions of Metasploit will support WMF vulnerabilities (2.5, or maybe 3.0?)

    Here is some stuff from Irongeek on the same topic:


    Isis-3 Please read the instructions..................for research only?

  5. #5
    Junior Member
    Join Date
    Jan 2006
    My thanks to both of you. Yes, this is for educational purposes. My lab partner and I will be using it on our two home computers and then writing about it for class.

  6. #6
    Senior Member
    Join Date
    Mar 2004

    How do you embed code into an image?
    Let me comment on two well-known GDI vulnerabilities,
    and how they relate to "embedding code into images".

    jpg buffer overflow

    About a year ago, there was a jpg buffer overflow[1] in
    the GDI dll: "an image could execute arbitrary code".
    How did this work?

    One part of the JPG file format is of a descriptive nature.
    Since the length of the description may vary, the JPG file
    itself contains the information about this length. Since the
    GDI dll at that time had a flaw in the allocation of memory,
    code stored in this very description could be executed.
    Hence, although the "image section" of the JPG file was
    valid, the "comment section" contained the code.

    wmf vulnerability

    Recently, a WMF vulnerability[2] has been responsible for a lot of
    heated discussions. Here, the GDI Escape (gdi32.lib) function
    can be misused (via SETABORTPROC[3]): the WMF file itself
    can point to the code to be executed, which again is stored
    in the WMF file itself.

    The available exploit uses Windows Picture and Fax Viewer (SHIMGVW.DLL)
    as an attack vector. Disabling this functionality by unregistering the
    dll removes a condition of the vulnerability, hence the exploit does
    not work anymore. Still, the underlying security flaw is available
    for further exploitation (thus, patch it).


    [1] http://marc.theaimsgroup.com/?l=bugt...4346729948&w=2
    [2] http://www.kb.cert.org/vuls/id/181038
    [3] http://msdn.microsoft.com/library/de...tspol_0883.asp
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
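The mechanism post #6 describes (a META_ESCAPE record whose subfunction is SETABORTPROC) is something a defender can look for in a file before a viewer ever renders it. The following scanner is an added example, not code from the thread or from Metasploit; it walks the WMF record stream and flags such escape records. The record layout (optional 22-byte placeable header, 18-byte META_HEADER, records of uint32 size-in-words plus uint16 function) follows the published WMF format; the sample files and the `build_wmf` helper are constructed here, and the flagged record carries inert zero bytes rather than any payload.

```python
import struct

META_ESCAPE = 0x0626       # record function: hand an Escape to the GDI driver
META_SETWINDOWORG = 0x020B # an ordinary drawing record, used for the benign sample
SETABORTPROC = 0x0009      # Escape subfunction named in post #6
PLACEABLE_MAGIC = struct.pack("<I", 0x9AC6CDD7)  # Aldus placeable header key

def wmf_records(data: bytes):
    """Yield (function, params) for every record in a WMF byte string."""
    pos = 22 if data[:4] == PLACEABLE_MAGIC else 0   # skip placeable header
    if len(data) < pos + 18:
        raise ValueError("truncated META_HEADER")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]  # HeaderSize
    pos += header_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                       # a record is at least 3 words
            raise ValueError("malformed record size at offset %d" % pos)
        yield func, data[pos + 6: pos + size_words * 2]
        if func == 0:                            # META_EOF
            break
        pos += size_words * 2

def find_setabortproc(data: bytes):
    """Return the ByteCount of each Escape record whose subfunction is SETABORTPROC."""
    hits = []
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append(byte_count)
    return hits

def build_wmf(records):
    """Constructed helper: assemble a minimal disk-type WMF from (function, params) pairs."""
    body = b""
    for func, params in records + [(0, b"")]:    # append META_EOF
        body += struct.pack("<IH", (6 + len(params)) // 2, func) + params
    max_record = max((6 + len(p)) // 2 for _, p in records)
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body

# Constructed samples: a harmless file, and one carrying the flagged escape
BENIGN_WMF = build_wmf([(META_SETWINDOWORG, struct.pack("<hh", 0, 0))])
SUSPECT_WMF = build_wmf([
    (META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"\x00" * 16),  # inert placeholder data
])
```

Any hit is reason to quarantine the file for analysis, since no legitimate image has a use for an abort procedure installed from file content.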
