WMF code execution metaspoit question please?

[Isis-3]

How do you embed a code into an image? Also, where do I get the code for the "WMF code Excecutuin Vulnerbility with metasploit" ?

This is a project for a college class project. My lab partner and I will be Using the above to demonstrate the possible vulnerabilities on our own computers. We understand most of Irongeeks tutorial but are havng trouble getting started.

Thanks

[nihil]

I would suggest that you do some research into image files, their nature and functionality.

How do you embed a code into an image?

That is called "Steganography". A process where data are embedded into (generally) image or music files. There is a forum on this site about it, and there is lots of stuff on the internet, including free examples. I would suggest that you check this out and get a copy. It is quite impressive to the uninitiated and will also serve to demonstrate the difference between it and the WMF vulnerability.

Basically the Steganographic process embeds code (text) into a pre-rendered image file such as a BMP, GIF or JPG format. By analogy, you use a viewer to display the pre-rendered files just like looking at an electronic slideshow or photograph album. The "viewer" does not actually execute anything, it just opens and displays an image that already exists.

I am only aware of one malware that would exploit these pre-rendered image files. It was a POC that came out about 5 years ago. It was a bit of a cheat, as you had to load a second malware to go and find it and execute it.

WMF files are a very different kettle of fish. They do not actually contain an image, but the code or instructions to generate that image "on the fly" so to speak. The actual image is drawn when you open the WMF file.They don't have a default application, and you would typically open them in a web browser or some other application capable of executing code, because that is what they effectively are.

In this situation, it is much more easy to visualise a specially crafted WMF file being able to execute malicious instructions along with apparently "normal" ones, after all that is what a trojan horse program does is it not?

So, with a WMF file, all you have to do is insert the correct instructions and they will be executed, they are just additional lines of code.

[hjack]

Okay, just to check basics. You aware that Metasploit is a penetration testing tool. I noticed that you did not capitalize Metasploit in your post and wasn't sure if this was a grammatical error or you weren't aware that Metasploit is a specific tool.

For more info on Metasploit you can go here.


This has been a love/hate tool for the security community because of one reason. Its ease of use. When it first came out it it was only command line. With the web interface now its basically a point and hack (or crack for you PC bastards).

There are a lot of tutorials for this tool. Just Google around.

Ry

[nihil]

Hi Ryan,

The latest versions of Metasploit will support WMF vulnerabilities (2.5, or maybe 3.0?)

Here is some stuff from Irongeek on the same topic:

http://www.irongeek.com/i.php?page=videos/metasploitwmf

Isis-3 Please read the instructions..................for research only?

[Isis-3]

My thanks to both of you. Yes, this is for educational purposes. My lab partner and I will be using it on our two home computers and then wrting about it for class.

[sec_ware]

Hi

How do you embed a code into an image?

Let me comment on two well-known GDI-vulnerabilities -
and how this is related to "embed code into images".


jpg buffer overflow

About a year ago, there was a jpg buffer overflow[1] in
the GDI dll: "an image could execute arbitrary code".
How did this work?

One part of the jpg-file format is of descriptive nature.
Since the length of the description may vary, the jpg-file
itself contains the information of this length. Since the
GDI dll at that time had a flaw in the allocation of memory,
code stored in this very description could be executed.
Hence, although the "image section" of the jpg-file was
valid, the "comment section" contained the code.



wmf vulnerability

Recently, a wmf-vulnerability[2] is responsible for a lot of
heated discussions. Here, the GDI escape (gdi32.lib) function
can be misused (via SETABORTPROC[3]) - the wmf-file itself
can point to the code to be executed, which again is stored
in the wmf-file itself.

The available exploit uses Windows Picture and Fax Viewer (SHIMGVW.DLL)
as an attack vector. Disabling this functionality by unregistering the
dll removes a condition of the vulnerability, hence the exploit does
not work anymore. Still, the underlying security flaw still is available
for further exploitation (thus, patch it).



Cheers


[1] http://marc.theaimsgroup.com/?l=bugt...4346729948&w=2
[2] http://www.kb.cert.org/vuls/id/181038$
[3] http://msdn.microsoft.com/library/de...tspol_0883.asp