Code to exploit Windows graphics flaw now public

on a positive note nortons heuristic scaning picks up the jpeg that k-otik's code produces as bloodhound.exploit. rather generic but flags it none the less. i dont believe shell code can be morphed so it will take entirely new shell code that has not been not used in other exploits to get past it. im sure it'll show up but i dont think its going to be the field day they're portraying.

but then again those that dont keep up on their patching are not likely to keep their virus sigs up to date either. so once again it will be the same bunch getting slammed.

Symantec, mcafee, trend and a few others are matching on the JFIF headers of the jpegs. These can not change since it's required to cause the overflow. Still..people don't patch and don't update regularly. I expect the vector to be email that has embedded activeX controls, but there are so many possibilities.....
It should be interesting....

well ive a question , what about the people who donot want to install sp2 ?? like i ve sp 1 and do not want to move over to sp 2, is there any way to be safe from it?

Has anyone actualy gotten any of these to work ??

I've been playing with this local cmd.exe (not bound to the net) version..

Perhaps it's the:
"\xB8\x44\x80\xC2\x77" // mov eax,77c28044h (address of system() on WinXP SP1)
part that doesn't work on my Dutch WinXP SP1..

The C code was compiled with visual C++ 6.0 and executed on a Windows98 box.


I attached the resulting jpg (zipped).. it should be safe (a cmd.exe window should pop up if exploit works)
Disclaimer
The attachment shouldn't be harmfull and is uploaded for experimentation only.
I can't be held responsible for your stupidity if this actualy crashes a production server,
eats your hamster, steals your lunchmoney, creates a hole in the space time continuum
or anything else..

Quote:

---

k-otik's code produces as bloodhound.exploit.

---

tedob1, yeah i saw my norton pick it up too. Norton knows it since 14/09 it seems.

Anyway i've been playing the latest from k-otik , the ActiveX one and i have the same prob as the_jinx, namely that probably the hexcode for the GDIPLUS.DLL in Win XP NL.

I compiled it under linux and I put it in as a .jpg under my apache webserverroot. When I surf to it, it is active since Norton picks it up, but it doesn't create an extra account as it claims.
I believe its a matter of getting the right hex for the GDIPLUS.DLL. Here's a snip of its code to show you what i mean. I did had some weird actions by a win xp unpatched box but again not the account as it claims.

Code:

---

#********************************************
#Address of shellcode
#********************************************
#printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0

---

Quote:

---

well ive a question , what about the people who donot want to install sp2 ?? like i ve sp 1 and do not want to move over to sp 2, is there any way to be safe from it?

---

Apparently keep your AV up-to-date, since they seem to pick it up already. ;)

Greetz,

Quote:

---

Has anyone actualy gotten any of these to work ??

---

No. I too have tried all the POC code in the wild and so far it has been just that - POC. However, after handing the code to someone who i believe is extremely talented, I can see how quickly minor ajustments can be made and thus, the avelanch of crap will surely soon be upon us.

Yes. I was able to modify the PoC to bind a shell and create a reverse shell. But as hog mentioned the trigger in the header will be easily detectable.

-Maestr0

I'm suprised this didn't show up in articles before Wednesday. The security group that works for my company had POC code over the weekend that they were able to run and confirm that it works.. That was on Saturday. We were blocking all jpgs at our proxy and email servers over the weekend because they were expecting a virus to come out by last Sunday...

McAfee has generic protection built into their 4394 dats if you enable heuristics.. The really bad thing about this is that it can infect you even if the file is renamed to .gif or some other image extension.. If the file extension envokes the gdiplus.dll the exploit code can run, regardless of the file extension...

The GDIScan tool at http://isc.sans.org/gdiscan.php detects other files besides gdiplus.dll:

sxs.dll, wsxs.dll, mso.dll, vgx.dll

Does anyone know more details about these files? According to the morons at Microsoft, the MS04-028 vulnerability only affects gdiplus.dll. Apparently not...?

Roberto F.

This post is in response to tigersharks post posted 09-23-2004 01:31 PM where he states *• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.* It would be entirely possible to force a user to visit a malicious site. It's called a pop-up. We see them all the time. You can use a pop-up blocker or for that matter any mozilla browser to prevent this.