 MGD Premium, MVM join:2002-07-31 Fort Lauderdale, FL
| reply to Blackbird Re: Windows MetaFiles still vulnerable
I concur: two 98SE machines, one with Office 97 and one with Office 2000. Neither one will open .wmf files, nor will MS Paint open them in any format. While the quick view does display the files, it did not execute the test.wmf downloaded file. It seems that SANS' surmising of this being a "watershed moment" for 98/ME was a little early.
MGD |
|
  CyberSchnook1 Disciple of Christ Jesus Premium join:2005-08-26 USA
| reply to noway1
said by noway1 :
said by gracie :
...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.
I didn't, with XP Home SP2. Go figure.
-- O o p! I fell off the edge of the island again! |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| said by CyberSchnook1 :
said by noway1 :
said by gracie :
...LATE EDIT: wait. does this require a restart? we've done the unreg on all the xp machines, but can still open a .wmf file ok.
I needed to restart for the fix to work.
I didn't, with XP Home SP2. Go figure.
Ilfak and Steve Gibson say that it is UNnecessary to unregister the dll and recommend that you do not do so. Microsoft, on the other hand, says you should if you don't have Windows One Care. Naturally, MS would recommend unregistering the dll because they do not recognize or approve of anyone using the unofficial patch.
»castlecops.com/t143199-Is_it_sti···dll.html -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions" |
|
 johnpd Premium join:2003-11-20 Green Valley, AZ
·Cox HSI
| reply to redxii Has anyone tried the Kye-U test site for WMF?
»kyeu.info/WMF/
I am using NOD32. It was detecting the exploit Monday, but now any browser hangs when I try the test files. I am wondering if there is a problem with NOD32 after the last update. |
|
 KyeU
join:2003-12-31 Canada
| reply to redxii Version 1.14 of source code out. It randomizes almost everything now.
Room for 1740 bytes of payload.
Can anyone help explain to me ALL the mathematical functions below? (Like rand(0xffff)) I need to rewrite my Proxomitron filter for sure.
[code]
#
# WindowsMetaHeader
#
pack('vvvVvVv',
    # WORD FileType;        /* Type of metafile (1=memory, 2=disk) */
    int(rand(2))+1,
    # WORD HeaderSize;      /* Size of header in WORDS (always 9) */
    9,
    # WORD Version;         /* Version of Microsoft Windows used */
    (int(rand(2)) == 1 ? 0x0100 : 0x0300),
    # DWORD FileSize;       /* Total size of the metafile in WORDs */
    $clen/2,
    # WORD NumOfObjects;    /* Number of objects in the file */
    rand(0xffff),
    # DWORD MaxRecordSize;  /* The size of largest record in WORDs */
    rand(0xffffffff),
    # WORD NumOfParams;     /* Not Used (always 0) */
    rand(0xffff),
).
#
# Filler data
#
$pre_buff.
#
# StandardMetaRecord - Escape()
#
pack('Vvv',
    # DWORD Size;           /* Total size of the record in WORDs */
    4,
    # WORD Function;        /* Function number (defined in WINDOWS.H) */
    int(rand(256) << 8) + 0x26,
    # WORD Parameters[];    /* Parameter values passed to function */
    9,
).
$shellcode
[/code] |
|
  SpannerITWks Premium join:2005-04-22
| reply to johnpd Hi johnpd,
A few of us tried not just Kye's tests but quite a few others too. If you check back up a little in the thread you'll see them, and with screenys, which I think always helps a lot more.
I just tried to test the new additions, and the pages wouldn't load, maybe overloaded or something. I'll try again and post back with the results.
Spanner -- I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks |
|
 z12 Premium join:2004-01-26
1 edit | reply to KyeU Hi Kye-U
What it boils down to is that this rev randomizes the version number (0x0100 or 0x0300) and the last two bytes.
So this,
[%00-%02][%00][%09][%00][%00][%03]([%00-%FF]+{10})[%00][%00]
should be like so
[%00-%02][%00][%09][%00][%00]([%03]|[%01])([%00-%FF]+{12})
Also, this exploit code only uses FileType codes of 0x0100 and 0x0200 for the first two bytes. That will probably change in a later version to what you are already matching ([%00-%02]).
Mike
Edit: they also randomized the function code, but you already had that covered. |
|
 Alan_UK
join:2006-01-03 UK
2 edits | reply to Alan_UK As stated earlier, I took an image, copied and pasted it into PowerPoint, converted the single slide to WMF then renamed it to JPG (all under WinXP SP2). I also kept a copy as WMF.
I have just uploaded the 2 image files to my web site and then opened in IE6 under WinXP SP1&2. Both the real wmf and the pseudo jpg file opened, even though I have run regsvr32 /u shimgvw.dll. Most worrying.
I will keep the files on my web site for a short while:
»www.ethicalpricing.info/image.jpg
»www.ethicalpricing.info/image.wmf
Edit 2: they are now updated with 2 much smaller files of c1K. See Link Logger's thread for a more comprehensive selection of image files that run Notepad at »Windows MetaFiles still vulnerable
Edit: I have just tried under Win98 SP1 with IE5.5 and again both images display. regsvr32 /u shimgvw.dll has not been run as the shimgvw.dll does not exist on this system. 32 bit fax s/w (32bf.exe) can no longer be found. |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| Geez...IE is something else. I just tried your files on both Fx and IE on XP Pro SP1 on a PATCHED system and on the same OS on an unpatched system. I have not unregistered the dll on either box, just applied the patch on one.
On both computers Fx gave me a torn image on the first file and gobbledygook on the second.
IE, on both computers, Patched and Unpatched, opened both files. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions" |
|
 Alan_UK
join:2006-01-03 UK
| said by Mele20 :
On both computers Fx gave me a torn image on the first file and gobbledygook on the second.
I've just tried Firefox on Win98 SP1 with FF1.0.4 and WinXP SP1&2 FF1.5. Almost the same results on both PCs:
For the WMF I'm prompted for an application. Choose MS Paint: on Win98 failed to open ("Paint cannot read this file. This is not a valid bitmap file or its format is not currently supported"). On XP Paint opened OK.
For the JPG file (the WMF renamed) FF says "The image [url] cannot be displayed, because it contains errors".
Alan |
|
  SpannerITWks Premium join:2005-04-22
1 edit | Hi,
I see both images in IE v6 on 98SE. I DL'd the WMF + renamed it to .JPG, this is what I get when I DC it -
click OK and XnView launches with NO image.
My Renamed pic is in the ZIP
Spanner -- I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks |
|
 Alan_UK
join:2006-01-03 UK
| I d/l your zip file and opened it (I'm trusting you 
IrfanView says it's a WMF and would I like it renamed. Replied No and then IrfanView displays OK. I wonder if IrfanView has its own WMF engine or simply calls the Windows graphics engine to decode.
Alan (going off line now) |
|
  SpannerITWks Premium join:2005-04-22
| Yes thanx, it's 100% Safe !
Well here's something a bit strange. I examined the headers from both your pics and my Renamed one. They ALL look the same to me ! Did you maybe actually Convert the - image.wmf to image.jpg, rather than rename it ?
-
These are the headers from the pics -
image.jpg -
[code]
0000: D7 CD C6 9A 00 00 00 00 00 00 7A 16 DA 10 40 02  ..........z...@.
0010: 00 00 00 00 F1 53 01 00 09 00 00 03 AE 09 07 00  .....S..........
0020: 06 00 22 08 07 00 00 00 11 00 00 00 26 06 0F 00  ..".........&...
0030: 18 00 FF FF FF FF 00 00 10 00 00 00 00 00 00 00  ................
0040: 00 00 7A 16 00 00 DA 10 00 00 09 00 00 00 26 06  ..z...........&.
0050: 0F 00 08 00 FF FF FF FF 02 00 00 00 17 00 00 00  ................
0060: 26 06 0F 00 23 00 FF FF FF FF 04 00 1B 00 54 4E  &...#.........TN
0070: 50 50 14 00 C8 F0 00 30 00 00 00 00 14 00 00 00  PP.....0........
0080: 94 0E 8B 00 00 00 00 00 00 00 0A 00 00 00 26 06  ..............&.
0090: 0F 00 0A 00 54 4E 50 50 00 00 02 00 F4 03 09 00  ....TNPP........
00A0: 00 00 26 06 0F 00 08 00 FF FF FF FF 03 00 00 00  ..&.............
00B0: 0F 00 00 00 26 06 0F 00 14 00 54 4E 50 50 04 00  ....&.....TNPP..
00C0: 0C 00 01 00 00 00 01 00 00 00 00 00 00 00 05 00  ................
00D0: 00 00 0B 02 00 00 00 00 05 00 00 00 0C 02 DA 10  ................
00E0: 7A 16 05 00 00 00 04 01 0D 00 00 00 07 00 00 00  z...............
00F0: FC 02 00 00 FF FF FF 00 00 00 04 00 00 00 2D 01  ..............-.
[/code]
-
image.wmf -
[code]
0000: D7 CD C6 9A 00 00 00 00 00 00 7A 16 DA 10 40 02  ..........z...@.
0010: 00 00 00 00 F1 53 01 00 09 00 00 03 AE 09 07 00  .....S..........
0020: 06 00 22 08 07 00 00 00 11 00 00 00 26 06 0F 00  ..".........&...
0030: 18 00 FF FF FF FF 00 00 10 00 00 00 00 00 00 00  ................
0040: 00 00 7A 16 00 00 DA 10 00 00 09 00 00 00 26 06  ..z...........&.
0050: 0F 00 08 00 FF FF FF FF 02 00 00 00 17 00 00 00  ................
0060: 26 06 0F 00 23 00 FF FF FF FF 04 00 1B 00 54 4E  &...#.........TN
0070: 50 50 14 00 C8 F0 00 30 00 00 00 00 14 00 00 00  PP.....0........
0080: 94 0E 8B 00 00 00 00 00 00 00 0A 00 00 00 26 06  ..............&.
0090: 0F 00 0A 00 54 4E 50 50 00 00 02 00 F4 03 09 00  ....TNPP........
00A0: 00 00 26 06 0F 00 08 00 FF FF FF FF 03 00 00 00  ..&.............
00B0: 0F 00 00 00 26 06 0F 00 14 00 54 4E 50 50 04 00  ....&.....TNPP..
00C0: 0C 00 01 00 00 00 01 00 00 00 00 00 00 00 05 00  ................
00D0: 00 00 0B 02 00 00 00 00 05 00 00 00 0C 02 DA 10  ................
00E0: 7A 16 05 00 00 00 04 01 0D 00 00 00 07 00 00 00  z...............
00F0: FC 02 00 00 FF FF FF 00 00 00 04 00 00 00 2D 01  ..............-.
[/code]
-
Renamed-WMF by me -
[code]
0000: D7 CD C6 9A 00 00 00 00 00 00 7A 16 DA 10 40 02  ..........z...@.
0010: 00 00 00 00 F1 53 01 00 09 00 00 03 AE 09 07 00  .....S..........
0020: 06 00 22 08 07 00 00 00 11 00 00 00 26 06 0F 00  ..".........&...
0030: 18 00 FF FF FF FF 00 00 10 00 00 00 00 00 00 00  ................
0040: 00 00 7A 16 00 00 DA 10 00 00 09 00 00 00 26 06  ..z...........&.
0050: 0F 00 08 00 FF FF FF FF 02 00 00 00 17 00 00 00  ................
0060: 26 06 0F 00 23 00 FF FF FF FF 04 00 1B 00 54 4E  &...#.........TN
0070: 50 50 14 00 C8 F0 00 30 00 00 00 00 14 00 00 00  PP.....0........
0080: 94 0E 8B 00 00 00 00 00 00 00 0A 00 00 00 26 06  ..............&.
0090: 0F 00 0A 00 54 4E 50 50 00 00 02 00 F4 03 09 00  ....TNPP........
00A0: 00 00 26 06 0F 00 08 00 FF FF FF FF 03 00 00 00  ..&.............
00B0: 0F 00 00 00 26 06 0F 00 14 00 54 4E 50 50 04 00  ....&.....TNPP..
00C0: 0C 00 01 00 00 00 01 00 00 00 00 00 00 00 05 00  ................
00D0: 00 00 0B 02 00 00 00 00 05 00 00 00 0C 02 DA 10  ................
00E0: 7A 16 05 00 00 00 04 01 0D 00 00 00 07 00 00 00  z...............
00F0: FC 02 00 00 FF FF FF 00 00 00 04 00 00 00 2D 01  ..............-.
[/code]
-
Dunno about what IrfanView would do !
Spanner -- I Only Know What I Know But I'm Learning all The Time - Stay Safe - Spanner intheWorks/SpannerITWks |
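An added example, not code from any poster here and not the Metasploit module: a small Python triage script that pulls together three things this thread has been circling. It classifies a file by its header bytes rather than its name (the image.jpg and image.wmf dumps above are byte-identical, which is why renaming changed nothing for IE), it walks the records using the header layout in the pack('vvvVvVv') fragment Kye-U quoted, and it reports Escape records by their escape subcode, which is what z12's filter pattern is really after: the exploit record is Escape (low byte 0x26, high byte randomized) with parameter 9 (SETABORTPROC). Sample 1 is the image.wmf dump posted above, first 256 bytes exactly as posted; its six Escape records all carry subcode 15 (MFCOMMENT, which Office writes for comments), so a filter that fires on "26 06" alone would flag this harmless PowerPoint output, while one that checks the subcode does not. Samples 2 and 3 are constructed: the record contents, the zeroed tail, and the 0x37 high byte standing in for the randomized value are my assumptions, and every function and constant name is mine.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # "D7 CD C6 9A" on disk: Aldus placeable header (22 bytes)
META_ESCAPE_LOW = 0x26       # low byte of the Escape() function number 0x0626
ESC_SETABORTPROC = 9         # escape subcode the exploit sets (the '9' in pack('Vvv', ...))
ESC_MFCOMMENT = 15           # escape subcode Office writes for embedded comments

# Sample 1: the image.wmf dump posted above, first 256 bytes exactly as posted.
POSTED_DUMP = bytes.fromhex(
    "D7 CD C6 9A 00 00 00 00 00 00 7A 16 DA 10 40 02"
    "00 00 00 00 F1 53 01 00 09 00 00 03 AE 09 07 00"
    "06 00 22 08 07 00 00 00 11 00 00 00 26 06 0F 00"
    "18 00 FF FF FF FF 00 00 10 00 00 00 00 00 00 00"
    "00 00 7A 16 00 00 DA 10 00 00 09 00 00 00 26 06"
    "0F 00 08 00 FF FF FF FF 02 00 00 00 17 00 00 00"
    "26 06 0F 00 23 00 FF FF FF FF 04 00 1B 00 54 4E"
    "50 50 14 00 C8 F0 00 30 00 00 00 00 14 00 00 00"
    "94 0E 8B 00 00 00 00 00 00 00 0A 00 00 00 26 06"
    "0F 00 0A 00 54 4E 50 50 00 00 02 00 F4 03 09 00"
    "00 00 26 06 0F 00 08 00 FF FF FF FF 03 00 00 00"
    "0F 00 00 00 26 06 0F 00 14 00 54 4E 50 50 04 00"
    "0C 00 01 00 00 00 01 00 00 00 00 00 00 00 05 00"
    "00 00 0B 02 00 00 00 00 05 00 00 00 0C 02 DA 10"
    "7A 16 05 00 00 00 04 01 0D 00 00 00 07 00 00 00"
    "FC 02 00 00 FF FF FF 00 00 00 04 00 00 00 2D 01"
)


def wmf_kind(data):
    """Classify by content only; the file name is never consulted."""
    if len(data) >= 22 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        return 'placeable'
    if len(data) >= 18:
        ftype, hsize, ver = struct.unpack_from('<HHH', data, 0)
        if ftype in (1, 2) and hsize == 9 and ver in (0x0100, 0x0300):
            return 'standard'
    return None


def iter_records(data):
    """Yield (offset, function, params) per record.  Stops at the EOF record
    (function 0), at a zero-size record, or when a record runs past the end
    of a truncated buffer (the posted dump stops at 256 bytes)."""
    kind = wmf_kind(data)
    if kind is None:
        raise ValueError('no WMF header')
    off = (22 if kind == 'placeable' else 0) + 18   # skip the 9-WORD standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        size = size_words * 2
        if func == 0 or size < 6:
            break
        end = min(off + size, len(data))   # clip a record that overruns the buffer
        yield off, func, data[off + 6:end]
        if end < off + size:
            break
        off = end


def escape_subcodes(data):
    """(offset, subcode) for every Escape record; the high byte of the function
    number is ignored because the generator randomizes it."""
    out = []
    for off, func, params in iter_records(data):
        if (func & 0xFF) == META_ESCAPE_LOW and len(params) >= 2:
            out.append((off, struct.unpack_from('<H', params, 0)[0]))
    return out


def find_setabortproc(data):
    """Offsets of Escape records whose subcode is SETABORTPROC."""
    return [off for off, sub in escape_subcodes(data) if sub == ESC_SETABORTPROC]


def build_standard_wmf(records):
    """Constructed standard (non-placeable) WMF around the given records, with
    the field order of the pack('vvvVvVv') fragment quoted in the thread."""
    body = b''.join(records)
    largest = max((len(r) // 2 for r in records), default=0)
    hdr = struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2, 0, largest, 0)
    return hdr + body


# Sample 2 (constructed): one Escape/SETABORTPROC record followed by 16 zero
# bytes standing in for whatever the generator appends; 0x37 is an assumed
# value for the randomized high byte.
CONSTRUCTED_SUSPECT = build_standard_wmf([
    struct.pack('<IHH', 4, (0x37 << 8) | META_ESCAPE_LOW, ESC_SETABORTPROC) + b'\x00' * 16,
])

# Sample 3 (constructed): a SETWINDOWEXT record and an EOF record, nothing else.
CONSTRUCTED_BENIGN = build_standard_wmf([
    struct.pack('<IHHH', 5, 0x020C, 0x10DA, 0x167A),
    struct.pack('<IH', 3, 0x0000),
])


def triage(data, name):
    """One-line verdict for a buffer, used by the demo below."""
    kind = wmf_kind(data)
    if kind is None:
        return f'{name}: not a WMF'
    recs = list(iter_records(data))
    hits = find_setabortproc(data)
    return f'{name}: {kind} WMF, {len(recs)} records, SETABORTPROC at {hits or "none"}'


if __name__ == '__main__':
    for name, data in (('posted image.wmf', POSTED_DUMP),
                       ('constructed suspect', CONSTRUCTED_SUSPECT),
                       ('constructed benign', CONSTRUCTED_BENIGN)):
        print(triage(data, name))
```

The walker clips rather than rejects a record that overruns the buffer, because the posted dump is cut at 256 bytes in the middle of a SelectObject record; a scanner that bails on the first short record would report nothing about a truncated sample.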
|
 Alan_UK
join:2006-01-03 UK
| They ALL look the same to me ! Did you maybe actually Convert the - image.wmf to image.jpg, rather than rename it ?
No. I created the wmf, then took a copy in Explorer, then renamed the wmf to jpg in a DOS window, then renamed the "copy of" back to the original name. So that's why they are the same, because they came from the same file! |
|
  SpannerITWks Premium join:2005-04-22
| I just renamed your WMF again Twice to JPG + got exactly the same headers !!!
Spanner |
|
 astirusty Premium join:2000-12-23 Henderson, NV
·AT&T Southwest
| reply to Sysadmin
said by Sysadmin :
» www.microsoft.com/technet/securi···840.mspx
quote: Microsoft Security Advisory (912840)
Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.
This sounds reasonable at first, but if I were a CIO or CEO, I would not be pleased about having to run an organization's computers for 12 days (now 6 days) without a temporary patch (or even the currently being tested patch), with such a serious exploit. I would rather my people test the temporary patch on several internal systems, then deploy the temporary patch -- than run without anything knowing the risks. Risks being it only takes one variant to get past av scanning mixed with one employee clicking on something they shouldn't (the latter being pretty much a given). |
|
 RobertLudlum
join:2005-01-20 656456
| reply to Mele20
said by Mele20 :
Interesting that Windows One Care is protecting heuristically but only protects XP SP2.
Processguard 3.2
Ilfak Guilfanov's patch
Add it to the list of things that don't work on XP SP1 |
|
  ZOverLord Premium join:2003-10-20 Minneapolis, MN
4 edits | reply to redxii Suggestion,
There is NO WAY I would run ADMIN right now and be browsing the WEB!
I created these because I THINK versions people are testing with MAY NOT be created from the most recent Metasploit version which is 1.14, so using these will make sure you are protected from the most CURRENT version.
As they release versions, I will make new ones so we can be on top of them and have ways to test their most recent releases of this JUNK!
These files were created with the latest version 1.14 of the exploit.
I have created a zip file to demonstrate just how EVIL this stuff can be and HOW it can launch commands silently in the background. This example simply launches notepad silently; however, because I try to OPEN a file that does not exist called "text.txt", you can see it because it fails to open that file.
This is what ALL these files do: they launch NOTEPAD and attempt to OPEN text.txt. (This is done because I want people to see that it is in the background; otherwise, NOTEPAD would simply be in your Task List using your task manager. By trying to OPEN a file called "text.txt" it prompts you, yet you see NO NOTEPAD window.)
If anyone can THINK of any other file types let me know but the zip file contains these for now:
notepad.bmp notepad.gif notepad.jpeg notepad.jpg notepad.png notepad.tiff notepad.wmf
They are ALL the same file simply copied as each file extension and are 15k big
The Zip file containing them is located at:
»testing.OnlyTheRightAnswers.com/···loit.zip
If anyone can think of any other file extensions, let me know and I will add them to the zip file.
If ANY of these create a notepad entry in your task list or Prompt with a message box titled "Notepad" that says "Cannot find text.txt file Do you want to create a new file" then you are NOT protected from this exploit no matter WHAT your A/V says.
NOTE: You need to MANUALLY do an "End Process" using task manager for ANY Notepad that does start. Do NOT answer yes to create "text.txt"; answer NO or click the Cancel button if prompted, because once the file is created, it won't prompt and Notepad will start SILENTLY.
If you did accidentally click yes and created "text.txt" go to your Documents and settings\USER\ folder and delete text.txt -- Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
 vugo
join:2006-01-03
| Hi folks, I heard rumors about an automated tool to create a .WMF file with your own shellcode. The apparent name of the tool is "WMF Maker". Anybody here have details about it? If somebody here really has an automated tool, please post some link (take care with SKs). Regards... Igor Marcel - Vugo Verbal Killer (VUGO), (vugo"at"hotmail.com) Information Security Consultant "Linux is modism, BSD is a life style!" |
|
  heels_fan 1.20.09 The start of Socialism Premium join:2003-02-07 Columbia, TN
| reply to ZOverLord
said by ZOverLord :
Suggestion, There is NO WAY I would run ADMIN right now and be browsing the WEB! These files were created with the latest version 1.14 of the exploit. I have created a zip file to demonstrate just how EVIL this stuff can be and HOW it can launch commands silently in the background. This example simply launches notepad silently, however because I try to OPEN a file that does not exist called "text.txt" you can see it because it fails to open that file. This is what ALL these files do, they launch NOTEPAD and attempt to OPEN text.txt (This is done because I want people to see that it is in the background, otherwise, NOTEPAD would simply be in your Task List using your task manager. By trying to OPEN a file called "text.txt" it prompts you, yet you see NO NOTEPAD window.) If anyone can THINK of any other file types let me know but the zip file contains these for now: notepad.bmp notepad.gif notepad.jpeg notepad.jpg notepad.png notepad.tiff notepad.wmf They are ALL the same file simply copied as each file extension and are 15k big. The Zip file containing them is located at: » testing.OnlyTheRightAnswers.com/···loit.zip If anyone can think of any other file extensions, let me know and I will add them to the zip file. If ANY of these create a notepad entry in your task list or Prompt with a message box titled "Notepad" that says "Cannot find text.txt file Do you want to create a new file" then you are NOT protected from this exploit no matter WHAT your A/V says. NOTE: You need to MANUALLY do an "End Process" using task manager for ANY Notepad that does start.
When I try to open your files, IrfanView pops up with an error message stating that: "Cant read file header! Unknown file format!"
-- "Independent thinkers tend to ALWAYS have someone not agreeing with them. It's the non-thinkers that always come in legions." -John Callari |
|