Irongeek

Counter WMF Exploit with the WMF Exploit

10 posts in this topic

I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. Clicking the link may run code on your computer or crash your browser if you are using IE so click with caution:

http://www.irongeek.com/i.php?page=security/counterwmf

More of a fun experiment than anything.

If you run "regsvr32 -u shimgvw.dll" to counter the exploit, then what do you do to set this back to the way it was before you did this, say when MS releases an official patch for it?

This:

regsvr32 shimgvw.dll

OK, cool. I didn't want to do it unless there was an easy way to go back to the way it was.

Alternatively: If you use the Kerio firewall as I do, you can go here to download an updated bad-traffic.rlk file which will block out the whole malicious WMF thing.

http://castlecops.com/p687296-.html#687296

Or you can append this to your current bad-traffic.rlk file:

alert ip any any -> any any (msg:"COMPANY-LOCAL WMF Exploit"; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; sid:2005122802; classtype:attempted-user; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit"; flow:established,from_server; content:"|01 00 09 00 00 03|"; depth:500; content:"|00 00|"; distance:10; within:12; content:"|26 06 09 00|"; within:5000; classtype:attempted-user; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002733; rev:1;)

(Each rule is a single line; the hex byte strings are written in Snort's |..| notation, which the rule syntax requires for binary content.)

Source: http://www.securityfocus.com/archive/1/420556

Edited by Seal

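
The second rule above works because of what those bytes mean in the file format: `01 00 09 00 00 03` is the start of a standard WMF header (type 1, header size 9 words, version 3.0), the `00 00` ten bytes later is the header's always-zero NumberOfMembers field, and `26 06 09 00` is a META_ESCAPE record (function 0x0626) whose escape sub-function is 9, SETABORTPROC, the callback the exploit abuses. The following is an added example, not part of Seal's post or of the rule sources it cites: a small WMF record parser that flags Escape/SETABORTPROC records, next to a Python approximation of the rule's content/distance/within checks, run over two constructed metafiles. The sample files, helper names and the record layout assumed for the benign file are the example's own; the Escape record carries only zero bytes, so there is nothing executable in it.

```python
import struct

# WMF constants (Windows Metafile format / wingdi.h)
META_ESCAPE = 0x0626      # record function: Escape
META_EOF = 0x0000         # last record of every metafile
META_SETMAPMODE = 0x0103  # an ordinary drawing record, used for the benign sample
SETABORTPROC = 9          # Escape sub-function that registers a callback; the
                          # one abused by the exploit discussed in this thread


def build_wmf(records):
    """Assemble a standard (non-placeable) WMF from (function, params) pairs.

    Constructed test data only. Sizes are in 16-bit words, as the format requires.
    """
    body = b""
    max_words = 0
    for func, params in records:
        if len(params) % 2:
            raise ValueError("record parameters must be word aligned")
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, func) + params
    total_words = (18 + len(body)) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects,
    # MaxRecord, NumberOfMembers (always 0)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 1, max_words, 0)
    return header + body


def parse_wmf_records(data):
    """Yield (offset, function, params) for each record of a standard WMF."""
    if len(data) < 18:
        raise ValueError("too short for a WMF header")
    wmf_type, header_size = struct.unpack_from("<HH", data, 0)
    if wmf_type not in (1, 2) or header_size != 9:
        raise ValueError("not a standard WMF header")
    off = 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError("malformed record size at offset %d" % off)
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_setabortproc(data):
    """Return offsets of Escape records whose sub-function is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            escape_func = struct.unpack_from("<H", params, 0)[0]
            if escape_func == SETABORTPROC:
                hits.append(off)
    return hits


def snort_like_match(data):
    """Approximate the byte checks of the second rule (sid 2002733).

    content:"|01 00 09 00 00 03|"; depth:500   -> WMF header in the first 500 bytes
    content:"|00 00|"; distance:10; within:12  -> NumberOfMembers, 10 bytes past the
                                                  end of the first match
    content:"|26 06 09 00|"; within:5000       -> META_ESCAPE + SETABORTPROC
    """
    i = data.find(bytes.fromhex("010009000003"), 0, 500)
    if i < 0:
        return False
    window = i + 6 + 10
    j = data.find(b"\x00\x00", window, window + 12)
    if j < 0:
        return False
    return data.find(bytes.fromhex("26060900"), j + 2, j + 2 + 5000) >= 0


# Constructed samples (not real files from the wild): a benign metafile with one
# drawing record, and one carrying an Escape/SETABORTPROC record whose escape
# data is eight inert zero bytes, so the detection logic has something to find.
BENIGN_SAMPLE = build_wmf([
    (META_SETMAPMODE, struct.pack("<H", 1)),
    (META_EOF, b""),
])
SUSPICIOUS_SAMPLE = build_wmf([
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
    (META_EOF, b""),
])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        funcs = [hex(f) for _off, f, _p in parse_wmf_records(sample)]
        print(name, "records:", funcs,
              "SETABORTPROC at:", find_setabortproc(sample),
              "rule-style match:", snort_like_match(sample))
```

The parser-based check is the more robust of the two: the network rule keys on the header prefix plus fixed byte distances, so a file with a placeable (Aldus) header in front, or an Escape record further than 5000 bytes in, slips past it, while walking the records catches the SETABORTPROC escape wherever it sits. Either way, an Escape/SETABORTPROC record has no business in an image a browser is asked to display, which is why both the rules above and the shimgvw.dll workaround target that one construct.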
If you run "regsvr32 -u shimgvw.dll" to counter the exploit, then what do you do to set this back to the way it was before you did this, say when MS releases an official patch for it?

Microsoft is also telling people to do this as a temporary measure. I'm sure that when an official patch is released they'll check to see if you have unregistered the DLL and just re-register it.

But be aware that if you use Mozilla this might actually break certain things (according to SANS: PDF)

Better to install the unofficial patch.

I'm getting a 404.

Does it have anything to do with the fact that I use Linux?

Well, the patch is for Windows, but I can access all the pages just fine with my Linux machine.

I'm just countering the exploit by using Fedora Core :)