WMF Exploit Round two…

On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xforce, together with a anonymous source.
The exploit generates files:

  • with a random size;
  • no .wmf extension, (.jpg), but could be any other image extension actually;
  • a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
  • a number of possible calls to run the exploit are listed in the source;
  • a random trailer

From a number of scans we did through
virustotal, we can safely conclude there is currently no anti-virus
signature working for it. Similarly it is very unlikely any of the
current IDS signatures work for it.

Judging from the source
code, it will likely be difficult to develop very effective signatures
due to the structures of the WMF files.

Wishing all windows machines a happy New Year, with a bit fewer nasty exploits.

this upsets all defenses people have in place we voted to go to yellow
in order to warn the good guys out there they need to review their

From SANS Internet Storm Center.  F-Secure has blogged that the first WMF worm is in the wild.  Here's the post on Full Disclosure:

We just released a new version of the Metasploit Framework exploit module
for the Escape/SetAbortFunc code execution flaw. This module now pads the
Escape() call with random WMF records. You may want to double check your
IDS signatures — most of the ones I saw today could be easily bypassed

or will false positive on valid graphic files.

Available via msfupdate, the 2.5 snapshot, or straight from the web site:


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek. http://linkedin.com/in/xavierashe

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s