The source code claims to be made by the folks at Metasploit and X-Force, together with an anonymous source.
The exploit generates files:
- with a random size;
- with no .wmf extension (it uses .jpg), but any other image extension would work just as well;
- with a random piece of junk in front of the bad call, crafted to be larger than the MTU of an Ethernet network;
- a number of possible calls to run the exploit are listed in the source;
- with a random trailer.
From a number of scans we did through VirusTotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly, it is very unlikely any of the current IDS signatures work for it.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of WMF files.
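As an added illustration of why a structural check beats a fixed byte pattern here (this is not code from the diary or from the Metasploit module): a small record walker that flags an Escape/SetAbortProc record wherever it sits in the WMF record chain, regardless of the file extension or of how many padding records precede it. The record function numbers (Escape = 0x0626, SetAbortProc = 9) are the standard WMF values; the sample files are constructed, contain only zero-filled escape data, and are used only to exercise the walker.

```python
import struct

META_ESCAPE = 0x0626         # WMF record function: Escape()
SETABORTPROC = 0x0009        # Escape sub-function the exploit abuses
META_EOF = 0x0000
META_SETMAPMODE = 0x0103     # harmless record used here as padding
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte Aldus placeable header

def find_setabortproc(data: bytes) -> list:
    """Walk the WMF record chain and return the byte offsets of every
    Escape record whose sub-function is SetAbortProc. Works on raw
    content, so the file extension (.jpg or otherwise) is irrelevant."""
    pos = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22                                  # skip placeable header
    if len(data) < pos + 18:
        return []
    file_type, header_words = struct.unpack_from("<HH", data, pos)
    if file_type not in (1, 2) or header_words != 9:
        return []                                 # not a WMF header
    pos += 18
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:    # malformed or end of chain
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2                     # sizes are in 16-bit words
    return hits

def wmf_record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(with_abortproc: bool, pad_records: int, placeable: bool = False) -> bytes:
    """Constructed test file (not a real exploit): header, `pad_records`
    harmless records, optionally an Escape/SetAbortProc record with
    zero-filled data, then EOF."""
    body = wmf_record(META_SETMAPMODE, struct.pack("<H", 8)) * pad_records
    if with_abortproc:
        body += wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + bytes(4))
    body += wmf_record(META_EOF, b"")
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    prefix = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) if placeable else b""
    return prefix + header + body

if __name__ == "__main__":
    for pad in (0, 5, 40):   # padding moves the record; the walker still finds it
        print(pad, find_setabortproc(build_sample(True, pad)))
```

The offset of the flagged record changes with the amount of padding, which is exactly what defeats an offset- or pattern-based signature; the walker does not care.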
Wishing all Windows machines a happy New Year, with a few fewer nasty exploits.
this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their
We just released a new version of the Metasploit Framework exploit module for the Escape/SetAbortFunc code execution flaw. This module now pads the Escape() call with random WMF records. You may want to double check your IDS signatures — most of the ones I saw today could be easily bypassed or will false positive on valid graphic files.
Available via msfupdate, the 2.5 snapshot, or straight from the web site: