Windows WMF exploit and Metasploit
If you've had your head in the sand since the holidays, you probably haven't heard about the Windows Metafile (WMF) vulnerability. Apparently there have already been WMF exploits travelling in the wild.
In the interest of trying to construct a WMF exploit that we could use in the NetReg security check, I spent a few hours last night with Metasploit.
Turns out it's not so easy - at least for me. Metasploit is a framework for quickly pairing an exploit (the code that breaks into a system) with a payload (the code you want the exploited machine to run once the exploit lands). Because the WMF exploit requires user interaction from a browser, the module starts up a little HTTP server that serves the booby-trapped WMF. You point the target's browser at Metasploit, and it tries to take over the machine:
* On a fresh install of Windows XP SP2, the exploit does seem to run - IE fires up the "Windows Picture and Fax Viewer" when trying to view a WMF with the exploit in it. There is a pause of a few seconds, and then the user gets the normal "foo had a problem" dialog:

Clearly, the exploit is working partially - it crashed WPFV, so there's something there. But the machine didn't get taken over: I didn't get a reverse shell, it didn't run the command, it didn't download and run the EXE I had specified; whatever the particular payload I had selected was supposed to do, it didn't happen.
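Whether or not a given payload fires, the thing that reaches the client is the WMF file itself, so the check a NetReg-style scan (or a mail/web gateway) can make is on the file rather than on the outcome. The following is an added example, not code from the original post or from Metasploit: a small Python parser that walks a WMF file's records and flags any META_ESCAPE record whose escape sub-function is SETABORTPROC, which is the record the WMF exploits of this period go through. The record layout and constants are from the Windows Metafile format; the sample files are constructed inside the block, and the escape payload is filler bytes, not shellcode.

```python
"""Flag WMF files that carry a SETABORTPROC escape record.

Added example, not code from the original post or from Metasploit. The WMF
layout (optional 22-byte placeable header, 18-byte standard header, then
records of rdSize-in-words / rdFunction / params) and the META_ESCAPE and
SETABORTPROC values are from the Windows Metafile format. The sample files
below are constructed here; the escape payload is filler, not shellcode.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header key, little-endian DWORD
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_RECTANGLE = 0x041B
META_ESCAPE = 0x0626
SETABORTPROC = 9               # Escape sub-function abused by the WMF exploits


def parse_wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF blob.

    Raises ValueError on a truncated header or on a record whose size field
    is impossible (fewer than the 3 words of the record header itself); a
    scanner should treat a malformed file as suspicious rather than clean.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _mt_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != 9:
        raise ValueError("unexpected mtHeaderSize %d" % header_words)
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("bad record size %d at offset %d" % (size_words, off))
        end = off + size_words * 2                 # params may be truncated at EOF
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data):
    """Return [(record_offset, declared_byte_count), ...] per SETABORTPROC escape."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count))
    return hits


def build_wmf(records, placeable=False):
    """Build a minimal WMF from (function, params) pairs. Test fixture only."""
    recs = []
    for func, params in records:
        if len(params) % 2:
            raise ValueError("params must be word-aligned")
        recs.append(struct.pack("<IH", (6 + len(params)) // 2, func) + params)
    recs.append(struct.pack("<IH", 3, META_EOF))
    body = b"".join(recs)
    max_words = max(len(r) // 2 for r in recs)
    # mtType=1 (memory), mtHeaderSize=9 words, version 3.0, mtSize in words,
    # mtNoObjects=0, mtMaxRecord, mtNoParameters=0
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    if placeable:
        # key, handle, bbox (left, top, right, bottom), inch, reserved, checksum (left zero)
        header = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


# Constructed fixtures: a harmless drawing, and the same drawing plus a
# SETABORTPROC escape carrying 16 bytes of filler (0x41), behind a placeable header.
BENIGN_RECORDS = [
    (META_SETMAPMODE, struct.pack("<H", 8)),                  # MM_ANISOTROPIC
    (META_RECTANGLE, struct.pack("<hhhh", 90, 90, 10, 10)),
]
BENIGN_WMF = build_wmf(BENIGN_RECORDS)
ABORTPROC_WMF = build_wmf(
    BENIGN_RECORDS + [(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16)],
    placeable=True,
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("setabortproc", ABORTPROC_WMF)):
        print(name, len(blob), "bytes ->", find_setabortproc(blob) or "clean")
```

Two caveats for using this as a real check: the parser deliberately stops and raises on an impossible record size instead of skipping it, since a file that trips the parser is worth a second look, and the escape record is flagged on its sub-function alone, so a legitimate metafile that happens to contain a SETABORTPROC escape (rare in an image) would be flagged too.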
Maybe this is why we haven't yet seen lots of machines getting taken over by malware using this exploit. It's not straightforward for script kiddies.