Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

WMF browser-ish exploit vectors

from [Evans, Arian] Network Security [Permanent Link]
Subject: WMF browser-ish exploit vectors
Date: Thu, 29 Dec 2005 15:10:19 -0600 
Here, let's make the rendering issue simple:

Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.

Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.

Stocking Stuffer Sploit-use Samples:

http://sharepoint2003/bizdir/your_custom_folder_icon.jpg

http://yourcorp_web_based_DMS/surprise_not_a.doc

etc.

For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:

http://www.anachronic.com/xss/

Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your hearts content. <obvious>

http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg

and

http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf

and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>

You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.

Merry Metafiling,

-ae
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • WMF browser-ish exploit vectors, Evans, Arian <=
Previous by Date:  Yahoo mail Cross Site Scripting vulnerability, simo
Next by Date:  RE: WMF Exploit, Bill Busby
Previous by Thread:  WTF??, veil_of_darkness
Next by Thread:  [KAPDA::#18] - WebWiz Products SQL Injection, advisory
Indexes:  [Date] [Thread] [Top] [All Lists]