Re: Someone wasted a nice bug on spyware...

[H D Moore <fdlist () digitaloffense net>]

On Wednesday 28 December 2005 19:16, Nick FitzGerald wrote:
> The fact it was used for installing spyware (and may have been so for
> near on two weeks now) simply shows you where the money is these days.

Its a sad state of affairs when $19.95 crapware scams make more money than 
cleaning out a few bank/egold/epoker accounts.

Since WMF/EMF is basically raw access to the GDI API, expect to see quite 
a few of these bugs. For the curious:

- http://msdn.microsoft.com/library/en-us/gdi/metafile_250z.asp

For anyone using the Metasploit module (aka crappy wrapper around the 
original file), keep in mind that for the exploit to work, you need to 
request a path from the attacking system path ending in .wmf (or .tiff, 
or .emf, or ...). The exploit has been tested against non-english 
versions of Windows as well (Polish, Spanish, a few others) and works 
just fine as long as DEP is turned off.

-HD
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/