Metasploit mailing list archives

WMF: New Metasploit Framework Module


From: cbyrd01 at gmail.com (Chris Byrd)
Date: Sat, 31 Dec 2005 10:22:29 -0600

Just for discussion, what is the purpose behind releasing an exploit
module for an IDS-evading 0day exploit?

I guess what I'm really asking is what is the intended use of
Metasploit and exploits such as this?  As a pen-tester, I don't see a
value in pointing out that I got user access using a 0day - if the
client can't do anything about it.

As for an IDS education or testing tool, wouldn't it be more effective
to release snort signatures that correctly identify the exploit code,
at least in conjunction with this module?

I hope I don't sound like a jerk; it's not my intention.  I've used
Metasploit for pen-testing, IDS testing, and demonstrations, and I
really appreciate your efforts with it.  The development effort,
especially on msf3 using Ruby, is truly impressive.

Thanks,

Chris


On 12/31/05, H D Moore <hdm at metasploit.com> wrote:
We just released a new version of the Metasploit Framework exploit module
for the Escape/SetAbortFunc code execution flaw. This module now pads the
Escape() call with random WMF records. You may want to double check your
IDS signatures -- most of the ones I saw today could be easily bypassed
or will false positive on valid graphic files.

Available via msfupdate, the 2.5 snapshot, or straight from the web site:
http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

-HD
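The point HD makes above, that signatures keyed to a fixed byte offset are defeated by random padding records while loose byte patterns false-positive on ordinary graphics, is easier to see against a structure-aware check. The following is an added example written for this archive page; it is not code from the Metasploit module, from HD Moore, or from any IDS vendor. It walks the WMF record stream (18-byte METAHEADER, optionally preceded by the 22-byte placeable header; each record is a DWORD size in 16-bit words, a WORD function number, then parameters) and flags only Escape records (function 0x0626) whose escape code is SETABORTPROC (9). The two sample files, the padding generator, the filler bytes inside the Escape record and the `naive_first_record_check` function modelling a fixed-offset signature are all constructed for this example.

```python
import random
import struct
from typing import Iterator, List, Tuple

# WMF function numbers and escape code, as documented in the Windows Metafile format.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_SETWINDOWORG = 0x020B
META_SETWINDOWEXT = 0x020C
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # the Escape sub-function discussed in the thread
PLACEABLE_KEY = 0x9AC6CDD7     # magic of the optional 22-byte placeable header


def iter_records(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Walk the record stream and yield (offset, function, params) for each record."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                      # skip placeable header if present
    off += 18                         # skip the standard METAHEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            break                     # malformed or truncated record: stop, never over-read
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def find_setabortproc(data: bytes) -> List[int]:
    """Structure-aware check: offsets of Escape records whose escape code is SETABORTPROC.
    Padding records in front of the Escape do not matter, and Escape records carrying
    other escape codes (common in real metafiles) are not flagged."""
    hits = []
    for off, func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def naive_first_record_check(data: bytes) -> bool:
    """Constructed model of a fixed-offset signature: it only inspects the record that
    sits immediately after the header, which is exactly what random padding defeats."""
    first = next(iter_records(data), None)
    if first is None:
        return False
    _, func, params = first
    return func == META_ESCAPE and params[:2] == struct.pack("<H", SETABORTPROC)


# --- constructed sample files ---------------------------------------------------------

def record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record: size in words, function number, word-aligned parameters."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: List[bytes]) -> bytes:
    """Prefix a standard 18-byte METAHEADER (memory metafile, version 3.0) to the records."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# An ordinary metafile that happens to contain a harmless Escape record (code 1, NEWFRAME).
BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_SETWINDOWEXT, struct.pack("<hh", 100, 100)),
    record(META_ESCAPE, struct.pack("<HH", 0x0001, 0)),
    record(META_EOF),
])


def padded_sample(seed: int = 1) -> bytes:
    """A file whose Escape/SETABORTPROC record is preceded by random benign records.
    The record's data is inert filler ('A' bytes), constructed for the detection test only."""
    rng = random.Random(seed)
    pad = [record(rng.choice([META_SETMAPMODE, META_SETWINDOWORG, META_SETWINDOWEXT]),
                  bytes(rng.randrange(256) for _ in range(rng.choice([2, 4]))))
           for _ in range(rng.randint(3, 8))]
    filler = b"A" * 8
    escape = record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(filler)) + filler)
    return build_wmf(pad + [escape, record(META_EOF)])


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("padded", padded_sample())):
        print(name, "fixed-offset:", naive_first_record_check(sample),
              "structure-aware hits:", find_setabortproc(sample))
```

Run as a script it prints that the fixed-offset check misses the padded file while the record walker reports the Escape record's offset, and that the benign file with its NEWFRAME escape is flagged by neither. The design choice worth copying into a real signature is the record walk itself: parse sizes and function numbers rather than anchoring on bytes at a known distance from the header.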
