Metasploit mailing list archives

WMF: New Metasploit Framework Module


From: hdm at metasploit.com (H D Moore)
Date: Sat, 31 Dec 2005 11:50:52 -0600

On Saturday 31 December 2005 10:22, Chris Byrd wrote:
> Just for discussion, what is the purpose behind releasing an exploit
> module for an IDS-evading 0day exploit?

To demonstrate that the current set of IDS signatures are near worthless 
for catching the malicious exploitation of this bug. I am guessing no few 
people dropped a sig into snort yesterday and have a false sense of 
security about how accurate that signature is. Better that they realize 
it now and not tomorrow morning (with associated new year's hangover).

> I guess what I'm really asking is what is the intended use of
> Metasploit and exploits such as this?  As a pen-tester, I don't see a
> value in pointing out that I got user access using a 0day - if the
> client can't do anything about it.

I have an opposite take on this; most pen-tests I work on *require* a 
0-day vulnerability to gain access. Network defense is more than applying 
patches, it's making sure that the successful exploitation of one system 
doesn't lead to a complete network compromise.

> As for an IDS education or testing tool, wouldn't it be more effective
> to release snort signatures that correctly identify the exploit code,
> at least in conjunction with this module?

I wouldn't bother for this exploit -- there are so many ways to encode a 
valid WMF graphic that any signature-based IDS is going to fail at least 
one case. For example, there are three different optional headers that can be 
placed before the real WMF header. You can insert megabytes of filler 
data between the vulnerable record types and even with a by-the-spec WMF 
preprocessor, you can abuse bugs in the GDI API to specify invalid record 
types that are still accepted.

> I hope I don't sound like a jerk, it's not my intention.

Not at all, it's a great question. Happy new years :-)

-HD
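The point HD makes about optional headers and filler records is easy to see with a small, structure-aware WMF record walker. The following is an added example written for this archive page; it is not code from the post, from Chris Byrd, or from the Metasploit Framework. It builds two constructed sample files that carry the same META_SETMAPMODE record, one bare and one behind an Aldus placeable header plus fifty filler records, and shows that a signature pinned to a byte offset misses the second file while a parser that follows the records' own size fields still finds the record. Record function codes (0x0103, 0x0104), the placeable key 0x9AC6CDD7 and the header layouts are the published WMF format values; the sample bitmap geometry, the filler choice and the function names are assumptions made for this example.

```python
"""Structure-aware WMF record walk versus a fixed-offset byte signature.
Added example for this mailing-list page; not Metasploit or the poster's code."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte Aldus placeable header
META_EOF        = 0x0000
META_SETMAPMODE = 0x0103       # the record we want to locate wherever it sits
META_SETROP2    = 0x0104       # harmless record used here only as filler (assumption)

def build_record(func, params=b""):
    """Encode one WMF record: size in 16-bit words (4 bytes), function (2 bytes), params."""
    body = params + (b"\x00" if len(params) % 2 else b"")
    return struct.pack("<IH", (6 + len(body)) // 2, func) + body

def build_wmf(records, placeable=False):
    """Assemble a minimal WMF: optional placeable header, 18-byte standard header,
    the given records and a META_EOF. Everything here is constructed sample data."""
    eof = build_record(META_EOF)
    body = b"".join(records) + eof
    max_record = max(len(r) for r in records + [eof]) // 2
    # type=1 (memory), headerSize=9 words, version 3.0, fileSize in words, objects, maxRecord, members
    out = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0) + body
    if placeable:
        # key, handle, bbox left/top/right/bottom, inch, reserved, checksum (checksum left 0 in this sample)
        out = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out

def walk_records(data):
    """Yield (offset, func, record_bytes), driven by the records' own size fields."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22                                   # skip the optional placeable header
    wmf_type, header_words = struct.unpack_from("<HH", data, pos)
    if wmf_type not in (1, 2) or header_words != 9:
        raise ValueError("no standard WMF header at offset %d" % pos)
    pos += header_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            raise ValueError("malformed record size at offset %d" % pos)
        yield pos, func, data[pos:pos + size]
        pos += size
        if func == META_EOF:
            return

def find_record_offsets(data, func):
    """Offsets of every record with the given function code, found by parsing."""
    return [off for off, f, _ in walk_records(data) if f == func]

def fixed_offset_match(data, pattern, offset):
    """Naive signature: the pattern must appear at one fixed byte offset."""
    return data[offset:offset + len(pattern)] == pattern

# Constructed samples: same SETMAPMODE record, with and without header/filler in front of it.
TARGET = build_record(META_SETMAPMODE, struct.pack("<H", 8))          # MM_ANISOTROPIC
PLAIN  = build_wmf([TARGET])
PADDED = build_wmf([build_record(META_SETROP2, struct.pack("<H", 13))] * 50 + [TARGET],
                   placeable=True)

def demo():
    """Pin a signature to where TARGET lands in PLAIN, then try it on PADDED."""
    sig_offset   = find_record_offsets(PLAIN, META_SETMAPMODE)[0]     # 18: right after the header
    naive_plain  = fixed_offset_match(PLAIN, TARGET, sig_offset)      # True
    naive_padded = fixed_offset_match(PADDED, TARGET, sig_offset)     # False: header + filler moved it
    walk_padded  = find_record_offsets(PADDED, META_SETMAPMODE)       # [440]: found by structure
    return naive_plain, naive_padded, walk_padded

if __name__ == "__main__":
    print(demo())
```

The walker only trusts the format's own framing (the optional 22-byte key, the 9-word header, each record's size field), which is what a preprocessor needs in order to reason about which record types a file actually contains; a byte pattern at a fixed position, or any rule that assumes the first header it sees is the real one, is defeated by exactly the layout variations the post lists.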
