Metasploit mailing list archives

WMF: New Metasploit Framework Module


From: cbyrd01 at gmail.com (Chris Byrd)
Date: Sat, 31 Dec 2005 12:56:58 -0600

On 12/31/05, H D Moore <hdm at metasploit.com> wrote:
> I have an opposite take on this; most pen-tests I work on *require* a
> 0-day vulnerability to gain access. Network defense is more than applying
> patches, it's making sure that the successful exploitation of one system
> doesn't lead to a complete network compromise.

You must be pen-testing better shops than me.  That must be why msf
doesn't have a blank sa password exploit.  :)

Seriously though, you make an excellent point.  Once in, access should
be limited a/k/a failing well.  That isn't the type of pen I've been
asked for, but it certainly has higher value.

> I wouldn't bother for this exploit -- there are so many ways to encode a
> valid WMF graphic that any signature-based IDS is going to fail at least
> one case. For example, there are three different optional headers that can be
> placed before the real WMF header. You can insert megabytes of filler
> data between the vulnerable record types and even with a by-the-spec WMF
> preprocessor, you can abuse bugs in the GDI API to specify invalid record
> types that are still accepted.

That is exactly the kind of information I was looking for.  That this
exploit can be obfuscated to that level helps drive the nail in the
signature-based NIPS coffin.  Signatures have their place, especially
in IDS, but too often they're the only form of protection.

> Not at all, it's a great question. Happy New Year :-)

You too, and thanks!

Chris
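To make concrete why a structural parse, rather than a fixed byte pattern, is what a defender needs here, the following is an added illustration (not code from this thread or from Metasploit): it walks WMF records field by field, tolerates the optional placeable header and arbitrary filler records, and flags Escape records carrying the SETABORTPROC sub-function that the 2005 WMF bug abused. Record and header layouts follow the WMF format; the sample file is constructed inline for testing.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional 22-byte placeable header
META_ESCAPE = 0x0626           # WMF record function number for Escape records
SETABORTPROC = 0x0009          # Escape sub-function to flag

def find_abortproc_records(data: bytes) -> list:
    """Return byte offsets of Escape/SETABORTPROC records, found by walking
    the record chain rather than searching for a byte signature, so filler
    records and an optional placeable header do not hide the record."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _file_type, header_size = struct.unpack_from("<HH", data, off)
    if header_size != 9:                           # HeaderSize is in WORDs
        raise ValueError("bad WMF HeaderSize")
    off += 18                                      # standard header is 9 WORDs
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2                   # record size is in WORDs
        if rec_len < 6 or off + rec_len > len(data):
            raise ValueError("malformed record at offset %d" % off)
        if func == 0x0000:                         # META_EOF
            break
        if func == META_ESCAPE and rec_len >= 8:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += rec_len
    return hits

def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_sample(filler_len: int = 4096, placeable: bool = False) -> bytes:
    """Constructed test file: header, one padded filler record (META_SAVEDC),
    an Escape/SETABORTPROC record, then META_EOF. filler_len must be even."""
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
    if placeable:
        hdr = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + hdr
    filler = _record(0x001E, b"\x00" * filler_len)
    escape = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    return hdr + filler + escape + _record(0x0000, b"")
```

Because the walk follows each record's declared size, moving the flagged record behind more filler or a placeable header changes only the reported offset, not the verdict.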
