Metasploit mailing list archives
WMF: New Metasploit Framework Module
From: cbyrd01 at gmail.com (Chris Byrd)
Date: Sat, 31 Dec 2005 12:56:58 -0600
On 12/31/05, H D Moore <hdm at metasploit.com> wrote:
> I have an opposite take on this; most pen-tests I work on *require* a 0-day vulnerability to gain access. Network defense is more than applying patches, it's making sure that the successful exploitation of one system doesn't lead to a complete network compromise.
You must be pen-testing better shops than me. That must be why msf doesn't have a blank sa password exploit. :) Seriously though, you make an excellent point. Once in, access should be limited a/k/a failing well. That isn't the type of pen I've been asked for, but it certainly has higher value.
> I wouldn't bother for this exploit -- there are so many ways to encode a valid WMF graphic that any signature-based IDS is going to fail at least one case. For example, there are three different optional headers that can be placed before the real WMF header. You can insert megabytes of filler data between the vulnerable record types and even with a by-the-spec WMF preprocessor, you can abuse bugs in the GDI API to specify invalid record types that are still accepted.
That is exactly the kind of information I was looking for. That this exploit can be obfuscated to that level helps drive the nail in the signature based NIPS coffin. Signatures have their place, especially in IDS, but too often they're the only form of protection.
> Not at all, it's a great question. Happy new year :-)
You too, and thanks! Chris