Metasploit mailing list archives

unable to reproduce WMF exploit


From: mwood at icts.uct.ac.za (Michael Wood)
Date: Thu, 12 Jan 2006 10:03:35 +0200

Hi

On Tue, Jan 10, 2006 at 01:02:20PM +0100, /dev/null wrote:
> Sorry, for off-topic...
>
> Seems that everybody was able to reproduce the WMF exploit except me :)

I had a similar problem on a Windows 2003 terminal server.

Here are the steps I performed:

- use ie_xp_pfv_metafile
- set PAYLOAD win32_exec
- set CMD cmd.exe
- exploit

I tried win32_exec with notepad.exe and a couple of other
things.  That didn't seem to do anything, but later I noticed
some notepad.exe processes running that were just not
displaying.  See if you have some cmd.exe processes running in
the background.

I also tried the win32_reverse payload which worked very well.
The win32_reverse_vncinject and win32_reverse_stg_upexec
payloads appeared to do nothing, though.

[snip]
> The most amazing thing: when I try calc.bmp generated by
> Mr.Moore it works like a charm...
[snip]

Same here.

Is there anything special that needs to be done to get the
win32_exec payload to actually display the process it is
running? :)

-- 
Michael Wood <mwood at icts.uct.ac.za>
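The "see if you have some cmd.exe processes running in the background" check, as an added example that is not from this thread: it walks a process snapshot and flags console or editor processes whose parent chain leads back to a browser. The (pid, ppid, name) snapshot format, the browser list and the sample data are assumptions; on Windows the snapshot could be filled from the output of `tasklist` or `wmic process get ProcessId,ParentProcessId,Name`.

```python
# Added example, not code from the mailing list or from Metasploit.
# Flag watchlist processes (cmd.exe, notepad.exe) that descend from a browser
# process, which is the tell-tale of a browser-side exploit spawning a payload
# process that never shows a window.

BROWSERS = {"iexplore.exe"}          # assumption: browsers we care about
WATCHLIST = {"cmd.exe", "notepad.exe"}

# Constructed sample snapshot (pid, ppid, name); not real output from any host.
SAMPLE_SNAPSHOT = [
    (4, 0, "System"),
    (600, 4, "explorer.exe"),
    (1200, 600, "iexplore.exe"),
    (1344, 1200, "notepad.exe"),   # child of the browser: suspicious
    (1400, 1200, "cmd.exe"),       # child of the browser: suspicious
    (1450, 1400, "notepad.exe"),   # grandchild of the browser: also suspicious
    (800, 600, "cmd.exe"),         # launched from the desktop: benign
    (2000, 600, "winword.exe"),
]


def browser_spawned(snapshot, browsers=BROWSERS, watchlist=WATCHLIST):
    """Return [(pid, name, chain)] for watchlist processes that have a browser
    ancestor; chain lists names from the process up to that browser."""
    by_pid = {pid: (ppid, name) for pid, ppid, name in snapshot}
    findings = []
    for pid, ppid, name in snapshot:
        if name.lower() not in watchlist:
            continue
        chain = [name]
        cur = ppid
        seen = set()                 # guard against pid reuse making a cycle
        while cur in by_pid and cur not in seen:
            seen.add(cur)
            parent_ppid, parent_name = by_pid[cur]
            chain.append(parent_name)
            if parent_name.lower() in browsers:
                findings.append((pid, name, chain))
                break
            cur = parent_ppid
    return findings


if __name__ == "__main__":
    for pid, name, chain in browser_spawned(SAMPLE_SNAPSHOT):
        print(f"pid {pid}: {' <- '.join(chain)}")
```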
