[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Someone wasted a nice bug on spyware...
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Someone wasted a nice bug on spyware...
- From: H D Moore <fdlist@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 28 Dec 2005 22:56:17 -0600
On Wednesday 28 December 2005 19:16, Nick FitzGerald wrote:
> The fact it was used for installing spyware (and may have been so for
> near on two weeks now) simply shows you where the money is these days.
Its a sad state of affairs when $19.95 crapware scams make more money than
cleaning out a few bank/egold/epoker accounts.
Since WMF/EMF is basically raw access to the GDI API, expect to see quite
a few of these bugs. For the curious:
- http://msdn.microsoft.com/library/en-us/gdi/metafile_250z.asp
For anyone using the Metasploit module (aka crappy wrapper around the
original file), keep in mind that for the exploit to work, you need to
request a path from the attacking system path ending in .wmf (or .tiff,
or .emf, or ...). The exploit has been tested against non-english
versions of Windows as well (Polish, Spanish, a few others) and works
just fine as long as DEP is turned off.
-HD
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/