New WMF Exploit version emerges - ISC returns to Yellow alert

Posted Saturday, December 31, 2005 6:11 PM by hwaldron

There is a "new and improved" edition of the WMF exploit that does not use a WMF extension.  It also varies in size randomly to better evade AV detection.  A code Yellow alert has been issued by the Internet Storm Center.  There is little or no AV protection available, so extra caution should be used.

New exploit released for the WMF vulnerability - YELLOW
http://isc.sans.org/diary.php?storyid=992 

A copy of the actual exploit can be found at FrSIRT for anyone wanting to review the code, but please use caution.  The exploit generates files with the following characteristics:

* with a random size;
* no .wmf extension (.jpg is used, but it could actually be any other image extension);
* a random piece of junk in front of the bad call, carefully crafted to be larger than the MTU on an Ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
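
Since these files drop the .wmf extension and vary in size, filters keyed on file name or length miss them. The following is an added example (not from the original post or from ISC) of a content-based check that flags metafile data hiding behind another extension. It assumes the metafile header still sits at offset 0 of the file; the function names are hypothetical and the sample bytes are constructed and harmless.

```python
import struct
from pathlib import PurePath

PLACEABLE_KEY = 0x9AC6CDD7      # magic of the optional 22-byte placeable header
PLACEABLE_LEN = 22
META_HEADER = struct.Struct("<HHHIHIH")   # 18-byte standard WMF header

def looks_like_wmf(data: bytes) -> bool:
    """True if data starts with a WMF header, whatever the file is called."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = PLACEABLE_LEN
    if len(data) < off + META_HEADER.size:
        return False
    ftype, hdr_words, version, *_ = META_HEADER.unpack_from(data, off)
    # Type 1 (memory) or 2 (disk), header of 9 words, version 1.0 or 3.0
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def classify(filename: str, data: bytes) -> str:
    """Label a file by content first, then compare with its extension."""
    if not looks_like_wmf(data):
        return "not-wmf"
    ext = PurePath(filename).suffix.lower()
    return "wmf" if ext == ".wmf" else "disguised-wmf"

def sample_wmf(placeable: bool = False, trailer: bytes = b"") -> bytes:
    """Constructed, harmless sample: header plus a single end-of-file record."""
    eof = struct.pack("<IH", 3, 0x0000)
    body = META_HEADER.pack(1, 9, 0x0300, 9 + 3, 0, 3, 0) + eof
    prefix = struct.pack("<I", PLACEABLE_KEY) + bytes(18) if placeable else b""
    return prefix + body + trailer

if __name__ == "__main__":
    for name, blob in [
        ("holiday.jpg", sample_wmf(trailer=b"\x00" * 37)),   # random-style trailer
        ("logo.gif", sample_wmf(placeable=True)),
        ("chart.wmf", sample_wmf()),
        ("real.jpg", b"\xff\xd8\xff\xe0" + bytes(32)),       # genuine JPEG magic
    ]:
        print(f"{name:12} {classify(name, blob)}")
```

A "disguised-wmf" result on mail or web gateway traffic is the case worth blocking or quarantining, since the extension no longer matches what the file contains.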
