If you haven’t heard about the Windows Metafile exploit and are using Windows XP or Windows 2003, you should be a little worried. This exploit lets someone execute any command they want on your computer as easily as sending you a link and having you browse to it with Internet Explorer. To demonstrate how critical this issue is, I am going to show you how to create a .wmf file that pops up calc.exe on a Windows XP computer simply by having the user browse to a web page hosting the .wmf exploit.
To create the exploit easily we will be using Metasploit. We need to download the exploit code and then place it in Metasploit in the correct format. The code for this Metasploit module can be found at http://www.frsirt.com; it is called ie_xp_pfv_metafile.pm.
Open the link and copy all of the code (from ## through 1; ). Then open TextEdit, paste the code in, and save the file as ie_xp_pfv_metafile.pm. It is really important that you name the file correctly or Metasploit will not be able to use it.
Now that you have a .pm file, you need to put it in the correct place in Metasploit. In Finder, browse to your Metasploit folder, framework-2.5; inside the framework folder is a folder named exploits. Place the ie_xp_pfv_metafile.pm file in the exploits folder. Next, set the permissions on the new file to match the rest of the files in the exploits folder. The easiest way to do that is to open Terminal, cd to the framework-2.5/exploits folder and run
ls -la
to see the permissions and owners of the files. If you need to, use chmod and chown to make the new file's permissions match the other files exactly.
Now that the new exploit module is in place you can fire up msfcli or msfweb to create a .wmf file. I will be showing you the easy way, using msfweb.
In Terminal, cd to the framework-2.5 directory and start msfweb with the following command:
./msfweb
Now open a web browser and point it at 127.0.0.1:55555 to reach the Metasploit web-based GUI.
In the Filter box, select app :: ie and click Filter Modules. Then click Windows XP/2003 Picture and Fax Viewer Metafile Overflow to get started.
Click the Select Target link. We will be executing a harmless command, so select win32_exec as the payload.
Under HTTPHOST enter 127.0.0.1, and in the CMD field type calc.exe, then click Exploit. You should now see [*] Waiting for connections to http://127.0.0.1:8080/anything.wmf.
Open a new tab, browse to http://127.0.0.1:8080/anything.wmf and save that file to disk.
The file is now ready to be uploaded to your web server. Upload it and set the correct file permissions. Then browse to the file’s URL from a Windows XP or 2003 computer using Internet Explorer and watch your calculator pop up.
Microsoft knows about this vulnerability and will release the patch on the 6th of January 2006. Until then, if you have a vulnerable computer I suggest applying the patch available from SANS. Keep in mind, though, that this patch is not authorized by Microsoft and has been found to cause some printing problems when the DLL is registered.
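The Picture and Fax Viewer bug this module exploits is reached through a WMF Escape record whose escape function is SetAbortProc, so a file-level check for that record is the detection a defender would want in front of the patch, on mail gateways or upload handlers. The scanner below is an added example, not part of the original post or of Metasploit; the header and record layout follow the public Windows Metafile format, and both sample files are constructed inline.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7      # Aldus placeable header may precede the real header
META_ESCAPE = 0x0626              # record function: Escape
ESCAPE_SETABORTPROC = 0x0009      # escape function abused by the exploit


def scan_wmf(data: bytes) -> list:
    """Walk the WMF record stream and return (finding, offset) pairs."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                  # skip the 22-byte placeable header
    if len(data) < off + 18:
        return [("truncated-header", off)]
    # METAHEADER: mtType, mtHeaderSize (words), mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    hdr_words = struct.unpack_from("<HHHIHIH", data, off)[1]
    if hdr_words != 9:
        findings.append(("bad-header-size", off))
    off += 18
    while off + 6 <= len(data):
        rd_size, func = struct.unpack_from("<IH", data, off)   # rdSize counts 16-bit words
        if rd_size < 3 or off + rd_size * 2 > len(data):
            findings.append(("bad-record-size", off))          # malformed or truncated record
            break
        if func == 0:                             # META_EOF ends the stream
            break
        if func == META_ESCAPE and rd_size >= 5:
            esc_func, _nbytes = struct.unpack_from("<HH", data, off + 6)
            if esc_func == ESCAPE_SETABORTPROC:
                findings.append(("setabortproc-escape", off))
        off += rd_size * 2
    return findings


def _header(size_words: int, max_record: int) -> bytes:
    """Build an 18-byte METAHEADER for the constructed samples."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, max_record, 0)


EOF_REC = struct.pack("<IH", 3, 0)
# Constructed sample: Escape(SetAbortProc) carrying four filler bytes, then EOF.
ESCAPE_REC = struct.pack("<IHHH", 7, META_ESCAPE, ESCAPE_SETABORTPROC, 4) + b"ABCD"
SUSPICIOUS_WMF = _header(9 + 7 + 3, 7) + ESCAPE_REC + EOF_REC
# Constructed benign sample: SetWindowOrg(0, 0), then EOF.
BENIGN_WMF = _header(9 + 5 + 3, 5) + struct.pack("<IHHH", 5, 0x020B, 0, 0) + EOF_REC

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_WMF), ("benign", BENIGN_WMF)):
        print(name, scan_wmf(blob))   # suspicious -> [('setabortproc-escape', 18)], benign -> []
```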