WMF Exploit
Dan Hollis
spamtrap71892316634 at ANIME.NET
Thu Dec 29 23:44:52 GMT 2005
On Thu, 29 Dec 2005, dnsadmin 1bigthink.com wrote:
> Well, it was in mine and this is what it looked like:
> # Windows Metafont .WMF
> 0 string \327\315\306\232\000\000\000\000\000\000 ms-windows metafont .wmf
> RedHat ES 3.0
that's a metafont. not the same thing.
here's a hexdump from an _actual_ real life wmf exploit being used right now:
$ hexdump xpl.wmf | more
0000000 0001 0009 0300 1f52 0000 0006 003d 0000
0000010 0000 0011 0000 0626 000f 0018 ffff ffff
0000020 00ff 0010 0000 0000 0000 0000 03c0 0085
0000030 02d0 0000 0009 0000 0626 000f 0008 ffff
0000040 ffff 0002 0000 0017 0000 0626 000f 0023
0000050 ffff ffff 0004 001b 4e54 5050 0014 0020
0000060 00b8 0632 0000 ffff 004f 0014 0000 004d
0000070 0069 0000 000a 0000 0626 000f 000a 4e54
0000080 5050 0000 0002 03f4 0009 0000 0626 000f
0000090 0008 ffff ffff 0003 0000 000f 0000 0626
00000a0 000f 0014 4e54 5050 0004 000c 0001 0000
00000b0 0001 0000 0000 0000 0005 0000 020b 0000
00000c0 0000 0005 0000 020c 02d0 03c0 0004 0000
-Dan
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list