WMF Exploit
Randal, Phil
prandal at HEREFORDSHIRE.GOV.UK
Fri Dec 30 10:06:47 GMT 2005
My head hurts after reading this :-)
http://www.skynet.ie/~caolan/publink/libwmf/libwmf/doc/ora-wmf.html
Cheers,
Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Dan Hollis
> Sent: 29 December 2005 23:45
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: WMF Exploit
>
> On Thu, 29 Dec 2005, dnsadmin 1bigthink.com wrote:
> > Well, it was in mine and this is what it looked like:
> > # Windows Metafont .WMF
> > 0 string \327\315\306\232\000\000\000\000\000\000 ms-windows metafont .wmf
> > RedHat ES 3.0
>
> that's a metafont. not the same thing.
>
> here's a hexdump from an _actual_ real life wmf exploit being
> used right now:
>
> -Dan
>
> ------------------------ MailScanner list
> ------------------------ To unsubscribe, email
> jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/)
> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
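The magic rule quoted in the thread keys on the placeable-metafile signature (bytes D7 CD C6 9A followed by zeros), which a WMF that begins directly with the standard 18-byte header does not carry. The following is an added example, not part of the original thread or of MailScanner: a content check that recognises both header forms. The function names are hypothetical, the field layouts follow the published WMF format, and all sample bytes are constructed for illustration.

```python
import struct

# Placeable-metafile key: the same bytes as \327\315\306\232 in the quoted magic rule.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
# Standard WMF header, little-endian: Type, HeaderSize (in words), Version,
# Size, NumberOfObjects, MaxRecord, NumberOfMembers = 18 bytes.
STD_HEADER = struct.Struct("<HHHIHIH")


def thread_magic_rule(data: bytes) -> bool:
    """Emulate the quoted rule: the key plus six zero bytes at offset 0."""
    return data.startswith(PLACEABLE_KEY + b"\x00" * 6)


def has_standard_header(data: bytes) -> bool:
    """True if data starts with a plausible standard WMF header."""
    if len(data) < STD_HEADER.size:
        return False
    ftype, hdr_words, version, *_ = STD_HEADER.unpack_from(data)
    # Type 1 = memory metafile, 2 = disk metafile; the header is always 9 words.
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def classify_wmf(data: bytes) -> str:
    """Return 'placeable', 'standard' or 'not-wmf' for the start of a file."""
    # A placeable file has a 22-byte prefix in front of the standard header.
    if data[:4] == PLACEABLE_KEY and has_standard_header(data[22:]):
        return "placeable"
    if has_standard_header(data):
        return "standard"
    return "not-wmf"


# Constructed sample inputs (not taken from any real file).
SAMPLE_STANDARD = STD_HEADER.pack(1, 9, 0x0300, 0x40, 0, 0x10, 0)
SAMPLE_PLACEABLE = (
    PLACEABLE_KEY
    # handle, left, top, right, bottom, units per inch, reserved, checksum
    + struct.pack("<HhhhhHIH", 0, 0, 0, 640, 480, 96, 0, 0)
    + SAMPLE_STANDARD
)
SAMPLE_OTHER = b"GIF89a" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("standard", SAMPLE_STANDARD),
                       ("placeable", SAMPLE_PLACEABLE),
                       ("other", SAMPLE_OTHER)]:
        print(name, thread_magic_rule(blob), classify_wmf(blob))
```

The placeable checksum is not verified here; the check only decides which header form is present.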