Bugtraq mailing list archives

WMF browser-ish exploit vectors
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 29 Dec 2005 15:10:19 -0600

Here, let's make the rendering issue simple:

Due to IE being so content help-happy there are a
myriad of IE-friendly file types (e.g. .jpg) that one
can simply rename a metafile to for purposes of web
exploitation, and IE will pull out the wonderful
hey-automatically-handle trick, err, /feature/ for you.

Windows Explorer/My Computer preview/thumbnail thingy = IE
for purposes of rendering engine.

Stocking Stuffer Sploit-use Samples:




For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:


Examples include the WMF file skatebrd.wmf ~renamed~ skatebrd.doc;
candy is a JPEG also renamed to .doc, and win32api is a JPEG
renamed to .wmf. Mix and match to your heart's content. <obvious>

http://www.anachronic.com/xss/skatebrd.wmf =


http://www.anachronic.com/xss/win32api.jpg =

and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>

You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.

Merry Metafiling,
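Added example, not part of the post above and not anything hosted at the URLs it links: a small Python checker that classifies a file by its leading bytes the way a content-sniffing renderer would, then reports when that disagrees with what the extension claims. The magic values are taken from the public WMF (placeable key 0x9AC6CDD7, standard header Type/HeaderSize/Version), JPEG, PNG, GIF and BMP format descriptions; the sample "files" are byte strings constructed inline (the names reuse the post's skatebrd/candy/win32api, the contents are constructed here, not the author's files).

```python
"""Sniff file formats by magic bytes and flag extension/content mismatches.

The post's point is that IE and Explorer render a WMF by content, not
by name, so any defensive check has to look at the bytes the same way.
"""
import struct

# Placeable (Aldus) WMF: 32-bit key 0x9AC6CDD7, little-endian on disk.
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"

# What each extension claims to be, normalised to the sniffer's labels.
EXTENSION_MAP = {"wmf": "wmf", "jpg": "jpeg", "jpeg": "jpeg",
                 "png": "png", "gif": "gif", "bmp": "bmp"}


def sniff(data: bytes) -> str:
    """Return a format label derived only from the leading bytes of `data`."""
    if data.startswith(WMF_PLACEABLE_KEY):
        return "wmf"
    if len(data) >= 18:
        # Standard WMF header: Type (1=memory, 2=disk), HeaderSize in
        # 16-bit words (always 9), Version (0x0100 or 0x0300).
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data.startswith(b"BM"):
        return "bmp"
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed, actual) if the extension and the content disagree, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_MAP.get(ext, ext or "none")
    actual = sniff(data)
    return None if claimed == actual else (claimed, actual)


def audit(files: dict) -> list:
    """Audit {filename: bytes}; return [(filename, claimed, actual)] for every mismatch."""
    report = []
    for name, data in files.items():
        mismatch = extension_mismatch(name, data)
        if mismatch is not None:
            report.append((name, mismatch[0], mismatch[1]))
    return report


# Constructed sample contents (assumption: minimal headers, no real image data).
SAMPLE_WMF_STANDARD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)   # 18-byte header
SAMPLE_WMF_PLACEABLE = WMF_PLACEABLE_KEY + bytes(18) + SAMPLE_WMF_STANDARD  # 22-byte placeable header + standard
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# Constructed file set mirroring the post's renaming game.
SAMPLE_FILES = {
    "skatebrd.doc": SAMPLE_WMF_PLACEABLE,   # WMF renamed to .doc
    "candy.doc": SAMPLE_JPEG,               # JPEG renamed to .doc
    "win32api.wmf": SAMPLE_JPEG,            # JPEG renamed to .wmf
    "honest.jpg": SAMPLE_JPEG,              # extension and content agree
}

if __name__ == "__main__":
    for name, claimed, actual in audit(SAMPLE_FILES):
        print(f"{name}: extension says {claimed}, bytes say {actual}")
```

A renamed JPEG is harmless, but the check is symmetric on purpose: what matters for a gateway or proxy is that the bytes, not the name, decide which renderer runs, so anything whose sniffed type is "wmf" gets the metafile policy whatever it is called.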

