Metasploit mailing list archives

wmf never worked on my default winxp ever


From: hdm at metasploit.com (H D Moore)
Date: Wed, 4 Jan 2006 15:14:45 -0600

If you have Data Execution Prevention enabled, it will block the execution 
of the code in the WMF file. I can assure you that the exploit *does 
work*, quite reliably, against most Windows XP SP2 and Windows 2003 SP1 
systems. The exploit does not work if you have unregistered the PFV, have 
DEP enabled, or are not running XP, 2003, or Vista.

To be absolutely sure that your system is not affected, use the MSF 
exploit to download the BMP file, rename it to end in .WMF, place the 
file into any directory, and then view that directory with Windows 
Explorer set to Preview/Icon mode.

On a fresh install of XP Professional, I confirmed that the exploit 
automatically executes. Are you running XP Home Edition maybe?

If the Picture Viewer crashes, does it pop up a warning about code 
execution, or simply disappear? Are you running any third-party HIPS 
products (Core Force, Cisco Security Agent, Wehntrust, etc.)?

If you (or any of your friends) could send a screen shot of it asking to 
open/save the file, it would help us debug the problem. We found a few 
cases where XP would not auto-open the file if the WMF file name was 
longer than a certain number of characters - but it was very hard to 
reproduce. Screen shots should be sent to msfdev[at]metasploit.com.

If you would like a "known-safe" WMF file to test with, I generated one 
that executes "calc.exe" and does not crash Explorer. You can download 
this at:

https://metasploit.com/calc .bmp (remove the space between calc and .bmp).

Thanks for the feedback,

-HD


On Wednesday 04 January 2006 15:06, sandalwood wrote:
Addition: I have now confirmed 2 other friends of mine say that it
throws up a warning saying it blocked a download and does not work on
their machines either.

A screen shot would 


