Counter WMF Exploit with the WMF Exploit

Update: 1/6/2005 Looks like the AV on this server deleted the image files.

I used H D Moore's "Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution" revision 1.12 Metasploit module to create a WMF file that automatically runs "regsvr32 -u shimgvw.dll" to counter the exploit. I've embedded the image in this page with both a JPG and a WMF extension, but depending on how things are set up it may not run. If you are using Internet Explorer and did not get an antivirus warning about Bloodhound.*.*, or nothing seemed to happen, you can try it out by right-clicking these links:

Links no longer work, see above

http://www.irongeek.com/images/wmfunreg.wmf
http://www.irongeek.com/images/wmfunreg.jpg

and trying to open the images in "Windows Picture and Fax Viewer". Firefox users would also more than likely have to right-click, download the file and open it manually to see any effect. If you see a message like:

that means it ran; otherwise your AV may have picked it up, the problem has been fixed, shimgvw.dll had already been unregistered, or I just screwed the pooch. If you wonder what options I gave to Metasploit to get this WMF file, this screenshot should help you out:

 Thanks to AcidTonic and kn1ghtl0rd for the idea of using the exploit to "patch" the hole.
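
The file above was served with both a .jpg and a .wmf extension, so a filter has to look at the bytes, not the name. The following is an added example (not code from this page or from Metasploit) that walks the WMF record list and reports any Escape record carrying the SETABORTPROC code named in the module title. The record constants come from the published WMF format; the function names and sample files are constructed for illustration, and the walker assumes well-formed record lengths, which a crafted file may not honor.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header
META_EOF = 0x0000             # record function: end of metafile
META_SETBKMODE = 0x0102       # record function: harmless drawing-state record
META_ESCAPE = 0x0626          # record function: Escape()
SETABORTPROC = 0x0009         # escape code named in the module title

def find_setabortproc(data):
    """Return offsets of Escape/SETABORTPROC records, or None if not a WMF."""
    pos = 22 if data[:4] == struct.pack("<I", PLACEABLE_MAGIC) else 0
    if len(data) < pos + 18:
        return None
    mtype, hdr_words, version = struct.unpack_from("<HHH", data, pos)
    if mtype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    pos += 18  # skip the 18-byte metafile header
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:
            break  # malformed length or end marker: stop walking
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2  # record size is counted in 16-bit words
    return hits

def record(func, params=b""):
    """Build one record: size in 16-bit words, function, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def build_sample(with_escape):
    """Constructed test input; the escape record carries only zero filler."""
    recs = [record(META_SETBKMODE, struct.pack("<H", 1))]
    if with_escape:
        recs.append(record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + bytes(4)))
    recs.append(record(META_EOF))
    body = b"".join(recs)
    largest = max(len(r) for r in recs) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, largest, 0) + body

if __name__ == "__main__":
    # The file names are labels only; detection never looks at the extension.
    for name, blob in [("clean.wmf", build_sample(False)),
                       ("renamed.jpg", build_sample(True)),
                       ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(32))]:
        print(name, find_setabortproc(blob))
```

A result of None means the bytes are not a metafile, an empty list means a metafile with no SETABORTPROC escape, and a non-empty list gives the byte offsets worth quarantining or inspecting.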

Date: 01/03/2006

More info:

http://www.securityfocus.com/bid/16074/
http://en.wikipedia.org/wiki/Windows_Metafile
http://en.wikipedia.org/wiki/2005_WMF_vulnerability
http://www.podcastincubator.com/krt/shows.php
 

 

 

Copyright 2020, IronGeek