Open Source and information security mailing list archives
 
Message-ID: <200512282256.17421.fdlist@digitaloffense.net>
Date: Thu Dec 29 04:56:30 2005
From: fdlist at digitaloffense.net (H D Moore)
Subject: Someone wasted a nice bug on spyware...

On Wednesday 28 December 2005 19:16, Nick FitzGerald wrote:
> The fact it was used for installing spyware (and may have been so for
> near on two weeks now) simply shows you where the money is these days.

It's a sad state of affairs when $19.95 crapware scams make more money than 
cleaning out a few bank/egold/epoker accounts.

Since WMF/EMF is basically raw access to the GDI API, expect to see quite 
a few of these bugs. For the curious:

- http://msdn.microsoft.com/library/en-us/gdi/metafile_250z.asp

For anyone using the Metasploit module (aka crappy wrapper around the 
original file), keep in mind that for the exploit to work, you need to 
request a path from the attacking system path ending in .wmf (or .tiff, 
or .emf, or ...). The exploit has been tested against non-English 
versions of Windows as well (Polish, Spanish, a few others) and works 
just fine as long as DEP is turned off.

-HD
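
Added example, not part of the original post and not Metasploit code: a defender-side sketch of the "raw access to the GDI API" point, which recognises a WMF by its header bytes rather than by the file extension it arrives under and lists the GDI function each record names. The function-code table is a small subset, and the helper names and the sample file are constructed for illustration.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header before the real one
# Subset of WMF record function codes -> the GDI function each record names.
GDI_CALLS = {
    0x0000: "(end of file)", 0x0102: "SetBkMode", 0x0103: "SetMapMode",
    0x012D: "SelectObject", 0x0201: "SetBkColor", 0x020B: "SetWindowOrg",
    0x020C: "SetWindowExt", 0x0213: "LineTo", 0x0214: "MoveTo",
    0x02FA: "CreatePenIndirect", 0x02FC: "CreateBrushIndirect",
    0x041B: "Rectangle", 0x0626: "Escape",
}

def wmf_header_offset(data):
    """Return the offset of the 18-byte metafile header, or None if not a WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None

def gdi_calls(data):
    """List (function_code, gdi_name, param_bytes) per record, judged by content only."""
    off = wmf_header_offset(data)
    if off is None:
        return []
    pos, out = off + 18, []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or pos + size_words * 2 > len(data):
            break              # malformed or truncated record: stop walking
        out.append((func, GDI_CALLS.get(func, "unknown"), size_words * 2 - 6))
        if func == 0x0000:
            break
        pos += size_words * 2
    return out

# Constructed sample: a three-record metafile (SetBkMode, Rectangle, EOF).
def _rec(func, *params):
    return struct.pack("<IH", 3 + len(params), func) + struct.pack("<%dh" % len(params), *params)

_body = _rec(0x0102, 1) + _rec(0x041B, 50, 50, 10, 10) + _rec(0x0000)
SAMPLE = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(_body)) // 2, 0, 7, 0) + _body

if __name__ == "__main__":
    for code, name, nbytes in gdi_calls(SAMPLE):
        print("0x%04X %-14s %d parameter bytes" % (code, name, nbytes))
```

Because the check keys on the header bytes, the same result comes back whatever extension the file was served under.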
