Metasploit mailing list archives
WMF: New Metasploit Framework Module
From: hdm at metasploit.com (H D Moore)
Date: Sat, 31 Dec 2005 11:50:52 -0600
On Saturday 31 December 2005 10:22, Chris Byrd wrote:
> Just for discussion, what is the purpose behind releasing an exploit module for an IDS-evading 0day exploit?
To demonstrate that the current set of IDS signatures is near worthless for catching the malicious exploitation of this bug. I am guessing no few people dropped a sig into snort yesterday and have a false sense of security about how accurate that signature is. Better that they realize it now and not tomorrow morning (with associated New Year's hangover).
> I guess what I'm really asking is what is the intended use of Metasploit and exploits such as this? As a pen-tester, I don't see a value in pointing out that I got user access using a 0day - if the client can't do anything about it.
I have an opposite take on this; most pen-tests I work on *require* a 0-day vulnerability to gain access. Network defense is more than applying patches, it's making sure that the successful exploitation of one system doesn't lead to a complete network compromise.
> As for an IDS education or testing tool, wouldn't it be more effective to release snort signatures that correctly identify the exploit code, at least in conjunction with this module?
I wouldn't bother for this exploit -- there are so many ways to encode a valid WMF graphic that any signature-based IDS is going to fail at least one case. For example, there are three different optional headers that can be placed before the real WMF header. You can insert megabytes of filler data between the vulnerable record types, and even with a by-the-spec WMF preprocessor, you can abuse bugs in the GDI API to specify invalid record types that are still accepted.
> I hope I don't sound like a jerk, it's not my intention.
Not at all, it's a great question. Happy New Year :-) -HD
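To make the point about fixed-offset signatures concrete, here is an added example (my own, not Metasploit's code or anything posted in this thread) that builds constructed WMF samples with the optional placeable header and with benign filler records in front of the escape record, then runs a fixed-offset byte rule and a record-walking parser over each. The record-type and escape constants are from the WMF format as I know it and are assumptions, not values from the thread; the escape record carries dummy bytes, not a payload.

```python
import struct

# WMF constants (from the format spec as I know it; assumed, not taken from the thread).
PLACEABLE_KEY = 0x9AC6CDD7                      # optional 22-byte Aldus header before the real one
META_ESCAPE, META_EOF, META_SAVEDC = 0x0626, 0x0000, 0x001E
SETABORTPROC = 0x0009                           # escape sub-function the vulnerable path goes through

def record(func, params=b""):
    """Encode one WMF record: size in 16-bit words, function, then parameters."""
    params += b"\x00" * (len(params) % 2)       # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

def build_wmf(records, placeable=False):
    """Constructed sample: optional placeable header, 18-byte standard header, records, EOF."""
    body = b"".join(records) + record(META_EOF)
    hdr = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0)
    if placeable:
        hdr = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + hdr
    return hdr + body

def naive_signature(data):
    """Fixed-offset rule: ESCAPE/SetAbortProc as the first record after an 18-byte header."""
    return data[22:24] == b"\x26\x06" and data[24:26] == b"\x09\x00"

def structural_detect(data):
    """Walk the record list past any optional header or filler and flag ESCAPE/SetAbortProc."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        off = 22                                # skip the placeable header
    off += 18                                   # skip the standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3 or func == META_EOF:  # malformed record or end of metafile
            return False
        # GDI is widely reported to dispatch on the low byte of the function field only,
        # so compare that way; even so, other GDI leniencies the thread alludes to remain.
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                return True
        off += size_words * 2
    return False

# Constructed samples: the escape record carries four dummy zero bytes, not a payload.
ESCAPE_REC = record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
SAMPLES = {
    "plain": build_wmf([ESCAPE_REC]),
    "placeable": build_wmf([ESCAPE_REC], placeable=True),
    "filler": build_wmf([record(META_SAVEDC)] * 1000 + [ESCAPE_REC]),
    "benign": build_wmf([record(META_SAVEDC)]),
}
```

Only the "plain" sample trips the fixed-offset rule, while the record walker flags all three escape-bearing samples and passes the benign one; the walker is still only as good as its model of what GDI accepts.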