Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.
Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.
Stocking Stuffer Sploit-use Samples:
http://sharepoint2003/bizdir/your_custom_folder_icon.jpg
http://yourcorp_web_based_DMS/surprise_not_a.doc
etc.
For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:
http://www.anachronic.com/xss/
Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your heart's content. <obvious>
http://www.anachronic.com/xss/skatebrd.wmf =
http://www.anachronic.com/xss/statebrd.jpg
and
http://www.anachronic.com/xss/win32api.jpg =
http://www.anachronic.com/xss/win32api.wmf
and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. </obvious>
You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.
Merry Metafiling,
-ae
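To check stored or uploaded files for the extension/content disagreement described in the post above, the following is an added example and not part of the original message: a magic-byte audit that flags metafile content sitting behind a non-WMF extension. The function names, the extension mapping and the sample header bytes are constructed for illustration; the file names are borrowed from the post.

```python
import struct

JPEG = b"\xff\xd8\xff"                       # JPEG SOI marker
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE2 compound file)
WMF_PLACEABLE = b"\xd7\xcd\xc6\x9a"          # placeable-metafile key 0x9AC6CDD7

# What each extension claims the content is (assumed mapping for this example).
DECLARED = {"jpg": "jpeg", "jpeg": "jpeg", "doc": "ole2", "wmf": "wmf"}


def sniff(data: bytes) -> str:
    """Identify content from its leading bytes, ignoring the file name."""
    if data.startswith(JPEG):
        return "jpeg"
    if data.startswith(OLE2):
        return "ole2"
    if data.startswith(WMF_PLACEABLE):
        return "wmf"
    # Standard WMF header: Type (1 or 2), HeaderSize (9 words), Version.
    if len(data) >= 6:
        ftype, hsize, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def audit(name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch', or 'disguised-wmf' for one file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff(data)
    if actual == "wmf" and DECLARED.get(ext) != "wmf":
        return "disguised-wmf"   # metafile content behind another extension
    if DECLARED.get(ext) not in (None, actual):
        return "mismatch"        # extension and content disagree
    return "ok"


# Constructed header bytes, not the real files from the post.
_WMF = WMF_PLACEABLE + bytes(18) + struct.pack("<HHH", 1, 9, 0x0300)
_JPG = JPEG + b"\xe0\x00\x10JFIF\x00"
SAMPLES = {
    "skatebrd.wmf": _WMF,
    "skatebrd.doc": _WMF,
    "candy.doc": _JPG,
    "win32api.wmf": _JPG,
    "bare_header.jpg": struct.pack("<HHH", 1, 9, 0x0300) + bytes(12),
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:16} sniffed={sniff(blob):8} verdict={audit(fname, blob)}")
```

The last sample covers a metafile without the placeable key, which a check for the `D7 CD C6 9A` prefix alone would miss.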