[program-l] Re: wmf questions

  • From: "Mark Long" <Mark.Long@xxxxxxxxxxxxx>
  • To: <program-l@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jan 2006 16:02:51 -0000

Not very <smile>

-----Original Message-----
From: program-l-bounce@xxxxxxxxxxxxx
[mailto:program-l-bounce@xxxxxxxxxxxxx] On Behalf Of tyler
Sent: 05 January 2006 17:04
To: program-l@xxxxxxxxxxxxx
Subject: [program-l] Re: wmf questions

ok, I understand, I wasn't asking for an inside on it. lol, but, was I
close in my ideas of how things are done? btw. I want to spend my life
developing, not chillen with some dude in a 6 by 6 room.
Later,
Tyler Littlefield.
Check out our website:
http://tysplace.the-leetest.net
check out my blog:
livejournal.com/~tylerrl
[my programs don't have bugs, just randomly added features]
[failure is not an option, it comes bundled with windows!]
----- Original Message -----
From: "Mark Long" <Mark.Long@xxxxxxxxxxxxx>
To: <program-l@xxxxxxxxxxxxx>
Sent: Thursday, January 05, 2006 7:56 AM
Subject: [program-l] Re: wmf questions


> Ok. Fair enough.
>
> I cannot give you more information than is currently publicly
> available about the vulnerability.
>
> -----Original Message-----
> From: program-l-bounce@xxxxxxxxxxxxx
> [mailto:program-l-bounce@xxxxxxxxxxxxx] On Behalf Of tyler
> Sent: 05 January 2006 16:58
> To: program-l@xxxxxxxxxxxxx
> Subject: [program-l] Re: wmf questions
>
> I am not asking how to hack anything... If I wanted to hack someone,
> well... I am not stupid enough. I know, for one, there are other people
> way better than me, who will probably have me, and 2, a lot of people
> have moved to block this file. I wanted to figure out how these things
> work, not for some bad reason "Hay, try this." but, just to learn. Like
> I said, I am learning. If I thought I could take the world, I would be
> out on a shell account with a few dos attacks, a log wiper, and nmap.
> Tyler Littlefield.
> Check out our website:
> http://tysplace.the-leetest.net
> check out my blog:
> livejournal.com/~tylerrl
> [my programs don't have bugs, just randomly added features]
> [failure is not an option, it comes bundled with windows!]
> ----- Original Message -----
> From: "Mark Long" <Mark.Long@xxxxxxxxxxxxx>
> To: <program-l@xxxxxxxxxxxxx>
> Sent: Thursday, January 05, 2006 7:52 AM
> Subject: [program-l] Re: wmf questions
>
>
> > You know, I am really, really not going to tell you how to exploit a
> > security hole. I would strongly recommend that you don't ask for
> > instructions on how to hack Windows on a public forum like this
> > because it is a criminal offence to use this information to damage a
> > system and the penalties are normally custodial.
> >
> > Just a little friendly advice
> >
> > Mark
> >
> > -----Original Message-----
> > From: program-l-bounce@xxxxxxxxxxxxx
> > [mailto:program-l-bounce@xxxxxxxxxxxxx] On Behalf Of tyler
> > Sent: 05 January 2006 16:35
> > To: program-l@xxxxxxxxxxxxx
> > Subject: [program-l] wmf questions
> >
> > Hay list,
> > After the post earlier, it got me thinking. I want to learn how to
> > build patches, and etc. Now, if I learn how to do stuff, then well. I
> > don't know really how to word it, but I want to figure out how this
> > thing is working, and see if I can build a patch for it, just something
> > for fun. Anyway, I got the following information on a wmf file. Well, I
> > pasted it below my message, but, could someone explain a security flaw
> > like this?
> > The only possible way I could see that anyone could do anything, was to
> > possibly write some code to go into a .wmf file, and change some values
> > around, like the file size, but I still don't see how that would help,
> > unless it would cause... buffer overflow? It would be trying to read x
> > values from the file, when there were only n values, and that would
> > more than likely just read NULL values, right?
> > Also, I see some weird stuff, like structures. How am I supposed to
> > read these with C++?
> > Anyone have some example?
> > I am just not sure how to read something in binary, take it into a
> > struct, and take care of it from there.
> > Thanks, and here is my research,
> > Microsoft Windows Metafile File Format Summary
> >
> > Also Known As: Windows Metafile, WMF
> >
> > Type                        Metafile
> > Colors                      24-bit maximum
> > Compression                 NA
> > Maximum Image Size          NA
> > Multiple Images Per File    No
> > Numerical Format            Little-endian
> > Originator                  Microsoft Corporation
> > Platform                    Microsoft Windows
> > Supporting Applications     Numerous Microsoft Windows-based graphics applications
> > See Also                    Encapsulated PostScript, Microsoft Windows Bitmap
> >
> > Usage
> > Used for file interchange, device support.
> >
> > Comments
> > A widely used format associated with Microsoft Windows, although
> > applications on other platforms may provide support.
> >
> > Vendor specifications are available for this format.
> >
> > Microsoft Windows Metafile (WMF) files are used to store vector and
> > bitmap-format image data in memory or in disk files for later playback
> > to an output device. Although Windows Metafile is specific to Microsoft
> > Windows, many non-Windows-based applications support this format as a
> > method for interchanging data with Windows applications. Because of the
> > widespread popularity of the Microsoft Windows GUI, the Windows Metafile
> > format has become a staple format for graphical applications and is
> > supported on all platforms. Encapsulated PostScript (EPSF) supports the
> > use of an included Windows Metafile when required to store vector-based
> > data. The logical unit of measurement used in Windows Metafiles is the
> > twip. A twip (meaning "twentieth of a point") is equal to 1/1440 of an
> > inch. Thus 720 twips equal 1/2 inch, while 32,768 twips is 22.75 inches.
> >
> > Contents:
> > File Organization
> > File Details
> > For Further Information
> >
> > File Organization
> >
> > Windows Metafile format files contain a header, followed by one or more
> > records of data. The header contains a description of the record data
> > stored in the metafile. Each record is a binary-encoded Microsoft
> > Windows Graphics Device Interface (GDI) function call. The GDI is used
> > by Windows to perform all output to a screen window or other output
> > device. When the metafile data is rendered (or played back, in
> > Microsoft terminology), the data from each record is used to perform
> > the appropriate function call to render each object in the image. The
> > last record in the file contains information indicating that the end
> > of the record data has been reached.
> >
> > File Details
> >
> > The header is 18 bytes in length and is structured as follows:
> > typedef struct _WindowsMetaHeader
> > {
> > WORD  FileType;       /* Type of metafile (1=memory, 2=disk) */
> > WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
> > WORD  Version;        /* Version of Microsoft Windows used */
> > DWORD FileSize;       /* Total size of the metafile in WORDs */
> > WORD  NumOfObjects;   /* Number of objects in the file */
> > DWORD MaxRecordSize;  /* The size of largest record in WORDs */
> > WORD  NoParameters;   /* Not Used (always 0) */
> > } WMFHEAD;
> >
> > FileType contains a value which indicates the location of the metafile
> > data. A value of 1 indicates that the metafile is stored in memory,
> > while a 2 indicates that it is stored on disk.
> >
> > HeaderSize contains the size of the metafile header in WORDs.
> >
> > Version stores the version number of Microsoft Windows that created
> > the metafile. This value is always read in hexadecimal format. For
> > example, in a metafile created by Windows 3.0, this item would have
> > the value 300h.
> >
> > FileSize specifies the total size of the metafile in 16-bit WORDs.
> >
> > NumOfObjects specifies the number of objects that are in the metafile.
> >
> > MaxRecordSize specifies the size of the largest record in the metafile
> > in WORDs.
> >
> > NumOfParams is not used and is set to a value of 0.
> >
> > Following the header is a series of data records. The basic format of
> > each record is shown below:
> > typedef struct _WindowsMetaRecord
> > {
> > DWORD Size;          /* Total size of the record in WORDs */
> > WORD  Function;      /* Function number (defined in WINDOWS.H) */
> > WORD  Parameters[];  /* Parameter values passed to function */
> > } WMFRECORD;
> >
> > Size is the total size of the record in WORDs, including the Size field
> > itself. The minimum possible size for a record is 3.
> >
> > Function is the GDI number of the function.
> >
> > Parameters is an array of the parameters used by the function. The
> > parameters are stored in the reverse order in which they are passed to
> > the function.
> >
> > When a Windows Metafile format file is played back, each record is read
> > and the function call it contains is executed in the sequence in which
> > it is read. The last record in every metafile always has a function
> > number of zero and is used to indicate the end of the record data.
> >
> > There are several important considerations that must be observed when
> > reading WMF record data.
> >
> > First, not all of the records in a Windows Metafile have the above
> > format, although most do. The GDI function calls that do follow the
> > basic record format are the following:
> >
> > Arc                  RealizePalette       SetPolyFillMode
> > Chord                Rectangle            SetROP2
> > Ellipse              ResizePalette        SetStretchBltMode
> > ExcludeClipRect      RestoreDC            SetTextAlign
> > FloodFill            RoundRect            SetTextCharExtra
> > IntersectClipRect    SaveDC               SetTextColor
> > LineTo               ScaleViewportExt     SetTextJustification
> > MoveTo               ScaleWindowExt       SetViewportExt
> > OffsetClipRgn        SetBkColor           SetViewportOrg
> > OffsetViewportOrg    SetBkMode            SetWindowExt
> > OffsetWindowOrg      SetMapMode           SetWindowOrg
> > PatBlt               SetMapperFlags
> > Pie                  SetPixel
> >
> > Second, several record formats deviate from this basic record format by
> > containing a data structure, rather than a data array, in the
> > Parameters field. These are:
> >
> > AnimatePalette       CreatePatternBrush   Escape
> > BitBlt               CreatePenIndirect    ExtTextOut
> > CreateBrushIndirect  CreateRegion         Polygon
> > CreateFontIndirect   DeleteObject         PolyPolygon
> > CreatePalette        DrawText             Polyline
> >
> > Consult the Microsoft Windows Programmer's Reference Library for the
> > internal structure of each of these special records.
> >
> > Third, several GDI function calls were added or had their parameters
> > changed with the release of Microsoft Windows 3.0. GDI function calls in
> > this category include:
> >
> > AnimatePalette       Record               DeleteObject
> > BitBlt               CreatePatternBrush   RealizePalette
> > CreatePalette        Record               ResizePalette
> >
> > Note that not all GDI function calls can appear in a metafile. The only
> > calls that are valid are those that take a handle to a device context
> > as their first parameter. A complete list of all of the GDI function
> > calls is documented in Microsoft Windows Programmer's Reference. They
> > are also found in the WINDOWS.H header file. These GDI function calls
> > are the directives that begin with the characters META. There are more
> > than 70 different GDI function calls defined for Windows 3.0.
> >
> > Porting WMF Files Between Applications
> >
> > Most Microsoft Windows applications that create metafiles prepend a
> > 22-byte header to the file. This header contains information not found
> > in the metafile header, but which is needed to move the metafile
> > information between applications. The structure of this header is as
> > follows:
> > typedef struct _WmfSpecialHeader
> > {
> > DWORD Key;           /* Magic number (always 9AC6CDD7h) */
> > WORD  Handle;        /* Metafile HANDLE number (always 0) */
> > SHORT Left;          /* Left coordinate in metafile units */
> > SHORT Top;           /* Top coordinate in metafile units */
> > SHORT Right;         /* Right coordinate in metafile units */
> > SHORT Bottom;        /* Bottom coordinate in metafile units */
> > WORD  Inch;          /* Number of metafile units per inch */
> > DWORD Reserved;      /* Reserved (always 0) */
> > WORD  Checksum;      /* Checksum value for previous 10 WORDs */
> > } WMFSPECIAL;
> >
> > Key contains a special identification value that indicates the presence
> > of a special header and is always 9AC6CDD7h.
> >
> > Handle is not used and always contains the value 0.
> >
> > Left, Top, Right, and Bottom contain the coordinates of the upper-left
> > and lower-right corners of the image on the output device. These are
> > measured in twips. These four fields also correspond to the RECT
> > structure used in Microsoft Windows and found in the file WINDOWS.H.
> >
> > Inch contains the number of twips per inch used to represent the image.
> > Normally, there are 1440 twips per inch; however, this number may be
> > changed to scale the image. A value of 720 indicates that the image is
> > double its normal size, or scaled to a factor of 2:1. A value of 360
> > indicates a scale of 4:1, while a value of 2880 indicates that the
> > image is scaled down in size by a factor of two. A value of 1440
> > indicates a 1:1 scale ratio.
> >
> > Reserved is not used and is always set to 0.
> >
> > Checksum contains a checksum value for the previous 10 WORDs in the
> > header, calculated by XORing each WORD value to 0:
> > WMFSPECIAL wmfspecial;
> > wmfspecial.Checksum = 0;
> > wmfspecial.Checksum ^= (wmfspecial.Key & 0x0000FFFFL);
> > wmfspecial.Checksum ^= ((wmfspecial.Key & 0xFFFF0000L) >> 16);
> > wmfspecial.Checksum ^= wmfspecial.Handle;
> > wmfspecial.Checksum ^= wmfspecial.Left;
> > wmfspecial.Checksum ^= wmfspecial.Top;
> > wmfspecial.Checksum ^= wmfspecial.Right;
> > wmfspecial.Checksum ^= wmfspecial.Bottom;
> > wmfspecial.Checksum ^= wmfspecial.Inch;
> > wmfspecial.Checksum ^= (wmfspecial.Reserved & 0x0000FFFFL);
> > wmfspecial.Checksum ^= ((wmfspecial.Reserved & 0xFFFF0000L) >> 16);
> >
> > An alternative way to step through the header structure one WORD at a
> > time is to use a pointer as shown below:
> > WMFSPECIAL *wmfspecial;   /* points at the 22-byte header read from the file */
> > WORD *ptr;
> > wmfspecial->Checksum = 0;
> > for (ptr = (WORD *) wmfspecial;
> >      ptr < &wmfspecial->Checksum;   /* stop at the Checksum field itself */
> >      ptr++)
> >     wmfspecial->Checksum ^= *ptr;
> > Tyler Littlefield.
> > Check out our website:
> > http://tysplace.the-leetest.net
> > check out my blog:
> > livejournal.com/~tylerrl
> > [my programs don't have bugs, just randomly added features]
> > [failure is not an option, it comes bundled with windows!]
> >
>

** To leave the list, click on the immediately-following link:-
** [mailto:program-l-request@xxxxxxxxxxxxx?subject=unsubscribe]
** If this link doesn't work then send a message to:
** program-l-request@xxxxxxxxxxxxx
** and in the Subject line type
** unsubscribe
** For other list commands such as vacation mode, click on the
** immediately-following link:-
** [mailto:program-l-request@xxxxxxxxxxxxx?subject=faq]
** or send a message, to
** program-l-request@xxxxxxxxxxxxx with the Subject:- faq
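
The thread's question of what happens when a .wmf file's size fields lie, and how to read the structures from binary in the first place, is answered below with an added example that is not part of the original posts or of the quoted reference. It reads the 22-byte special header, the 18-byte metafile header and the record chain field by field from a byte buffer (so struct padding and endianness never matter), recomputes the XOR checksum, and checks every Size and FileSize value against the bytes actually present, rejecting the file instead of reading past the end. The sample file is constructed; the function number 0x0103 is assumed to be SetMapMode.

```c
/* Added example: bounds-checked reader for the WMF headers and record chain
 * described in the quoted reference.  Field layouts follow that reference;
 * the sample bytes are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WMF_PLACEABLE_KEY 0x9AC6CDD7u
#define WMF_PLACEABLE_LEN 22u
#define WMF_HEADER_LEN    18u

/* WMF is little-endian; read byte-wise so the code is portable. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* XOR of the first 10 WORDs of the special header (everything before Checksum). */
uint16_t wmf_placeable_checksum(const uint8_t *hdr)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < 10; i++)
        sum ^= rd16(hdr + 2 * i);
    return sum;
}

enum { WMF_E_SHORT = -1, WMF_E_CHECKSUM = -2, WMF_E_HEADER = -3,
       WMF_E_RECORD_TOO_LONG = -4, WMF_E_RECORD_TOO_SHORT = -5,
       WMF_E_NO_TERMINATOR = -6, WMF_E_RECORD_GT_MAX = -7 };

/* Walks the record chain without trusting any length from the file.
 * Returns the number of records (terminator included) or a WMF_E_* code. */
int wmf_walk_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    if (len >= 4 && rd32(buf) == WMF_PLACEABLE_KEY) {        /* optional 22-byte header */
        if (len < WMF_PLACEABLE_LEN) return WMF_E_SHORT;
        if (rd16(buf + 20) != wmf_placeable_checksum(buf)) return WMF_E_CHECKSUM;
        off = WMF_PLACEABLE_LEN;
    }
    if (len - off < WMF_HEADER_LEN) return WMF_E_SHORT;
    uint16_t file_type   = rd16(buf + off);
    uint16_t header_size = rd16(buf + off + 2);
    uint32_t file_words  = rd32(buf + off + 6);               /* FileSize, in WORDs */
    uint32_t max_words   = rd32(buf + off + 12);              /* MaxRecordSize, in WORDs */
    if ((file_type != 1 && file_type != 2) || header_size != 9) return WMF_E_HEADER;
    /* A FileSize larger than the buffer is exactly the "x values when there
     * were only n" case from the thread: reject it rather than read past the end. */
    if ((uint64_t)file_words * 2 > len - off) return WMF_E_HEADER;
    off += WMF_HEADER_LEN;

    int records = 0;
    while (len - off >= 6) {                                   /* Size + Function present */
        uint32_t size_words = rd32(buf + off);
        uint16_t function   = rd16(buf + off + 4);
        if (size_words < 3) return WMF_E_RECORD_TOO_SHORT;     /* minimum record is 3 WORDs */
        if ((uint64_t)size_words * 2 > len - off) return WMF_E_RECORD_TOO_LONG;
        if (size_words > max_words) return WMF_E_RECORD_GT_MAX; /* contradicts the header */
        records++;
        if (function == 0) return records;                     /* end-of-file record */
        off += (size_t)size_words * 2;
    }
    return WMF_E_NO_TERMINATOR;
}

/* Constructed sample: special header (1440 twips/inch, 100x100), metafile
 * header (FileSize 16 WORDs, MaxRecordSize 4), one record with function
 * 0x0103 (assumed SetMapMode) and parameter 8, then the terminator. */
static const uint8_t SAMPLE[] = {
    0xD7,0xCD,0xC6,0x9A, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x64,0x00, 0x64,0x00,
    0xA0,0x05, 0x00,0x00,0x00,0x00, 0xB1,0x52,            /* Checksum = 0x52B1 */
    0x01,0x00, 0x09,0x00, 0x00,0x03, 0x10,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x00,0x00,
    0x04,0x00,0x00,0x00, 0x03,0x01, 0x08,0x00,             /* record: 4 WORDs, fn 0x0103 */
    0x03,0x00,0x00,0x00, 0x00,0x00                         /* terminator: 3 WORDs, fn 0 */
};

/* Parse a copy of the sample with one byte overwritten, to show the rejections. */
static int walk_patched(size_t at, uint8_t value)
{
    uint8_t copy[sizeof SAMPLE];
    memcpy(copy, SAMPLE, sizeof copy);
    copy[at] = value;
    return wmf_walk_records(copy, sizeof copy);
}

int demo_valid(void)             { return wmf_walk_records(SAMPLE, sizeof SAMPLE); }
int demo_truncated(void)         { return wmf_walk_records(SAMPLE, 30); }
int demo_bad_checksum(void)      { return walk_patched(20, 0x00); }  /* checksum byte */
int demo_oversized_record(void)  { return walk_patched(41, 0x10); }  /* Size -> 0x1004 WORDs */
int demo_record_exceeds_max(void){ return walk_patched(40, 0x05); }  /* Size 5 > MaxRecordSize 4 */

int main(void)
{
    printf("valid file: %d records\n", demo_valid());
    printf("truncated: %d, bad checksum: %d, oversized record: %d, over max: %d\n",
           demo_truncated(), demo_bad_checksum(),
           demo_oversized_record(), demo_record_exceeds_max());
    return 0;
}
```

The point of reading field by field rather than casting the buffer to the struct is that the struct approach silently depends on compiler packing and host byte order, and gives no place to check a length before it is used; here every claimed size is compared against the bytes remaining before the offset moves, so a tampered Size or FileSize yields an error code rather than an out-of-bounds read.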
