Friday, September 11, 2015

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution

Trend Micro blog about it few days ago.  This vulnerability is related to Hacking Team leaked email addresses . The issue is so trival that exploitation is a piece of cake.


Source: https://technet.microsoft.com/en-us/library/security/ms15-100



Based on POC  and description we just need to create a simple mcl file contains our executable path and preso it works.


The caveat for this attack is that you cannot passed an argument such as cmd.exe /c ipconfig  in the mcl file. However we can execute our payload externally via UNC PATH provided by a simple SMB Server. The steps required.

1. Generate evil payload exe
2. Setup a SMB Listener
3. Create MCL file that points to evil payload.
4. Profits.

I use Impacket SMB Server to simulate the steps above. If you are a bit creative, we can use DLL Hijacking  Method to cloak our payload .



Better patch it up fast.