Exploiting CVE-2015-2509 / MS15-100: Windows Media Center could allow remote code execution
Trend Micro blogged about it a few days ago. This vulnerability is related to the leaked Hacking Team emails. The issue is so trivial that exploitation is a piece of cake.
Based on the POC and description, we just need to create a simple .mcl file containing our executable path and presto, it works.
The caveat for this attack is that you cannot pass arguments such as cmd.exe /c ipconfig in the .mcl file. However, we can execute our payload externally via a UNC path served by a simple SMB server. The steps required:
1. Generate the evil payload exe
2. Set up an SMB listener
3. Create an MCL file that points to the evil payload.
4. Profit.
I use Impacket's SMB server to simulate the steps above. If you are a bit creative, you can use DLL hijacking to cloak the payload.
Better patch it up fast.
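From the defending side, the pattern the steps above rely on is a .mcl file whose launch target is a UNC path on a remote share rather than a local program. The following Python script is an added example, not code from the original post or from Trend Micro or Microsoft: it scans .mcl files for UNC path literals and flags those that point at an executable. The `<application run="...">` shape of the sample documents is an assumption about the MCL format; the detector itself only looks for UNC references in the file text, so it does not depend on that schema.

```python
import re
from pathlib import Path, PureWindowsPath

# UNC reference: two backslashes, a host label, a backslash, then the share and
# path up to whitespace, quotes or XML delimiters. Constructed pattern.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\"'<>]+")

# Suffixes the shell would hand to a loader for execution (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".cmd", ".scr", ".dll", ".vbs", ".ps1"}


def find_unc_references(text: str) -> list[str]:
    """Return every UNC path literal found anywhere in an .mcl document."""
    return UNC_RE.findall(text)


def is_executable_path(path: str) -> bool:
    """True when the referenced file carries a suffix that would be executed."""
    return PureWindowsPath(path).suffix.lower() in EXECUTABLE_SUFFIXES


def assess_mcl(text: str) -> tuple[str, list[str]]:
    """Classify an .mcl document's contents.

    Returns ("unc-executable", paths) when it points at an executable on a
    remote share, ("unc-reference", paths) for any other UNC path, and
    ("clean", []) when no UNC reference is present.
    """
    unc_paths = find_unc_references(text)
    executables = [p for p in unc_paths if is_executable_path(p)]
    if executables:
        return "unc-executable", executables
    if unc_paths:
        return "unc-reference", unc_paths
    return "clean", []


def scan_directory(root: str) -> dict[str, tuple[str, list[str]]]:
    """Assess every *.mcl file under root; only non-clean files are reported."""
    results = {}
    for mcl in Path(root).rglob("*.mcl"):
        text = mcl.read_text(encoding="utf-8", errors="replace")
        verdict, paths = assess_mcl(text)
        if verdict != "clean":
            results[str(mcl)] = (verdict, paths)
    return results


# Constructed sample documents (hostnames use the reserved example.test domain).
SAMPLE_CLEAN = '<application url="http://intranet.example.test/menu.aspx" />'
SAMPLE_SHARE_DOC = '<application run="\\\\fs01.example.test\\public\\guide.xml" />'
SAMPLE_UNC_EXE = '<application run="\\\\fs01.example.test\\share\\update.exe" />'

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_CLEAN),
                       ("share document", SAMPLE_SHARE_DOC),
                       ("share executable", SAMPLE_UNC_EXE)):
        verdict, paths = assess_mcl(doc)
        print(f"{label:18} -> {verdict} {paths}")
```

Point `scan_directory` at a download or mail-attachment quarantine folder to triage .mcl files before anyone opens them; a hit on an executable share path is exactly the delivery pattern the steps above describe. Blocking outbound SMB (TCP 445) at the network edge also breaks the externally hosted payload step, since the Media Center host can no longer reach a share outside the network.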
Source: https://technet.microsoft.com/en-us/library/security/ms15-100