Reverse Shell and Windows Media Center Remote Code Execution Vulnerability (CVE-2015-2509) Exploitation
In this article, we briefly introduce reverse shells and the Windows Media Center vulnerability (CVE-2015-2509), and then walk through how this vulnerability is exploited.
0x01 Reverse shell
The shell is no stranger to anyone: it is nothing more than a command-line interface. Classified by platform, shells fall into roughly two categories: web-level and system-level. There are also two types of connection: active and passive. The active connection is the bind shell, and the passive connection is the reverse shell, which is the one discussed in this article.
Next, the difference between active and passive connections. With a bind shell, the shell is bound to a port on the local machine, so that anyone on the local network can connect and send commands. With a reverse shell, the remote computer sends its shell to a specific user instead of binding the shell to a port. Reverse shells become very useful when the remote machine sits behind a firewall or a similar device.
Often, after attackers break into a server, they set up a reverse shell so that they can easily access the remote computer again later; in other words, they leave a backdoor.
0x02 The CVE-2015-2509 vulnerability
This vulnerability was found in Windows Media Center. Microsoft describes the vulnerability as follows:
· If Windows Media Center opens a specially designed Media Center link (.mcl) file that references malicious code, this vulnerability may allow remote code execution. Attackers who successfully exploit this vulnerability can obtain the same user permissions as the current user. Compared with customers with administrative user permissions, users with accounts configured with fewer system user permissions are less affected.
· To exploit this vulnerability, attackers must trick users into installing the .mcl file on their local computers. Then, malicious code referenced by the .mcl file may be executed from a location controlled by attackers. This security update fixes this vulnerability by correcting the Media Center link file.
Now, we will introduce how to exploit this vulnerability.
0x03 Build a vulnerability exploitation environment
The following are some necessary tools used in this article:
• VirtualBox
• Kali Linux running in VirtualBox
• Windows 7 running in VirtualBox
Note that when connecting Kali and Windows 7, select "Host Only Adapter" as the connection method.
0x04 Test the vulnerability
To test the vulnerability, open the Notepad program on Windows and enter the following content:
run="c:\windows\system32\calc.exe">
Then save the file. Note that the extension must be .mcl, that is, the file type is Media Center link (.mcl).
Figure 1: create a file named calc.mcl
For lazy people like the author, another effort-saving method is to download the corresponding Python script from exploit-db and run it to get the PoC file. Now let's talk about the specific steps.
This Python script is: https://www.exploit-db.com/exploits/38151/
If you run this script, a file named Music.mcl is generated, and its content is the same as the one we created in Notepad.
Figure 2: Create a Music.mcl file using a Python script
Now let's run this file. A calculator pops up immediately, as shown in Figure 3.
Figure 3: Run calc.mcl
0x05 Popping a shell
Next, we will introduce how to exploit this vulnerability. According to Microsoft, to exploit this vulnerability, attackers must trick users into installing the .mcl file on a local computer. Then, malicious code referenced by the .mcl file may be executed from a location controlled by attackers.
This is the procedure required to successfully exploit this vulnerability:
1. Attackers must create a malicious executable file;
2. This file must be downloadable by the malicious .mcl file through a UNC path;
3. Create a malicious .mcl file and send it to the victim;
4. Create a listener;
5. When the victim opens the .mcl file, we will get a shell.
Therefore, the first thing we need to do is create a malicious file on our machine and make it accessible through a UNC path. That way, the file can be downloaded by our malicious .mcl file, and it returns a reverse shell when it is executed.
Note that to create a malicious executable file that returns a reverse shell, we can use msfvenom's "windows/shell_reverse_tcp" payload, configured to use port 443.
In addition, I created an SMB shared file on my machine (the one used to launch the attack).
The final version of the exploit.mcl file to be passed to the victim is shown below.
We need to send this exploit.mcl to the victim and find a way to get the file opened.
Configure Netcat to listen on port 443, because this is the port used by our payload.
Figure 4: Netcat listening on port 443
After completing the preceding steps, open the exploit.mcl file, as shown in Figure 5.
Figure 5: run the exploit.mcl file
In this way, we get a reverse shell from our Windows system, as shown in Figure 6.
Figure 6: reverse shell
The shell obtained has permissions equivalent to Administrator.
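From the defender's side, both file forms used in this walkthrough (a run value pointing at a local program, and one pointing at a UNC path) can be flagged before a user opens the file. The sketch below is an added example, not code from the original article or from the exploit-db script; the extension list, the severity labels and the sample values are assumptions.

```python
import re

# Any run="..." / run='...' attribute, whatever element carries it.
RUN_ATTR = re.compile(r"""\brun\s*=\s*(["'])(.*?)\1""", re.IGNORECASE | re.DOTALL)
# Heuristic list of directly runnable file types (assumption, extend as needed).
EXEC_EXT = re.compile(r"\.(exe|com|scr|bat|cmd|pif|msi|ps1|vbs|js|hta)\b", re.IGNORECASE)
# Severity labels are this example's own convention.
SEVERITY = {"remote-unc": "high", "local-executable": "medium", "other": "info"}

def decode_mcl(raw: bytes) -> str:
    """Decode file bytes, honouring a UTF-16 BOM so re-encoding cannot hide run=."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def classify_target(target: str) -> str:
    """Classify one run= value by where the referenced program lives."""
    t = target.strip().replace("/", "\\")  # //host/share is accepted as UNC too
    if t.startswith("\\\\"):
        return "remote-unc"
    if EXEC_EXT.search(t):
        return "local-executable"
    return "other"

def scan_mcl(raw: bytes):
    """Return (severity, kind, target) for every run= attribute in the file."""
    findings = []
    for match in RUN_ATTR.finditer(decode_mcl(raw)):
        target = match.group(2)
        kind = classify_target(target)
        findings.append((SEVERITY[kind], kind, target))
    return findings

# Constructed samples in the fragment form shown in section 0x04; 192.0.2.10 is a
# documentation address and tool.exe a placeholder name.
SAMPLE_LOCAL = rb'run="c:\windows\system32\calc.exe">'
SAMPLE_UNC = r'run="\\192.0.2.10\share\tool.exe">'.encode("utf-16")

if __name__ == "__main__":
    for name, raw in (("calc.mcl", SAMPLE_LOCAL), ("utf16.mcl", SAMPLE_UNC)):
        for severity, kind, target in scan_mcl(raw):
            print(f"{name}: [{severity}] {kind} -> {target}")
```

Run over a mail gateway's attachment store or a download directory, a "high" finding means the file would fetch and start a program from a remote share when opened on an unpatched system.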
In addition to Netcat, we can also use any other listener, which depends on your own preferences. If you like Metasploit, follow these steps.
Figure 7: reverse shell received by the Metasploit listener
If you do not like Netcat's plaintext communication method, you can choose to use ncat.
Figure 8: reverse shell received by the ncat listener
To automate the entire process, Metasploit provides a dedicated module, as shown below:
https://www.exploit-db.com/exploits/38195/
http://www.rapid7.com/db/modules/exploit/windows/fileformat/ms15_100_mcl_exe