Exploiting MS15-100 Vulnerability (CVE-2015-2509)
In this article we will learn about Exploiting MS15-100 Vulnerability.
Introduction
This article explains how to get a shell back using MS15-100. MS15-100 is a remote code execution vulnerability in Windows Media Center. It is caused by Media Center application link files not being handled correctly: a specially crafted Media Center Link file, when opened with Windows Media Center, leads to code execution. This can provide an attacker with a reverse shell.
According to Microsoft: “This vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less affected than those operating with administrative user rights.”
Setup
Below is the setup I used to write this article.
VirtualBox:
- Kali Linux running inside a VirtualBox VM
- A Windows 7 PC running inside a VirtualBox VM
- Kali and Windows 7 are linked with a “Host Only Adapter”.
Vulnerability testing
To test the vulnerability, simply open Notepad on a Windows computer and type the following:
Save this file with a “.mcl” extension, which represents a Media Center Link file.

For those who would rather not type it by hand, a Python script is available on exploit-db that creates this POC file simply by running the script.
Here are the details:
The Python script is available at the following link.
https://www.exploit-db.com/exploits/38151/
We can run this script to generate a Music.mcl file. It contains the same file content that we entered in Notepad earlier.

Now, run this file. We should see a calculator popping up as shown below.

Figure: running calc.mcl
Popping a shell
Regarding the exploit, Microsoft says: “In order to exploit this vulnerability, an attacker would have to trick the user into installing the .mcl file on the local computer. Malicious code referenced by the .mcl file could then be executed from a location controlled by the attacker”.
Below are the steps to successfully exploit this vulnerability:
- An attacker must create a malicious executable.
- This executable must be reachable via a UNC path that the malicious .mcl file references.
- Create the malicious “.mcl” file and send it to the victim.
- Set up a listener.
- Get the shell when the victim opens the “.mcl” file.
Therefore, we must first create a malicious file on the attacking computer, and it must be accessible via a UNC path so that our malicious .mcl file can download it and provide us with a reverse shell when executed.
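From the defender's side, the two characteristics this article relies on (a Media Center Link file that references an executable, as in the calc.exe proof of concept above, and one that references a remote location over a UNC path, as in the exploit steps) are exactly what a file scanner can look for. The following is an added example, not code from the original article, the exploit-db script, or the Metasploit module. It assumes that an .mcl file is a small XML document (which is how the public PoC and module treat it) and inspects every attribute value, so it does not depend on any particular attribute name; the sample file bodies and the attribute names in them are constructed for this example and are not copied from the PoC.

```python
"""
Defender-side scanner for Media Center Link (.mcl) files.

Added example (not part of the original article). Assumptions:
  * an .mcl file is a small XML document;
  * any attribute value that is a UNC path or ends in an executable
    extension is worth flagging, whatever the attribute is called.
"""
import os
import re
import xml.etree.ElementTree as ET

# A UNC path: two leading backslashes, a host name, another backslash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")

# Extensions that Windows will execute if referenced from a link file.
EXE_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr", ".com")

# Constructed sample bodies. Attribute names are illustrative only and are
# not taken from the public PoC or the Metasploit module.
SAMPLE_BENIGN = '<application title="Photo viewer" url="http://localhost/photos/" />'
SAMPLE_LOCAL_EXE = '<application title="Calc" target="calc.exe" />'
SAMPLE_UNC = '<application title="Music" target="\\\\10.0.0.5\\share\\payload.exe" />'


def scan_mcl(text: str) -> list:
    """Return a list of human-readable findings for one .mcl document.

    An empty list means nothing suspicious was found. A document that does
    not parse as XML is reported as a finding too, because a malformed
    file handed to a privileged parser is itself worth a look.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            v = value.strip()
            where = f"<{elem.tag} {attr}=...>"
            if UNC_RE.match(v):
                # Remote code reference: the file would make Media Center
                # fetch something from another host.
                findings.append(f"{where}: UNC path {v!r} (remote code reference)")
            elif v.lower().endswith(EXE_EXT):
                # Local executable reference, as in the calc.exe PoC.
                findings.append(f"{where}: executable reference {v!r}")
    return findings


def scan_directory(path: str) -> dict:
    """Walk `path` and return {file_path: findings} for every .mcl file
    that produced at least one finding."""
    results = {}
    for dirpath, _, filenames in os.walk(path):
        for name in filenames:
            if not name.lower().endswith(".mcl"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                findings = scan_mcl(fh.read())
            if findings:
                results[full] = findings
    return results


if __name__ == "__main__":
    # Run over the constructed samples so the script is useful stand-alone.
    for label, body in (("benign", SAMPLE_BENIGN),
                        ("local exe", SAMPLE_LOCAL_EXE),
                        ("unc", SAMPLE_UNC)):
        print(label, "->", scan_mcl(body) or "clean")
```

Pointing `scan_directory` at a user's Downloads folder or a mail attachment quarantine gives a quick triage of link files received before anyone opens them; the UNC check is the higher-signal one, since a link file that legitimately needs to pull code from another host is rare.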
Note: The malicious executable that provides us with a reverse shell was created using the “windows/shell_reverse_tcp” payload by msfvenom with 443 as the listening port.
I also created an SMB share on my attacking machine.
Below is the final “exploit.mcl” file that can be passed to the victim.

We need to deliver this exploit.mcl file to the victim somehow and convince them to open it.
Set up a Netcat listener on port 443, since the payload was created with this port.

Figure: Netcat listening on port 443
Once everything is set, open up the exploit.mcl file as shown below.

Figure: running exploit.mcl file
We should get a reverse shell on the Windows machine as shown below.

Figure: reverse shell obtained using netcat listener
The shell we got will have the same rights as the user logged in. In my case, “Administrator” 😉
Instead of Netcat, we can use any other listener of our choice. If you are a Metasploit lover, here are the steps for you.

Figure: reverse shell obtained using Metasploit listener
If you are worried about Netcat’s clear text transmissions, here is an ncat listener for you.

Figure: reverse shell obtained using the ncat listener
To automate the whole process, Metasploit has also released a module for this, which is available at the following links.
https://www.exploit-db.com/exploits/38195/
http://www.rapid7.com/db/modules/exploit/windows/fileformat/ms15_100_mcl_exe
References:
https://technet.microsoft.com/en-us/library/security/ms15-100.aspx#KBArticle
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2509