All About HackingBlackhat Hacking ToolsFree CoursesHacking

Exploiting MS15-100 Vulnerability (CVE-2015-2509)

In this article we will learn about Exploiting MS15-100 Vulnerability.

Introduction[Exploiting MS15-100 Vulnerability]

This article explains how to get a shellback using MS15-100. MS15-100 is a remote code execution vulnerability in Windows Media Center. This vulnerability is caused by Media Center application link files not being handled correctly. We can create a special Media Center Link file and run it with Windows Media Center to achieve code execution. This can provide an attacker with a reverse shell.

According to Microsoft: “This vulnerability could allow remote code execution if Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less affected than those operating with administrative user rights.”

Related article:The Hacker Methodology 2023


Below is the setup I used to write this article.


  • Kali Linux running inside a virtual box
  • A Windows 7 PC running inside a virtual box
  • Kali and Windows 7 are linked with “Host Only Adapter”.

Vulnerability testing

To test the vulnerability, simply open Notepad on a Windows computer and type the following:

Save this file with a “.mcl” extension, which represents a Media Center Link file.

Figure: file created with the name “calc.mcl”

For these lazy bugs, a Python script has been made available on exploit-db that will create this POC file by simply running the script.

Here are the details:

The Python script is available at the following link.

We can run this script to generate a Music.mcl file. It contains the same file content that we entered in notepad earlier.

Now, run this file. We should see a calculator popping up as shown below.

Figure: running calc.mcl

Popping a shell

Regarding the exploit, Microsoft says: “In order to exploit this vulnerability, an attacker would have to trick the user into installing the .mcl file on the local computer. Malicious code referenced by the .mcl file could then be executed from a location controlled by the attacker”.

Below are the steps to successfully exploit this vulnerability:

  • An attacker must create a malicious executable.
  • This file must be made available for download via a malicious mcl file using a UNC path.
  • Create a malicious “.mcl” file and send it to the victim.
  • Set listeners.
  • Get the shell when the victim opens the “.mcl” file.

Therefore, we must first create a malicious file on the attacking computer and it must be accessible via a UNC path so that our malicious mcl file can download it and provide us with a reverse shell when executed.

Note: The malicious executable that provides us with a reverse shell was created using the “windows/shell_reverse_tcp” payload by msfvenom with 443 as the listening port.

I also created an SMB share on my attacking machine.

Below is the final “exploit.mcl” file that can be passed to the victim.

We need to pass this exploit.mcl file to the victim somehow and convince him to open it.

Set up a Netcat listener on port 443 since payload was created using this port.

Figure: Netcat listening on port 443

Once everything is set, open up the exploit.mcl file as shown below.

Figure: running exploit.mcl file

We should get reverse shell on the Windows Machine as shown below.

Figure: reverse shell obtained using netcat listener

The shell we got will have the same rights as the user logged in. In my case, “Administrator” 😉

Instead of Netcat, we can use any other listener of your choice. If you are Metasploit lover, here are the steps for you.

Figure: reverse shell obtained using Metasploit listener

If you are worried about Netcat’s clear text transmissions, here is an ncat listener for you.

Figure: reverse shell obtained using the ncat listener

To automate the whole process, Metasploit also has released a module for this, which is available at the following links.


All About Carding, Spamming , And Blackhat hacking contact now on telegram : @blackhatpakistan_Admin

Blackhat Pakistan:

Subscribe to our Youtube Channel Blackhat Pakistan. check our latest spamming course 2023 Learn from BLACKHATPAKISTAN and get master

Leave a Reply

Your email address will not be published. Required fields are marked *