Trend Micro blog about itfew days ago.  This vulnerability is related to Hacking Team leaked email addresses . The issue is so trival that exploitation is a piece of cake.

 
Source: https://technet.microsoft.com/en-us/library/security/ms15-100
 
 

Based on POC  and description we just need to create a simple mcl file contains our executable path and preso it works.

The caveat for this attack is that you cannot passed an argument such as cmd.exe /c ipconfig  in the mcl file. However we can execute our payload externally via UNC PATH provided by a simple SMB Server. The steps required.

1. Generate evil payload exe
2. Setup a SMB Listener
3. Create MCL file that points to evil payload.
4. Profits.

I use Impacket SMB Server to simulate the steps above. If you are a bit creative, we can use DLL Hijacking  Method to cloak our payload .

Better patch it up fast.

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution的更多相关文章

  1. Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution

    EDB-ID: 41929 Author: vportal Published: 2017-04-25 CVE: N/A Type: Remote Platform: Windows Aliases: ...

  2. [EXP]Microsoft Windows MSHTML Engine - "Edit" Remote Code Execution

    # Exploit Title: Microsoft Windows (CVE-2019-0541) MSHTML Engine "Edit" Remote Code Execut ...

  3. 实战Windows 7的Windows Media Center

    简介 本文讲述如何通过Windows 7的Windows Media Center搭建强劲的综合娱乐电视系统,同时讲述Windows Media Center的实际使用感受,以及如何通过Windows ...

  4. 使用 Windows Media Center 远程控制

    http://windows.microsoft.com/en-us/windows/getting-started-windows-media-center#getting-started-wind ...

  5. 在 Windows Media Center 中观看电视

    如果计算机具备了必要的硬件,则可以在电脑上使用 Windows Media Center 观看.暂停和快退直播的电视节目及录制的电视节目. 通过 Windows Media Center 观看直播电视 ...

  6. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  7. [EXP]Microsoft Windows CONTACT - Remote Code Execution

    [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3 ...

  8. win7自带windows media player 已停止工作

    解决方法如下: 在计算机开始,菜单找到控制面板 ,然后打开程序和功能,选择打开或关闭window功能,媒体功能.再取消windows Media Center Windows MediaPlayer选 ...

  9. 使用 Media Center 遥控器(Windows Vista Premium)

    本文适用于安装了 Windows Vista Premium 并附带遥控器的 HP 和 Compaq 台式电脑. 本文简要介绍了三种Windows Media Center 遥控器上每个按钮的功能. ...

随机推荐

  1. SPOJ705 SUBST1 - New Distinct Substrings(后缀数组)

    给一个字符串求有多少个不相同子串. 每一个子串一定都是某一个后缀的前缀.由此可以推断出总共有(1+n)*n/2个子串,那么下面的任务就是找这些子串中重复的子串. 在后缀数组中后缀都是排完序的,从sa[ ...

  2. POJ 2109 Inner Vertices(扫描线+树状数组)

    [题目链接] http://poj.org/problem?id=3109 [题目大意] 在一个棋盘上放满白子,现在把一些白子变成黑子, 如果一个白子上下左右都有黑子,就会变成黑子,问最终黑子个数 [ ...

  3. [CC-CHANOQ]Chef and odd queries

    题目大意: 给定$n(10^5)$个线段$[l_i,r_i](1\leq l_i,r_i\leq n)$,有$q(q\leq10^5)$组询问,每次给出$m_i(\sum m_i\leq n)$个点$ ...

  4. tld自定义标签系列--使用body-content的作用--比较有用

    body-content的值有下面4种: <xsd:enumeration value="tagdependent"/> <xsd:enumeration val ...

  5. VMware给虚拟机绑定物理网卡

    前言: 桥接模式:就是使用真实的IP地址 NAT模式:使用以VMnet 8所指定的子网中分配的IP地址,在外网信息交互中不存在这样的IP. 仅主机模式:仅用于虚拟机与真机之间的信息交互. 操作步骤: ...

  6. 有关奇葩的mex编程时的matlab出现栈内存错误的问题

    错误提示信息 (ntdll.dll) (MATLAB.exe中)处有未经处理的异常:0xC0000374:堆已损坏 该错误的表现是,matlab调用.mexw64函数时,第一次调用正常,第二次调用出现 ...

  7. Using ASIHTTPRequest in an iOS project

    1) Add the files Copy the files you need to your project folder, and add them to your Xcode project. ...

  8. FragmentTransaction的commit的异步操作

    FragmentTransaction是异步的,commit()仅是相当于把操作加入到FragmentManager的队列,然后FragmentManager会在某一个时刻来执行,并不是立即执行.所以 ...

  9. ArcGIS Viewer for Flex中引入google map作底图 (转)

    在ArcGIS Viewer for Flex开发中,经常需要用到google map作为底图,我们不能通过ArcGIS Viewer for Flex - Application Builder轻易 ...

  10. XShell命令行使用

    1.建立连接: 2.查看总体目录: 3.查看对应服务目录: 4.删除对应jar包后,再查看目录下文件: 5.上传对应的jar文件: 6.重启服务 7.查看服务日志: 8.mv old-name new ...