Tuesday, July 7, 2009

Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption - Metasploit exploit module

The exploit found is used to perform drive-by attacks via compromised Chinese web sites.
The original exploit (as seen in the wild) can be found here (shellcode changed to execute calc.exe) - aa.rar.
You can read the translated post here or read this post from the ISC diary.

Here’s a Metasploit exploit module I wrote that exploits this vulnerability.
Tested successfully on the following platforms (fully patched 06/07/09):

- Internet Explorer 6, Windows XP SP2
- Internet Explorer 7, Windows XP SP3

Download msvidctl_mpeg2.rb.

Also, if you want to test this vulnerability manually, here’s a little Ruby script I wrote that builds GIF files to trigger the vulnerability:
Download msvidctl_gif.rb.

Source rec-sec.com
