module
MS12-004 midiOutPlayNextPolyEvent Heap Overflow
| Disclosed | Created |
|---|---|
| Jan 10, 2012 | May 30, 2018 |
Disclosed
Jan 10, 2012
Created
May 30, 2018
Description
This module exploits a heap overflow vulnerability in the Windows Multimedia
Library (winmm.dll). The vulnerability occurs when parsing specially crafted
MIDI files. Remote code execution can be achieved by using the Windows Media Player
ActiveX control.
Exploitation is done by supplying a specially crafted MIDI file with
specific events, causing the offset calculation being higher than what is
available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing
us to either "inc al" or "dec al" a byte. This can be used to corrupt an array
(CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,
which leverages remote code execution under the context of the user.
Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,
if you know your target's patch level, you may also try the 'MSHTML' advanced
option for an info leak based attack. Currently, this module only supports two
MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.
Or 8.0.6001.19120, which is patch level before the MS12-004 fix.
Also, based on our testing, the vulnerability does not seem to trigger when
the victim machine is operated via rdesktop.
Library (winmm.dll). The vulnerability occurs when parsing specially crafted
MIDI files. Remote code execution can be achieved by using the Windows Media Player
ActiveX control.
Exploitation is done by supplying a specially crafted MIDI file with
specific events, causing the offset calculation being higher than what is
available on the heap (0x400 allocated by WINMM!winmmAlloc), and then allowing
us to either "inc al" or "dec al" a byte. This can be used to corrupt an array
(CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,
which leverages remote code execution under the context of the user.
Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,
if you know your target's patch level, you may also try the 'MSHTML' advanced
option for an info leak based attack. Currently, this module only supports two
MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.
Or 8.0.6001.19120, which is patch level before the MS12-004 fix.
Also, based on our testing, the vulnerability does not seem to trigger when
the victim machine is operated via rdesktop.
Authors
Shane Garrett
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.