Question:
In September 2015, Microsoft released MS15-100 (CVE-2015-2509) to address a remote code execution vulnerability in Windows Media Center. The vulnerability was discovered due to leaked emails from a 2015 data breach. As a member of the information security team, you need to identify vulnerable company computers and, if necessary, apply the appropriate mitigation measures.
Verify Vulnerabilities
Scenario I
Your company needs this threat mitigated as soon as possible. Therefore, your goals are to identify vulnerabilities in our own systems and then validate those vulnerabilities against our systems (if applicable).
1. Read up on the CVE information to determine which company machines are vulnerable to the exploit.
Note: The login for the Windows 7 machine is the username administrator and the password P@ssw0rd.
Note: The login for the Windows Server 2012 machine is the username Administrator and the password P@ssword.
Note: The login for the Kali machine is the username root and the password toor.
2. After reading the CVE reports, you discovered a potentially vulnerable machine. Log in to the Windows 7 machine and use the command line to determine its Service Pack information.
3. Realizing Windows 7 SP1 is vulnerable, validate the Media Center Link (MCL) vulnerability. To do so, make an MCL file on the Desktop utilizing the application element to run calc.exe. Save this file as poctest.mcl. Then, verify the calculator (calc.exe) opens up correctly and play around with it to verify the application is working.
4. There is a legitimate calc.exe application on the Kali Desktop. Use it as a template to make a malicious calculator executable using msfvenom from the command line. Output the file to the Desktop as poccalc.exe.
Note: The payload should generate a reverse windows meterpreter shell using the HTTPS port.
5. The reverse shell you created needs something to bind to. Add to the handler.rc file in /root/ so it uses a multi/handler with a reverse_tcp payload. Then, run the file to begin the payload handler.
6. Figure out a way to move the poccalc.exe file onto the Windows machine and place it on the Desktop.
7. Run the .mcl file again (after making appropriate modifications) and go back to your Kali box to verify the reverse shell's generation. If successful, run the sysinfo command through the meterpreter shell.
Mitigate the Vulnerability
Scenario II
After verifying the machine is vulnerable and successfully exploiting the Windows machine, install the updates to patch the vulnerability.
1. One way to mitigate the issue is to prevent .mcl links from executing. Log in to the Windows Server machine and edit the Comtech Domain Policy and Default Domain Policy Computer Configuration settings to forbid Media Center Live from launching.
2. After updating the Group Policy settings, refresh the Windows 7 machine's group policies using a command prompt to sync the changes.
3. Rerun the handler and .mcl file to verify you have successfully mitigated the vulnerability.
4. Lastly, check other Windows 7 functionalities and applications to verify the update did not impact other system components.
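The lab's PoC (Scenario I, step 3) and its mitigation check (Scenario II, step 3) both hinge on an .mcl file whose application element launches a program. The following scanner, added here as a defensive example and not part of the lab materials, flags such files so an analyst can find them on shares or in mail attachments; the sample MCL documents are constructed, and the attribute names (run, url) are assumptions about the format used for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample MCL documents (not taken from the lab page).
# Assumption: an <application> element's "run" attribute launches a local
# program, while "url" points Media Center at web content.
BENIGN_MCL = '<application url="http://intranet.example/tv" name="TV Guide" />'
SUSPICIOUS_MCL = '<application run="C:\\Windows\\System32\\calc.exe" name="poc" />'
BROKEN_MCL = '<application run="notepad.exe"'   # truncated XML; will not parse


def scan_mcl(text: str) -> List[str]:
    """Return a list of findings for one MCL document; an empty list means clean."""
    findings: List[str] = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Malformed XML still deserves a look: lenient parsers may accept it.
        return [f"unparsable MCL ({exc}); inspect manually"]
    # The root may itself be <application>, or may contain nested ones.
    elems = [root] if root.tag == "application" else []
    elems += root.findall(".//application")
    for el in elems:
        run = el.get("run")
        if run:
            findings.append(f"application element launches a program: {run}")
        url = el.get("url") or ""
        if url.lower().startswith("file:"):
            findings.append(f"application element references a local file URL: {url}")
    return findings


def scan_files(docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of filename -> MCL text; return only files with findings."""
    results: Dict[str, List[str]] = {}
    for name, text in docs.items():
        findings = scan_mcl(text)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    hits = scan_files({"guide.mcl": BENIGN_MCL,
                       "poctest.mcl": SUSPICIOUS_MCL,
                       "cut.mcl": BROKEN_MCL})
    for name, findings in hits.items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a real host, feed the function the contents of every *.mcl file found on user Desktops and shares; any file that launches a program should be quarantined and the Group Policy restriction from Scenario II confirmed on that machine.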