Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption exploit

Microsoft CorporationThe CSIS Security Group found (credit correction - see the update below) a 0day exploit in-the-wild that exploit a vulnerability within Microsoft DirectShow (msvidctl.dll) in the way it handles MPEG-2 files.

The exploit found is used to preform drive-by attacks via compromised Chinese web sites.
Original exploit (as it is in-the-wild) can be found here (shellcode changed to execute calc.exe) - aa.rar.
You can read the translated post here or read this post from ISC diary.

Here’s a Metasploit exploit module I wrote that exploit this vulnerability.
Tested successfully on the following platforms (fully patched 06/07/09):
- Internet Explorer 6, Windows XP SP2
- Internet Explorer 7, Windows XP SP3

Download msvidctl_mpeg2.rb.
Also on Metasploit.

Also, if you want to test this vulnerability manually, here’s a little Ruby script I wrote that build GIF files to trigger the vulnerability:
Download msvidctl_gif.rb.

This is the second exploit found in-the-wild in the past month that exploit a vulnerability in Microsoft DirectShow. In June, an exploit was found in-the-wild that exploit a vulnerability in DirectShow QuickTime Movie Parser Filter (quartz.dll). Liam O Murchu of Symantec wrote an analysis for this exploit here:
DirectShow Exploit In the Wild
DirectShow Exploit In the Wild, Part II

This post will update with additional updates about this vulnerability.

Metasploit msvidctl_mpeg2

msvidctl_mpeg2 from 4xteam on Vimeo.