parent
e733d225b6
commit
58be84b3b8
|
@ -0,0 +1,30 @@
|
|||
## Description
|
||||
|
||||
This module allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
|
||||
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files <c:Url> node param which takes an expected website value, however if an attacker references an
|
||||
executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
|
||||
Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
|
||||
Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
|
||||
The "." chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
|
||||
This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
Windows
|
||||
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. `./msfconsole`
|
||||
2. `use exploit/windows/fileformat/`
|
||||
3. `set lport <lport>`
|
||||
4. `set lhost <lhost>`
|
||||
5. `exploit`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### microsoft_windows_contact_remote_code_execution Tested on Windows 10.0.18282
|
||||
|
||||
```
|
||||
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > exploit
|
||||
[*] Creating 'John Smith.zip'
|
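Review bot: Step 2 of Verification Steps reads `use exploit/windows/fileformat/` with no module name, so the steps cannot be followed as written; the Scenarios section shows the full path as windows/fileformat/microsoft_windows_contact_remote_code_execution, and step 2 should match it. The steps also stop at `exploit` without stating the expected result; a final step saying what the reader should see (the scenario output shows `[*] Creating 'John Smith.zip'`) would make this a verification procedure. In the Description, `<c:Url>` is written bare and may be swallowed as an HTML tag when the Markdown is rendered, so wrap it in backticks. The Description also has "the the", "utilitys", and "attackers" used where the possessive "attacker's" is meant. Vulnerable Application says only "Windows" while the scenario was tested on Windows 10.0.18282; name the affected or tested versions there. Finally, the scenario heading runs the module name and "Tested on Windows 10.0.18282" together and would read better split.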