From 58be84b3b8922d03b8afc9399a6a97c4983b94ed Mon Sep 17 00:00:00 2001 From: BrennerLittle <46569863+BrennerLittle@users.noreply.github.com> Date: Mon, 1 Apr 2019 09:55:03 -0500 Subject: [PATCH] Create microsoft_windows_contact_remote_code_execution.md added documentation --- ...t_windows_contact_remote_code_execution.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 documentation/modules/exploit/windows/fileformat/microsoft_windows_contact_remote_code_execution.md diff --git a/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact_remote_code_execution.md b/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact_remote_code_execution.md new file mode 100644 index 0000000000..9ba1c1520c --- /dev/null +++ b/documentation/modules/exploit/windows/fileformat/microsoft_windows_contact_remote_code_execution.md 
@@ -0,0 +1,30 @@ +## Description + +This module allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. +User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files node param which takes an expected website value, however if an attacker references an +executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user. +Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs. +Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys. +The "." chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory. +This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well. + +## Vulnerable Application + +Windows + + +## Verification Steps + +1. `./msfconsole` +2. `use exploit/windows/fileformat/` +3. `set lport ` +4. `set lhost ` +5. `exploit` + +## Scenarios + +### microsoft_windows_contact_remote_code_execution Tested on Windows 10.0.18282 + +``` +msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > exploit +[*] Creating 'John Smith.zip'
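Review bot: the Verification Steps in this hunk are not reproducible as written: step 2 reads `use exploit/windows/fileformat/` with no module name (it should name `microsoft_windows_contact_remote_code_execution`, which the Scenarios heading and the `msf5 exploit(...)` prompt already use), and steps 3 and 4 are `set lport ` and `set lhost ` with the values elided, so they should carry explicit placeholders (e.g. `set lhost <attacker ip>`) so a tester knows what to fill in. The Vulnerable Application section says only "Windows"; since the scenario was "Tested on Windows 10.0.18282", that version should be listed there, and the Description should cite the advisory or tracking identifier it calls "a duplicate issue that currently affects Windows .VCF files" so readers can find the original. Minor wording fixes in the Description: "the the files" has a doubled word, "utilitys" should be "utilities", "attackers supplied" and "attackers directory" need the possessive "attacker's", and the sentence "it will run that instead without warning instead of performing expected web navigation" repeats "instead". Finally, the Scenarios transcript ends at `[*] Creating 'John Smith.zip'`; the module's full output (the generated file path and the handler receiving the session) should be included so the documented behaviour can be checked against a real run.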