# Exploit Title:  Microsoft Windows 'VCF' or 'Contact' File URL Manipulation Arbitrary Code Execution Vulnerability -- Remote!

# Google Dork: N/A

# Date: January, 21 2019

# Exploit Author:  Eduardo Braun Prado

# Vendor Homepage: http://www.microsoft.com/

# Software Link: http://www.microsoft.com/

# Version: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019, both x86 and x64 architectures.

# Tested on: Windows 7 SP1, 8.1, 10 v.1809 with full patches up to January 2019, both x86 and x64 architectures.

# CVE : n/a


Important note: password for the ZIP archive is: poc


** special thanks: Hyp3rlinx (aka John Page) **


The MS Windows 'Wab.exe' application has two flaws when parsing hyperlinks embedded in VCF and Contact files:

1) The application misinterprets specially crafted hyperlinks: instead of passing the URL to the default browser or to the default
program for the URL's protocol, it searches for files in its working directory. Because the program responsible for handling 'VCF' and 'Contact'
files (wab.exe) is started in the folder where the opened file resides, whether local or remote (via SMB/WebDAV shares), it is possible to trick it
into looking up arbitrary files named in the hyperlink from the same directory (or a subdirectory) as the crafted 'VCF' or 'Contact' file.

2) The application allows the hyperlink displayed to the user to be manipulated so that it looks innocent (see the 3 pictures provided). On Windows 7 the issue is slightly more serious
because it allows a hyperlink to be written that in no way looks suspicious or malicious; on Windows 8.1 and 10 (latest release) it still allows an innocent-looking link to be displayed,
because the last file extension is never shown:

code portion:  <c:Value>www.microsoft.com/en-us/msrc                                                                                                                                                                                            \..\..\..\aaaaaaaaa\poc.lnk</c:Value>

So, by combining the main vulnerability found by my friend Hyp3rlinx with the URL manipulation weakness I found and the remote vector (so that users don't need to download archives, extract internal files, etc.),
it's possible to run arbitrary code simply by interacting with a crafted 'VCF' or 'Contact' file placed on a WebDAV or SMB share.
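As an added defensive example (not part of this advisory): a small Python scanner that flags hyperlink values in '.contact' (XML) and VCF files showing the indicators described above, a directory traversal sequence and a long whitespace run that pushes the real target out of the visible link, plus a file extension the shell would execute. The sample files and the XML namespace URI are constructed placeholders, not the real Contact schema.

```python
import re
import xml.etree.ElementTree as ET

# Directory traversal in either slash style, anywhere in the link value.
TRAVERSAL_RE = re.compile(r'[\\/]\.\.[\\/]')
# Long whitespace run: the padding that pushes the real target out of the visible link.
PADDING_RE = re.compile(r'\s{8,}')
# Link ends in a file type the shell would execute instead of opening a browser.
SUSPECT_EXT_RE = re.compile(r'\.(lnk|cpl|dll|exe|scr|bat|cmd|js|vbs|hta)\s*$', re.I)

def classify_link(value):
    """Return the indicators found in one hyperlink value ([] when none)."""
    findings = []
    if TRAVERSAL_RE.search(value):
        findings.append('path-traversal')
    if PADDING_RE.search(value):
        findings.append('whitespace-padding')
    if SUSPECT_EXT_RE.search(value):
        findings.append('executable-target')
    return findings

def scan_contact_xml(xml_text):
    """Scan a .contact document; every <Value> element is checked, namespace ignored."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.rsplit('}', 1)[-1] == 'Value' and elem.text:
            findings = classify_link(elem.text)
            if findings:
                hits.append((' '.join(elem.text.split()), findings))
    return hits

def scan_vcf(vcf_text):
    """Scan a vCard; every URL property, with or without parameters, is checked."""
    hits = []
    for line in vcf_text.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.split(';')[0].strip().upper() == 'URL':
            findings = classify_link(value)
            if findings:
                hits.append((' '.join(value.split()), findings))
    return hits

# Constructed samples (the namespace URI is a placeholder, not the real Contact schema).
SAMPLE_CONTACT = ('<c:contact xmlns:c="urn:example:contact"><c:UrlCollection><c:Url><c:Value>'
                  + 'www.microsoft.com/en-us/msrc' + ' ' * 120 + r'\..\..\..\aaaaaaaaa\poc.lnk'
                  + '</c:Value></c:Url></c:UrlCollection></c:contact>')
SAMPLE_VCF = ('BEGIN:VCARD\nVERSION:2.1\nURL;TYPE=WORK:https://www.microsoft.com/en-us/msrc\n'
              + 'URL:www.microsoft.com/en-us/msrc' + ' ' * 120 + r'\..\x\poc.cpl' + '\nEND:VCARD')
```

Run `scan_contact_xml` and `scan_vcf` over files pulled from a share or mail gateway; a non-empty result is worth an alert, while a plain `https://` link produces none.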


==Instructions==


1) Create an anonymously accessible share on the machine that will act as the server.
You may wish to create a subfolder to place the 'Contact' files and the directories containing the files that will run arbitrary code.

2) Using a hex editor, edit the file 'poc.lnk_' located in the 'aaaaaaaaa' folder by overwriting the full path to the CPL file with your custom one.
Make sure not to exceed the provided path length or you will corrupt the shortcut file. Save it as 'poc.lnk'.

3) Compile your custom DLL with a 'DllMain' function. Note: some IDEs/programming languages allow creating DLLs but don't support the 'DllMain' entry point. MS Visual Studio 2017 and the 'C++' language might
do the job just fine. The problem with Visual Studio is that you may have some major headaches as Windows evolves: for instance, a C++ DLL compiled with Visual Studio 2008 or 2010 might not work on the latest releases of Windows 10.
You may prefer the good old C language and 'gcc' to compile your source code, as Hyp3rlinx shows in his first 'VCF' PoC:

http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt

4) Place the contact files in the folder you have shared (or a subfolder), and the 'aaaaaaaaa' and 'x' directories in the same folder as the 'Contact' files.
Note: the DLL file (which you may rename to CPL) must be placed in the 'x' folder.


5) Depending on the target OS you are testing, access the remote share, open the corresponding 'Contact' file and then click on the hyperlink. The code placed in the 'DllMain' function of your DLL should be executed.
Tip: to work on both x86 and x64, make sure the DLL is compiled for the 32-bit platform.
The 'Contact' file for Windows 8.1/10 also works on Windows 7, but will leave some blank space characters with an underline below them; it will still work just fine.

Tip 2: The picture in the 'Contact' file can be changed: just take another bitmap picture, encode it to base64, and paste the result in place of the original.

Tip 3: The 'Contact' file type usually doesn't have third-party software taking over its file association, while VCF does (e.g. MS Outlook), so it has a higher chance of being associated with the 'Wab.exe' program.


video demo: https://youtu.be/FsoIJkRuOx8