CVE-2010-3143

Microsoft Windows Contacts - Untrusted Search Path and DLL Hijacking via Trojan Horse wab32res.dll

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2010-3143. PoCs published by storm.

AI-analyzed exploit summary This exploit demonstrates a DLL hijacking vulnerability in Microsoft Windows Contacts by creating a malicious wab32res.dll that executes arbitrary code (calc.exe) when loaded by affected file types (.contact, .group, .p7c, .vcf, .wab). The DllMain function triggers the payload upon DLL initialization.

Description

Untrusted search path vulnerability in Microsoft Windows Contacts allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wab32res.dll that is located in the same folder as a .contact, .group, .p7c, .vcf, or .wab file. NOTE: the codebase for this product may overlap the codebase for the product referenced in CVE-2010-3147.

Exploits (3)

exploitdb WORKING POC VERIFIED
by storm · clocalwindows
https://www.exploit-db.com/exploits/14778

This exploit demonstrates a DLL hijacking vulnerability in Microsoft Windows Contacts by creating a malicious wab32res.dll that executes arbitrary code (calc.exe) when loaded by affected file types (.contact, .group, .p7c, .vcf, .wab). The DllMain function triggers the payload upon DLL initialization.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Windows Contacts (Windows Vista SP2)
No auth needed
Prerequisites: Ability to place malicious DLL in a directory with higher search order priority than the legitimate DLL
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC
clocalwindows
https://www.exploit-db.com/exploits/14733

This exploit demonstrates a DLL hijacking vulnerability in Microsoft Windows 7's wab.exe by replacing the legitimate wab32res.dll with a malicious one. When a file with specific extensions is opened, the malicious DLL executes arbitrary code (calc.exe in this case).

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Windows 7 wab.exe (6.1.7600 and prior)
No auth needed
Prerequisites: Compile the code and rename the output to wab32res.dll · Place the DLL in the same directory as a file with .vcf, .p7c, .group, or .contact extension
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
clocalwindows
https://www.exploit-db.com/exploits/14745

This exploit demonstrates a DLL hijacking vulnerability in Microsoft Address Book by creating a malicious wab32res.dll that executes arbitrary code (calc.exe) when a file with a vulnerable extension (.wab, .p7c) is opened. The exploit leverages the insecure DLL loading mechanism in Windows.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Microsoft Address Book 6.00.2900.5512
No auth needed
Prerequisites: Ability to place a malicious DLL and a file with a vulnerable extension in a directory searched by the application
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7224
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14778/
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/64446

Scores

EPSS 0.0882
EPSS Percentile 92.7%

Details

Status published
Products (1)
microsoft/windows
Published Aug 27, 2010
Tracked Since Feb 18, 2026