
Immunity Canvas: SPECIAL_LNK

2017-06-15 01:29:00
Immunity Canvas
exploitlist.immunityinc.com
552

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 100.0%

Name: special_lnk
CVE: CVE-2017-8464
Exploit Pack
CVE Name: CVE-2017-8464
VENDOR: Microsoft
NOTES:
DIALOG BOX
In the dialog box, both remote and local paths can be specified so that the LNK
and the DLL-based callback are hosted by Canvas. To have Canvas insert the correct
IP for your own system, start the SMB (UNC) path with \\HOSTLOCAL. Other names than
HOSTLOCAL can be entered as well, but only HOSTLOCAL is replaced with the IP that
your callback is listening on.

Should you want to create the LNK and DLL for distribution via other means, using
disk-paths such as C:\users\target\callback.dll will work.

NOTE: To reiterate, an LNK path starting with \\HOSTLOCAL tells the module to host
the LNK itself. If you do not want this to happen, specify an on-disk path instead.

Tested on:
- Windows 10 (64 bit) with (local + remote) DLL path
- Windows 8 (32 bit) with local DLL path
- Windows 7 (32 bit) with (local + remote) DLL path
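
The notes above describe two ways the shortcut can reach its DLL: a UNC path on an
SMB (or WebDAV) share that Canvas hosts, or an on-disk path such as
C:\users\target\callback.dll. A defender triaging captured .lnk files wants exactly
those embedded paths pulled out and any DLL/CPL reference flagged, remote ones first.
The Python below is an added example, not Immunity's module code or the Canvas dialog:
it parses the documented Shell Link layout (76-byte header, LinkTargetIDList, LinkInfo,
StringData), string-scans the IDList rather than decoding shell items (so a reference
carried only inside a shell item is caught by its text, not its structure), and runs
against .lnk samples it constructs itself. The server 203.0.113.7 and the file name
callback.dll are placeholders, not indicators taken from the page.

```python
"""Triage .lnk files for the delivery shape in the notes: a shortcut whose embedded
paths reference a DLL (or CPL), in particular on a UNC share. Added example, not
Immunity's module; the sample .lnk bytes are constructed below."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]
DLL_REF = re.compile(r"\.(dll|cpl)\b", re.IGNORECASE)
UNC = re.compile(r"^\\\\[^\\]+\\")


def _cstr(data, off):
    """NUL-terminated ANSI string at absolute offset `off`."""
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def scan_strings(blob):
    """Printable ASCII and UTF-16LE runs from opaque bytes (used for the IDList)."""
    out = [m.group().decode("latin-1") for m in re.finditer(rb"[\x20-\x7e]{4,}", blob)]
    out += [m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob)]
    return out


def parse_link_info(data, off):
    """Return (LinkInfoSize, [paths]) for the LinkInfo structure at `off`."""
    size, _hdr, li_flags, _vol, lbp, cnrl, cps = struct.unpack_from("<7I", data, off)
    suffix = _cstr(data, off + cps)          # CommonPathSuffix
    paths = []
    if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
        paths.append(_cstr(data, off + lbp) + suffix)
    if li_flags & 0x2:                       # CommonNetworkRelativeLinkAndPathSuffix
        net_off = off + cnrl
        name_off = struct.unpack_from("<I", data, net_off + 8)[0]   # NetNameOffset
        paths.append(_cstr(data, net_off + name_off).rstrip("\\") + "\\" + suffix)
    return size, paths


def parse_string_data(data, off, flags):
    """StringData: CountCharacters (u16) followed by ANSI or UTF-16LE characters."""
    out = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off + 2:off + 2 + count * width]
        out[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        off += 2 + count * width
    return out


def analyze_lnk(data):
    """Collect every path-like string in the shortcut and grade DLL/CPL references."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off, paths = 76, []
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + opaque shell items
        size = struct.unpack_from("<H", data, off)[0]
        paths += scan_strings(data[off + 2:off + 2 + size])
        off += 2 + size
    if flags & HAS_LINK_INFO:
        size, li_paths = parse_link_info(data, off)
        paths += li_paths
        off += size
    paths += list(parse_string_data(data, off, flags).values())
    dll_refs = sorted({p for p in paths if DLL_REF.search(p)})
    remote = [p for p in dll_refs if UNC.match(p)]
    verdict = "remote-dll" if remote else "local-dll" if dll_refs else "clean"
    return {"paths": paths, "dll_refs": dll_refs, "remote_dll_refs": remote, "verdict": verdict}


def build_sample_lnk(suffix, net_name=None, local_base=None, icon=None):
    """Constructed minimal .lnk (no IDList) for offline testing of the triage above."""
    flags = HAS_LINK_INFO | (0x40 | IS_UNICODE if icon else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    li_flags, body, vol_off, lbp_off, cnrl_off = 0, b"", 0, 0, 0
    if local_base:
        vol = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"       # VolumeID, empty label
        li_flags, vol_off, lbp_off = li_flags | 0x1, 28, 28 + len(vol)
        body += vol + local_base.encode() + b"\x00"
    if net_name:
        net = net_name.encode() + b"\x00"
        cnrl = struct.pack("<5I", 20 + len(net), 0, 20, 0, 0) + net  # NetName only
        li_flags, cnrl_off = li_flags | 0x2, 28 + len(body)
        body += cnrl
    sfx = suffix.encode() + b"\x00"
    cps_off = 28 + len(body)
    link_info = struct.pack("<7I", cps_off + len(sfx), 28, li_flags,
                            vol_off, lbp_off, cnrl_off, cps_off) + body + sfx
    tail = struct.pack("<H", len(icon)) + icon.encode("utf-16-le") if icon else b""
    return header + link_info + tail


# Constructed samples: the two delivery shapes from the notes plus a benign shortcut.
SAMPLES = {
    "remote": build_sample_lnk("callback.dll", net_name=r"\\203.0.113.7\share"),
    "local": build_sample_lnk("", local_base=r"C:\users\target\callback.dll"),
    "benign": build_sample_lnk("", local_base=r"C:\Windows\notepad.exe",
                               icon=r"C:\Windows\notepad.exe"),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(label, analyze_lnk(blob)["verdict"])
```

On real files call analyze_lnk(open(path, "rb").read()). The verdict is a triage hint,
not a block decision: a shortcut that legitimately opens a Control Panel applet also
scores local-dll, so review hits rather than quarantine on them.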

HIGHLY IMPORTANT NOTE
In our testing we have discovered that this exploit is not just a client-side exploit.
On multiple Windows 10 x64 systems we have noticed that, in certain repeatable
circumstances, SearchProtocolHost.exe, a SYSTEM-privileged process, renders the LNK.
This behavior has not been observed on Windows 7 or Windows 8.

To use this exploit as an LPE, just rename the original LNK after you have a shell.
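
The LPE note above says the SYSTEM-level indexer, SearchProtocolHost.exe, will render a
planted LNK on Windows 10; the observable side effect is that process (or Explorer, in
the client-side case) loading a DLL from a path an unprivileged user or a remote share
controls. The Python below is an added example, not part of this page or of Canvas: it
classifies constructed image-load records that borrow only the Image/ImageLoaded/Signed
field names of Sysmon Event ID 7, and the list of "user-controlled" locations is an
assumption to tune per environment.

```python
"""Flag DLL/CPL loads by the processes that render shortcuts when the module comes from
a location an unprivileged user or a remote share controls. Added example; the events
below are constructed and only reuse Sysmon Event ID 7 field names."""
import re

# Processes that render LNK icons: the SYSTEM indexer (per the note above) and Explorer.
LNK_RENDERERS = {"searchprotocolhost.exe": "SYSTEM", "explorer.exe": "user"}

# Assumed writable/remote origins: any UNC path, then common user-writable roots.
USER_CONTROLLED = re.compile(
    r"^(\\\\|[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)",
    re.IGNORECASE,
)


def classify_image_load(event):
    """Return a finding dict for a suspicious load, else None."""
    proc = event["Image"].rsplit("\\", 1)[-1].lower()
    if proc not in LNK_RENDERERS:
        return None
    module = event["ImageLoaded"]
    if not module.lower().endswith((".dll", ".cpl")) or not USER_CONTROLLED.match(module):
        return None
    context = LNK_RENDERERS[proc]
    return {
        "process": proc,
        "module": module,
        "remote": module.startswith("\\\\"),
        "signed": event.get("Signed", "false").lower() == "true",
        # A load into the SYSTEM indexer is the LPE case; into Explorer, the client-side case.
        "severity": "critical" if context == "SYSTEM" else "high",
    }


def hunt(events):
    """Run the classifier over a batch of image-load events and keep the findings."""
    return [hit for hit in map(classify_image_load, events) if hit]


# Constructed sample events (Sysmon Event ID 7 field names only; paths are placeholders).
EVENTS = [
    {"Image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "ImageLoaded": r"C:\Users\target\callback.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"\\203.0.113.7\share\callback.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\target\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["severity"], hit["process"], hit["module"])
```

The same rule fits a Sysmon configuration directly (Event ID 7, Image filter on the two
renderers, ImageLoaded filter on UNC and user-writable prefixes); the Python form is
handy for sweeping exported logs after the fact.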

We have observed in our labs that using a UNC path that maps to a WebDAV share is
incredibly slow regardless of the software behind the share. For this reason we
recommend an SMB share for remote/client-side exploitation where delivery of only
the LNK is possible.

Special thanks to Haifei Li and VXJump for their analysis.

Date public: 06/27/2017
CVE Url: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464
CVSS: 7.5
