Comments on: Windows ‘LNK’ Exploit Demonstration

By: Emails Being Blocked - Web Hosting

Emails Being Blocked - Web Hosting — Mon, 04 Oct 2010 17:39:34 +0000

[...] allowed per Company security policy LNK files typically identify the LNKexploit malware attack as discussed here, which was why my earlier post suggested it was rightly filtered as both file type and as Spam [...]

By: Matt

Matt — Wed, 28 Jul 2010 14:05:20 +0000

@strcmp: Good point.. maybe it’s time for those who are tired of being jerked around by Microsoft to switch to a better operating system. Might I suggest Linux?

By: strcmp

strcmp — Wed, 28 Jul 2010 04:08:50 +0000

From nemesis.te-home.net:
“This program is a proof of concept and is provided “as is”. Any express or implied warranties are disclaimed. In no event shall the author be liable for any damages caused arising in any way out of the use of this software, even if advised of the possibility of such damage.
License: Creative Commons Attribution.”

After patching, the old shell32.dll is saved as “shell32.backup” in system32\ folder. If you compare shell32.dll with shell32.backup you can notice the patch is only 4 bytes for any Service Pack of Windows XP. Source code for this patch program is included.

If Microsoft no longer provides patches for OS’es that are still in use, we’ll see only 3rd party patches, if any.

By: Matt

Matt — Tue, 27 Jul 2010 15:07:31 +0000

@strcmp: I get that.. but my concerns would be:

1) Who’s providing the patch?
2) Can the provider be trusted?
3) Do they provide the source code of the patch?
And, ultimately.. 4) Is this thing a backdoor?

To be honest, in most circumstances, I would say using a 3rd party patch to fix this problem might expose you to more risks than not patching it at all.

By: strcmp

strcmp — Tue, 27 Jul 2010 05:23:25 +0000

“I guess I’d be a little apprehensive using something not provided by Microsoft”

The patch applies to OS’es no longer supported by Microsoft.

By: Week 29 in Review – 2010 | Portable Digital Video Recorder

Week 29 in Review – 2010 | Portable Digital Video Recorder — Mon, 26 Jul 2010 05:46:24 +0000

[...] Windows ‘LNK’ Exploit Demonstration – attackvector.org [...]

By: Matt

Matt — Sun, 25 Jul 2010 22:01:35 +0000

@elva: Unlike the video, try using explorer.exe rather than IE to access the share and see if it works.

By: elva

elva — Sun, 25 Jul 2010 14:29:02 +0000

i have no exploitation.
after running exploit and i can get a.dll and b.lnk
but no session established.
it stopped at Sending dll payload 192.168.1.16:1065….

windows xp sp2 + ie6.0
i wanna know why and anyone has the same result?

By: Matt

Matt — Sat, 24 Jul 2010 13:12:43 +0000

@strcmp: Nice.. I hadn’t seen that yet. I guess I’d be a little apprehensive using something not provided by Microsoft, though.

By: strcmp

strcmp — Sat, 24 Jul 2010 11:33:50 +0000

There is a patch for shell32.dll and it’s not made by Microsoft.

http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html