Metasploit mailing list archives

Re: LNK Exploit Export


From: Florian Roth <Neo.X () web de>
Date: Sun, 25 Jul 2010 18:39:47 +0200


Hey, thanks,

I did the following but struggled because it did not work as I
expected.  

I changed the contents of the LNK to the name of my DLL.

But that didn't do the trick. 
I had to use the following string with a trailing space and double
point. 

00000080  00 00 00 6a 00 00 00 00  00 00 20 00 3a 00 43 00  |...j...... .:.C.|
00000090  3a 00 5c 00 42 00 4e 00  57 00 45 00 6a 00 42 00  |:.\.B.N.W.E.j.B.|
000000a0  63 00 66 00 49 00 71 00  2e 00 64 00 6c 00 6c 00  |c.f.I.q...d.l.l.|
000000b0  00 00                                             |..|
000000b2


The tricky thing is that changing this does not seem to make it work. I
had to rename the link file to "linkfile.lnk_" on the command line and back
in EXPLORER to invoke the process defined in my DLL (calc.exe).

I suppose that the renaming causes a cache to be renewed and EXPLORER to
check the symbol of the link again. Without that it won't invoke the
exploit coded in the DLL in my testing environment.

Additional information:
A second way to invoke the exploit was to use Windows Search and
search for a portion of the LNK file name. The listing of the modified
LNK file in the search results also led to execution.

Every method worked only once per session. I had to log off and login
again to make it work another time.

Hope that helped someone.
That way I am able to generate a DLL with a special payload and ship it
with my prepared LNK file.

Thanks  


On Sun, 2010-07-25 at 10:30 +0200, Hendrik Baecker wrote:

On 24.07.10 21:47, Florian Roth wrote:
 
I noticed that every time I copied the generated DLL and LNK file to a
different directory, the exploit does not work anymore. So I suppose
that the code is bound to a fixed path where the DLL has to be located.

Don't suppose - know!

hexdump -C /path/to/your.lnk ^^

I'd like to send the exploit to a friend who wants to demonstrate the
impact to the rest of the IT staff. 
Is there a possibility to export the exploit or change the absolute path
to the DLL so he is able to put the LNK and DLL to i.e. "C:\" ?? 


I would try to hexedit the lnk to change the voodoo you found by
hexdump. Didn't try it myself yet, maybe some more knowledge about LNK
file structure / the weak M$ code is needed.
I wouldn't say the DLL itself might be a problem - it's just a PE DLL'd
payload.

Back to your question - I'm not aware of an export function in metasploit.

Cheerio!
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

-- 
Sincerely
Best regards
Kind regards
Florian Roth

Tel:    +49 06251 - 827 9402
Mobil:  +49 175 - 7240 363       
Fax:    +49 12125 - 11699510
eMail:  Florian.Roth () email de

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
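A defender-side check that follows from the hexdump quoted above and from Hendrik's "hexdump -C your.lnk" suggestion: the DLL path sits in the shortcut as a plain UTF-16LE string, so a triage scanner can pull every such string out of a .lnk and flag the ones that name a .dll. This is an added example, not code from the thread or from Metasploit; the sample blob is constructed here (the genuine fixed LNK header, zero padding, then the bytes from the hexdump at 0x80 so that reported offsets line up with it), and the function names and the four-character minimum string length are my own choices.

```python
import re
import sys
from pathlib import Path
from typing import Iterator, List, NamedTuple

# Every .lnk begins with HeaderSize = 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, both little-endian (MS-SHLLINK).
LNK_MAGIC = bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")


class Finding(NamedTuple):
    offset: int   # byte offset of the first UTF-16LE code unit
    text: str     # the decoded string


def is_lnk(data: bytes) -> bool:
    """True if the blob carries the fixed shell-link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def utf16le_strings(data: bytes, min_len: int = 4) -> Iterator[Finding]:
    """Yield runs of printable ASCII stored as UTF-16LE (each char is XX 00).

    The regex is tried at every byte offset, so alignment does not matter;
    the lone 'j' (6a 00) at 0x83 in the thread's dump is a single code unit
    and is dropped by the minimum-length rule.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield Finding(m.start(), m.group().decode("utf-16-le"))


def dll_references(data: bytes) -> List[Finding]:
    """Strings naming a .dll, the pattern visible in the thread's hexdump."""
    return [f for f in utf16le_strings(data) if f.text.lower().endswith(".dll")]


def scan_lnk(data: bytes) -> List[Finding]:
    """Return .dll references for a shell link; non-LNK input yields nothing."""
    if not is_lnk(data):
        return []
    return dll_references(data)


# Constructed sample: the real header, zero padding up to 0x80, then the bytes
# quoted in the thread's hexdump (0x80-0xb1), so reported offsets match it.
_DUMP_FROM_0x80 = bytes.fromhex(
    "00 00 00 6a 00 00 00 00 00 00 20 00 3a 00 43 00 "
    "3a 00 5c 00 42 00 4e 00 57 00 45 00 6a 00 42 00 "
    "63 00 66 00 49 00 71 00 2e 00 64 00 6c 00 6c 00 "
    "00 00"
)
SAMPLE_LNK = LNK_MAGIC + bytes(0x80 - len(LNK_MAGIC)) + _DUMP_FROM_0x80


def main(paths: List[str]) -> int:
    """Scan the given .lnk files, or the embedded sample when none are given.

    Returns the number of flagged strings so a caller can act on it.
    """
    blobs = {p: Path(p).read_bytes() for p in paths} or {"<sample>": SAMPLE_LNK}
    flagged = 0
    for name, data in blobs.items():
        for hit in scan_lnk(data):
            flagged += 1
            print(f"{name}: offset 0x{hit.offset:x} references {hit.text!r}")
    return flagged


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it with one or more .lnk paths (`python lnkscan.py *.lnk`) or with no arguments to see it report offset 0x8a and the string " :C:\BNWEjBcfIq.dll" from the sample, which is exactly what the hexdump in the thread shows. A shortcut that legitimately launches rundll32.exe also carries a .dll path, so treat hits as triage material for a closer look at the file, not as a verdict.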
