Fun with lnk files

Stuxnet used a 0day .lnk icon dll-loading vulnerability to own its targets via thumb drives. But if you don’t have a fancy 0day, chances are you can still get someone to open a link. Link files are great because they often escape the scrutiny applied to executable .exe files or batch scripts, since they don’t directly execute code. Link files are also convenient because the icon can be set to any system or application icon of choice, and their true targets are usually not directly viewable. Furthermore, suppose you placed link files on thumb drives or CDs lying around the parking lot. You don’t need to put any other files with suspicious extensions on the drive, and you don’t need the target of the shortcut to be any external file. Instead, point it to the trusted system executable cmd.exe, and use a short command stager as the command line. The command line is limited to 256 characters, which is sufficient for a vbs stager, although embedded environment variables in the shortcut file can extend this; e.g. set the command line to “cmd /c %a% %b% %c%” and define long environment variables a, b, and c. See the spec here: http://msdn.microsoft.com/en-us/library/dd871305(PROT.10).aspx

A PoC of the entire process starts here: http://scriptjunkie1.110mb.com/security/lnk.htm. Click to download a .lnk file that displays the icon of a folder and launches a vbs stager to an executable that opens calc.exe.

You can create these .lnk files with any Windows box, but you are likely to leak information about the system that created the link in the process. If you want to generate your own with a Metasploit payload, of course there’s a Metasploit module for that: http://scriptjunkie1.110mb.com/security/lnk_social.rb.
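As an added example (not the post's or Metasploit's code), here is a defender-side inspector that walks the MS-SHLLINK layout linked above: the 76-byte ShellLinkHeader, the StringData fields, and the EnvironmentVariableDataBlock, and then flags shortcuts that use the tricks described (cmd.exe as the target, %var% expansion in the command line, a stock shell32.dll icon on an interpreter). The sample shortcut it builds is constructed inline for the demonstration; the interpreter list and the finding texts are my own choices, and LinkTargetIDList and LinkInfo are skipped by size rather than decoded.

```python
import struct
# LinkFlags bits (u32 at offset 20 of the 76-byte ShellLinkHeader, per MS-SHLLINK)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, HAS_EXP_STRING = 0x01, 0x02, 0x80, 0x200
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # StringData, in spec order
ENV_BLOCK_SIG = 0xA0000001  # EnvironmentVariableDataBlock, BlockSize 0x314
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def parse_lnk(buf):
    """Return the StringData fields and any embedded environment-variable target."""
    if buf[:4] != b"L\0\0\0": raise ValueError("not a shell link file")
    flags, pos = struct.unpack_from("<I", buf, 20)[0], 76
    if flags & HAS_ID_LIST:    # LinkTargetIDList: u16 IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: u32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", buf, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:  # each field: u16 character count, then the characters
            n = 2 + width * struct.unpack_from("<H", buf, pos)[0]
            fields[name], pos = buf[pos + 2:pos + n].decode(codec), pos + n
    while pos + 8 <= len(buf):  # ExtraData blocks; BlockSize < 4 is the terminal block
        size, sig = struct.unpack_from("<II", buf, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIG:  # 8-byte header, 260-byte ANSI target, 520-byte Unicode target
            fields["env_target"] = buf[pos + 268:pos + 788].decode("utf-16-le").rstrip("\0")
        pos += size
    return fields

def findings(fields):  # reasons a defender would flag the shortcut, per the tricks above
    target = (fields.get("env_target") or fields.get("relative_path") or "").lower()
    interp = target.replace("/", "\\").rsplit("\\", 1)[-1] in INTERPRETERS
    out = ["target is a command interpreter: " + target] if interp else []
    if "%" in fields.get("arguments", ""):
        out.append("command line expands environment variables: " + fields["arguments"])
    if interp and "shell32.dll" in fields.get("icon_location", "").lower():
        out.append("stock system icon (e.g. a folder) on an interpreter target")
    return out

def build_sample_lnk(args, target=r"%SystemRoot%\system32\cmd.exe"):
    # Constructed sample, not a real capture: RelativePath, Arguments, IconLocation + env block
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")
    flags = IS_UNICODE | HAS_EXP_STRING | 0x08 | 0x20 | 0x40
    header = b"L\0\0\0" + bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 3, 1, 0, 0, 0, 0)
    env = target.encode("latin-1").ljust(260, b"\0") + target.encode("utf-16-le").ljust(520, b"\0")
    block = struct.pack("<II", 0x314, ENV_BLOCK_SIG) + env
    return header + s(target) + s(args) + s(r"%SystemRoot%\system32\shell32.dll") + block + b"\0\0\0\0"
```

Run `findings(parse_lnk(open(path, "rb").read()))` over shortcuts found on removable media or in mail attachments; an empty list means none of the three patterns above was seen, not that the file is safe.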
