update some documentation

bug/bundler_fix
Brent Cook 2017-08-03 17:09:44 -05:00
parent 81500f7336
commit da3ca9eb90
2 changed files with 16 additions and 14 deletions

@ -1,10 +1,13 @@
## Vulnerable Application
Any Windows versions without the patch for CVE-2017-8464. The exploit doesn't appear to work with UNC drives. Because of this the DLL file needs to be on the local file system or an USB drive. A fix was released on June 2017 Patch Tuesday.
This vulnerability affects any Windows version without the patch for
CVE-2017-8464. The exploit does not appear to work with UNC drives. Because of
this, the exploit DLL file needs to be on a local file system or an USB drive.
A fix was released in the June 2017 Patch Tuesday.
## Vulnerable Setup
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, make sure that MS10-046 & MS15-020 are installed.
To set up the vulnerable environment, install a Windows version without the patch for CVE-2017-8464. To test the bypass, ensure that MS10-046 & MS15-020 are installed.
## Verification Steps
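Review bot: The rewrapped Vulnerable Application paragraph still reads "an USB drive"; since that sentence is being rewritten anyway, change it to "a USB drive". The Vulnerable Setup paragraph right below it stays on a single long line while this one is now wrapped at about 80 columns, so wrap both or neither to keep the file consistent.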
@ -31,15 +34,15 @@ To set up the vulnerable environment, install a Windows version without the patc
**FILENAME**
The file name of the LNK file. This file name can be renamed in a letter stage. If not set, a random name will be generated.
The file name of the LNK file. This file name can be renamed later. If the value is not set, a random name will be generated.
**DLLNAME**
The file name of the DLL file. This file name cannot be renamed as this will invalidate the LNK file(s). If not set, a random name will be generated.
The file name of the DLL file. This file cannot be renamed, as this will invalidate the LNK file(s). If not set, a random name will be generated.
**DRIVE**
Drive letter assigned to USB drive on victim's machine. If not set LNK files for drive D till Z will be created. Copy all these LNK files to the USB drive to make it more likely that the vulnerability is triggered.
Drive letter assigned to USB drive on victim's machine. If not set, LNK files for drive D till Z will be created. Copy all these LNK files to the USB drive to increase the chance that the vulnerability will be triggered.
### Windows 10 x64 (Build 14393)
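Review bot: In the FILENAME text, "This file name can be renamed later" should say that the file can be renamed, matching the DLLNAME fix in this same hunk ("This file cannot be renamed"). In DRIVE, "drive D till Z" would read better as "drives D through Z", and "assigned to USB drive on victim's machine" is missing its articles.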

@ -17,8 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
info,
'Name' => 'LNK Code Execution Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
that contain a dynamic icon, loaded from a malicious DLL.
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
similar except an additional SpecialFolderDataBlock is included. The folder ID set
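Review bot: The Description change joins the first sentence into one line of well over 100 characters, while the following lines of the same %q block ("This vulnerability is a variant of MS15-020 ...") stay wrapped. The wording is unchanged, and the documentation hunk in this commit goes the other way by wrapping long lines, so I would keep the original two-line wrapping here.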
@ -57,7 +56,7 @@ class MetasploitModule < Msf::Exploit::Remote
[ 'Windows x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows x86', { 'Arch' => ARCH_X86 } ]
],
'DefaultTarget' => 0, # Default target is 64-bit
'DefaultTarget' => 0, # Default target is Automatic
'DisclosureDate' => 'Jun 13 2017'
)
)
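Review bot: The corrected comment on 'DefaultTarget' => 0 says the default is Automatic, but the context visible in this hunk only shows the Windows x64 and Windows x86 entries, so please confirm that the first entry of the targets array is the Automatic one. Since this comment has already gone stale once, consider dropping it and letting the targets list speak for itself.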