Name | special_lnk
---|---
CVE | CVE-2017-8464 Exploit Pack
CVE Name | CVE-2017-8464
VENDOR | Microsoft

NOTES:

DIALOG BOX
In the dialog box, both remote and local paths can be specified so that the LNK and the DLL-based callback are hosted by Canvas. To have Canvas insert the correct IP for your own system, start the SMB path with \HOSTLOCAL. Names other than HOSTLOCAL can be entered as well, but HOSTLOCAL will be replaced with the IP that your callback is listening on.
Should you want to create the LNK and DLL for distribution via other means, on-disk paths such as C:\users\target\callback.dll will work.
NOTE: To reiterate, an LNK path starting with \HOSTLOCAL tells the module to host the LNK itself. If you do not want this to happen, simply specify an on-disk path.

Tested on:
- Windows 10 (64 bit) with (local + remote) DLL path
- Windows 8 (32 bit) with local DLL path
- Windows 7 (32 bit) with (local + remote) DLL path

HIGHLY IMPORTANT NOTE
In our testing, we have discovered that this exploit is not just client-side. On multiple Windows 10 x64 systems we have noticed that, in certain repeatable circumstances, SearchProtocolHost.exe, a SYSTEM-privileged process, will render the LNK. This behavior has not been observed on Windows 7 or Windows 8. In order to use this exploit as an LPE, just rename the original LNK after you have a shell.
We have observed in our labs that using a UNC path that maps to a WebDAV share is incredibly slow regardless of the software behind the share. For this reason we recommend the use of an SMB share for remote/client-side exploitation where delivery of only the LNK is possible.
Special thanks to Haifei Li and VXJump for their analysis.

Date public: 06/27/2017
CVE Url: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464
CVSS: 7.5