Fun with lnk files


Stuxnet used a 0day .lnk icon DLL-loading vulnerability to own its targets via thumb drives. But if you don't have a fancy 0day, chances are you can still get someone to open a link. Link files are great because they often escape the scrutiny given to .exe executables or batch scripts, since they don't directly execute code. Link files are also convenient because the icon can be set to any system or application icon of choice, and their true targets are usually not directly viewable.

Furthermore, suppose you placed link files on thumb drives or CDs lying around the parking lot. You don't need to put any other files with suspicious extensions on the drive, and you don't need the target of the shortcut to be any external file. Instead, point it to the trusted system executable cmd.exe, and use a short command stager as the command line. The command line is limited to 256 chars, which is sufficient for a vbs stager, although embedded environment variables in the shortcut file can extend this; i.e. set the command line to "cmd /c %a% %b% %c%" and define long environment variables a, b, and c. See the spec here: http://msdn.microsoft.com/en-us/library/dd871305(PROT.10).aspx

A PoC of the entire process starts here: http://scriptjunkie1.110mb.com/security/lnk.htm. Click to download a .lnk file that displays the icon of a folder and launches a vbs stager to an executable that opens calc.exe.

You can create these .lnk files with any Windows box, but you are likely to leak information about the system that created the link in the process. If you want to generate your own with a Metasploit payload, of course there's a Metasploit module for that: http://www.scriptjunkie.us/files/lnk_social.rb.
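
From the defender's side, the traits described above (an interpreter such as cmd.exe as the target, a command line built from %var% expansions, an icon borrowed from another file) can be read straight out of the shortcut. The following is an added example, not code from the original post or the Metasploit module: a minimal parser for the StringData section of the spec linked above. The function names, interpreter list, heuristics and sample bytes are this example's own assumptions, and it reads the target only from the RELATIVE_PATH string, not from the ID list or LinkInfo.

```python
import re
import struct

# LinkFlags bits and StringData order from the [MS-SHLLINK] spec linked in the post
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
CLSID = bytes.fromhex("0114020000000000c000000000000046")
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}  # assumed list

def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:      # 2-byte size that excludes the size field
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # 4-byte size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    width = 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
            raw = data[pos + 2 : pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    return fields

def triage(fields):
    """Flag the traits the post describes (heuristics are this example's own)."""
    findings = []
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    if target in INTERPRETERS and args:
        findings.append("interpreter target with arguments")
    if re.search(r"%[^%\s]+%", args):
        findings.append("environment variable expansion in arguments")
    icon = fields.get("icon_location", "").lower()
    if icon and target and target not in icon:
        findings.append("icon taken from a different file than the target")
    return findings

def constructed_sample():
    """Constructed test input: header plus three Unicode StringData fields."""
    header = struct.pack("<I16sI", 0x4C, CLSID, 0x08 | 0x20 | 0x40 | IS_UNICODE).ljust(76, b"\0")
    strings = [r".\cmd.exe", "/c %a% %b% %c%", r"%SystemRoot%\system32\shell32.dll"]
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
```

Run `triage(parse_lnk(open(path, "rb").read()))` over shortcuts collected from removable media; the icon check alone is noisy, so treat it as supporting evidence for the other two findings.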

  1. #1 by lester on June 25, 2011 - 3:58 am

    The links above to the POC for fun with lnk files do not work.

  2. #2 by scriptjunkie on June 25, 2011 - 4:58 pm

    Hmm. I just tried on a Windows XP and a Windows Vista VM, and it worked on both. Maybe .vbs files are not associated with cscript or wscript on your machine? What OS are you using?
