LNK (Windows File Shortcut) Parser

Exploiting CVE-2010-2568 requires a LNK file that points at a malicious DLL. Because we urgently needed to parse LNK files and trace any DLL they reference, we modified a small portion of the code from the Metasploit project so that it runs independently of the Metasploit framework. The original code is here. The main purpose of dumplinks.rb is to extract information from each LNK file. The code was originally written by davehull. Here is the output of the modified code:

The bold line in the output shows the DLL that the LNK file loads. Below is the result for the PoC provided by ivanlef0u.
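To show what such a parser has to do, here is an added Ruby example that is not the post's modified dumplinks.rb or lnk_parse.rb: it validates the ShellLinkHeader, walks the LinkTargetIDList (layout per MS-SHLLINK) and reports any DLL path embedded in the item IDs, which is where a CVE-2010-2568-style shortcut carries its DLL reference. The sample LNK it builds is constructed for the demonstration, and the function names (`parse_header`, `item_ids`, `dll_refs`, `scan_lnk`, `build_sample_lnk`) are my own.

```ruby
# Added example (not the blog's lnk_parse.rb): find DLL paths referenced from
# the LinkTargetIDList of a Windows shortcut, the spot CVE-2010-2568 abuses.
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (LE fields).
LNK_CLSID = ["0114020000000000c000000000000046"].pack("H*")

# Validate the 76-byte ShellLinkHeader and return its LinkFlags.
def parse_header(data)
  raise "too short for a LNK header" if data.bytesize < 0x4C
  size, clsid = data.unpack("Va16")
  raise "not a LNK (bad HeaderSize or LinkCLSID)" unless size == 0x4C && clsid == LNK_CLSID
  { flags: data[0x14, 4].unpack1("V") }
end

# Split the LinkTargetIDList (present when LinkFlags bit 0 is set) into ItemID payloads.
def item_ids(data, flags)
  return [] if flags & 0x1 == 0
  list_size = data[0x4C, 2].unpack1("v")   # IDListSize, includes the 2-byte TerminalID
  pos = 0x4E
  stop = [pos + list_size, data.bytesize].min
  items = []
  while pos + 2 <= stop
    item_size = data[pos, 2].unpack1("v")
    break if item_size < 2                  # TerminalID (0) or a malformed length
    items << data[pos + 2, item_size - 2]
    pos += item_size
  end
  items
end

# Return every UTF-16LE or ANSI string in an ItemID payload that names a .dll.
def dll_refs(payload)
  refs = []
  payload.scan(/(?:[\x20-\x7e]\x00){4,}/) do |m|
    s = m.force_encoding("UTF-16LE").encode("UTF-8")
    refs << s if s =~ /\.dll\z/i
  end
  payload.scan(/[\x20-\x7e]{4,}/) { |m| refs << m if m =~ /\.dll\z/i }
  refs
end

# Scan a whole LNK image, e.g. File.binread("shortcut.lnk"); returns DLL paths found.
def scan_lnk(data)
  item_ids(data, parse_header(data)[:flags]).flat_map { |p| dll_refs(p) }
end

# Constructed input (not a real exploit sample): header with HasLinkTargetIDList
# set and an IDList whose second item holds a NUL-terminated UTF-16LE DLL path.
def build_sample_lnk(dll_path)
  path = (dll_path + "\0").encode("UTF-16LE").b
  items = ["\x1f".b + ("\x00" * 17).b, "\x01".b + path]
  list = items.map { |d| [d.bytesize + 2].pack("v") + d }.join + "\x00\x00".b
  header = [0x4C].pack("V") + LNK_CLSID + [0x1].pack("V") + ("\x00" * (0x4C - 24)).b
  header + [list.bytesize].pack("v") + list
end
```

Running `scan_lnk(build_sample_lnk("C:\\Temp\\sample.dll"))` returns `["C:\\Temp\\sample.dll"]`, while a shortcut whose items carry no DLL path returns an empty array.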

2 thoughts on “LNK (Windows File Shortcut) Parser”

  1. ab says:

    If you don’t mind can you share the poc?

  2. mahmud says:

    Hi ab, you can get the copy here: http://blog.honeynet.org.my/mirror/lnk_parse.rb.
