LNK (Windows File Shortcut) Parser

CVE-2010-2568 will need to have a LNK file with a malicious dll to cause harm. Feeling the urgency of parsing the LNK file to trace any present dll, we modified a small portion of the code from metasploit’s project to make it run independently from the metasploit framework. The original code is here. The main purpose of the dumplinks.rb is for getting information for each of LNK files. The code is originally coded by davehull. Here is the output of the modified code:

[+]Processing: lalameta.lnk
[+]Found CLSID=00021401-0000-0000-C000-0000000000460
lalameta.lnk:
Access Time       = Tue Jul 27 17:16:06 +0800 2010
Creation Date     = Thu Jul 22 01:16:24 +0800 2010
Modification Time = Thu Jul 22 01:16:24 +0800 2010
Contents of lalameta.lnk:
Flags:
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+]checking offset of 0x80 to find DLL from metasploit code generator
[+]:\\192.168.20.2\xyTxzY\CjmX.dll

The code in bold shows that the DLL that is  loaded in the LNK file. Below is the result from p0c provided by ivanlef0u.

[+]Processing: suckme.lnk_
129
suckme.lnk_:
Access Time       = Tue Jul 27 17:52:02 +0800 2010
Creation Date     = Mon Jul 19 10:32:26 +0800 2010
Modification Time = Sun Jul 18 00:37:30 +0800 2010
Contents of suckme.lnk_:
Flags:
Shell Item ID List exists.
Attributes:
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
ShowWnd value(s):
SW_SHOW.
SW_NORMAL.
SW_SHOWMINNOACTIVE.
SW_SHOWMAXIMIZED.
SW_RESTORE.
Target file's MAC Times stored in lnk file:
Creation Time     = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Modification Time = Thu Jan 01 07:30:00 +0730 1970. (UTC)
Access Time       = Thu Jan 01 07:30:00 +0730 1970. (UTC)
[+]checking offset of 0x80 to find DLL from metasploit code
[+]: :C:\dll.dllMises ? jour automatiquesCo

2 thoughts on “LNK (Windows File Shortcut) Parser

  1. ab says:

    If you don’t mind can you share the poc?

  2. mahmud says:

    Hi ab, you can get the copy here:http://blog.honeynet.org.my/mirror/lnk_parse.rb.

Leave a Reply