| Field | Value |
|---|---|
| Name | special_lnk |
| CVE | CVE-2017-8464 |
| Exploit Pack | CANVAS |
| Description | special_lnk |
| Vendor | Microsoft |
| Date public | 06/27/2017 |
| CVSS | 7.5 |
| CVE URL | https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8464 |
| References | https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464, http://paper.seebug.org/357/, http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt |

**Notes**

**DIALOG BOX**

In the dialog box, both remote and local paths can be specified in such a way that the LNK and the DLL-based callback are hosted by Canvas. To make Canvas put the correct IP in for your own system, start the SMB path with `\HOSTLOCAL`. Other names than HOSTLOCAL can be entered as well, but HOSTLOCAL will be replaced with the IP that your callback is listening on. Should you want to create the LNK and DLL for distribution via other means, using disk paths such as `C:\users\target\callback.dll` will work.

**NOTE**: To reiterate, an LNK path starting with `\HOSTLOCAL` tells the module to host the LNK itself. If you do not want this to happen, simply specify an on-disk path.

Tested on:

- Windows 10 (64-bit) with local and remote DLL path
- Windows 8 (32-bit) with local DLL path
- Windows 7 (32-bit) with local and remote DLL path

**HIGHLY IMPORTANT NOTE**

In our testing, we have discovered that this exploit is not just a client-side exploit. On multiple Windows 10 x64 systems we have noticed that, in certain repeatable circumstances, SearchProtocolHost.exe, a SYSTEM-privileged process, will render the LNK. This behavior has not been observed on Windows 7 or Windows 8. **In order to use this exploit as an LPE, just rename the original LNK after you have a shell.**

We have observed in our labs that using a UNC path that maps to a WebDAV share is incredibly slow regardless of the software behind the share. For this reason we recommend the use of an SMB share for remote/client-side exploitation where delivery of only the LNK is possible.

Special thanks to Haifei Li and VXJump for their analysis.