Topic: Relative path in LNK-exploit

Hello VX-world!

I have researched Windows shortcuts a lot: flags, locked LNKs and other interesting things.
Stuxnet opened up a quite new subject for me: a shortcut to a Control Panel item and DllMain...

So it is possible to create an LNK with an ABSOLUTE network path and get mass infection across a LAN. :)
(\\comp\hidden-shared$\test.dll)

But... how can I prescribe a relative path in the vulnerable LNK?
e.g. ".\test.dll"

Re: Relative path in LNK-exploit

I'm not sure about this, but as the bug is in Explorer, my tests using a relative path like .\bla.dll always resulted in bla.dll being executed from the same drive as the system dir (as it's being executed from Explorer, that does make sense). So from that it does not seem possible, so I ended up making copies for each drive letter that would be relevant.

Last edited by crim (2011-11-11 14:45:57)

The forum has become too shitty lately; if you need me, find me at coru or dk. 10-4, over and out.


Re: Relative path in LNK-exploit

Around 10 or 12 years ago I found the "pif" technique...

The principle was easy: a .pif is handled as an executable; my idea was to include more things in the .pif.
The structure was:
______________
pif commands ( & icon)
--
bat script
--
irc script
______________

When run as a .pif, the file copied itself as a .bat, adding an autostart, and copied itself as a .ini into the IRC client directory.
When run as a .bat, the file could do many things.
When loaded as a .ini (in the IRC client), the file was an IRC backdoor.

As you see, such a "shortcut file" can include many different things or codes inside; playing with extensions, only the linked code will be executed.
You can probably find some of those "pif worms" on vxnetlux. I've lost almost all the things I did.


Sadly my ".pif" idea was badly copied: all the worms or trojans using it were just .exe renamed, without editing the ".pif".

Last edited by Del_Armg0 (2011-11-11 15:03:44)


Re: Relative path in LNK-exploit

Del_Armg0 wrote:

Around 10 or 12 years ago I found the "pif" technique... [...]

While the subject is interesting, it's not really relevant to the topic, as the vulnerability lies in how Windows handles the icon loading in .lnk files.



Re: Relative path in LNK-exploit

More here: [link]

Re: Relative path in LNK-exploit

And yes, a little over 2 months after Stuxnet was discovered, M$ finally opens up the LNK file format.
[link]

Last edited by kiber_punk (2011-11-11 16:52:09)
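Since the post above points at the now-public LNK specification (MS-SHLLINK), here is a small builder/parser for the parts of the format this thread keeps coming back to: the LinkFlags that gate each optional section, and the StringData fields where a RELATIVE_PATH, WORKING_DIR or ICON_LOCATION string actually lives. It is an added example written for this page, not code from the thread or from Microsoft; the field layout follows MS-SHLLINK, while the cp1252 fallback for non-Unicode strings and the sample paths are assumptions. Note that a Stuxnet-style shortcut carries its DLL path inside the LinkTargetIDList (the Control Panel item), which this code only returns as raw bytes for inspection; the StringData fields are the documented place for a relative path, and the spec defines RELATIVE_PATH as relative to the .lnk file itself.

```python
"""Minimal MS-SHLLINK builder/parser (added example, not from the thread).
Builds an .lnk with chosen StringData fields, then walks
header -> LinkTargetIDList -> LinkInfo -> StringData -> ExtraData to read them back."""
import struct
import uuid

# Fixed LinkCLSID of a Shell Link (MS-SHLLINK 2.1) and the fixed header size
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) used here
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields are serialised in this fixed order, each gated by its flag
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)


def build_lnk(name=None, relative_path=None, working_dir=None,
              arguments=None, icon_location=None, icon_index=0):
    """Serialise a Unicode .lnk made of header + requested StringData fields +
    terminal ExtraData block (no IDList or LinkInfo is emitted)."""
    values = {"name": name, "relative_path": relative_path,
              "working_dir": working_dir, "arguments": arguments,
              "icon_location": icon_location}
    flags = IS_UNICODE
    string_data = b""
    for key, bit in STRING_FIELDS:
        if values[key] is not None:
            flags |= bit
            # CountCharacters (uint16) followed by UTF-16LE chars, no terminator
            string_data += struct.pack("<H", len(values[key]))
            string_data += values[key].encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le
    # LinkFlags, FileAttributes, Creation/Access/Write time, FileSize,
    # IconIndex (signed), ShowCommand (SW_SHOWNORMAL = 1), HotKey, Reserved1-3
    header += struct.pack("<IIQQQIiIHHII", flags, 0, 0, 0, 0, 0,
                          icon_index, 1, 0, 0, 0, 0)
    assert len(header) == HEADER_SIZE
    terminal_block = struct.pack("<I", 0)  # BlockSize < 4 ends ExtraData
    return header + string_data + terminal_block


def parse_lnk(data):
    """Return the header values, raw IDList/LinkInfo, decoded StringData
    fields and the (signature, size) of each ExtraData block."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize: not a shell link")
    if uuid.UUID(bytes_le=bytes(data[4:20])) != LNK_CLSID:
        raise ValueError("bad LinkCLSID: not a shell link")
    flags, _attrs, _ct, _at, _wt, _size, icon_index, show_cmd = \
        struct.unpack_from("<IIQQQIiI", data, 20)
    pos = HEADER_SIZE
    out = {"flags": flags, "icon_index": icon_index, "show_command": show_cmd,
           "id_list": None, "link_info": None, "extra_blocks": []}
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (uint16) + ItemIDs
        size = struct.unpack_from("<H", data, pos)[0]
        out["id_list"] = bytes(data[pos + 2:pos + 2 + size])
        pos += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (uint32) covers itself
        size = struct.unpack_from("<I", data, pos)[0]
        out["link_info"] = bytes(data[pos:pos + size])
        pos += size
    is_unicode = bool(flags & IS_UNICODE)
    for key, bit in STRING_FIELDS:
        out[key] = None
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated StringData field %s" % key)
        # ANSI strings use the system code page; cp1252 is an assumption here
        out[key] = raw.decode("utf-16-le" if is_unicode else "cp1252")
        pos += nbytes
    while pos + 4 <= len(data):              # ExtraData: BlockSize, BlockSignature
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0] if size >= 8 else None
        out["extra_blocks"].append((sig, size))
        pos += size
    return out


def demo():
    """Round-trip a shortcut carrying a relative target path (constructed sample)."""
    lnk = build_lnk(relative_path=r".\test.dll", working_dir=r"C:\Users\Public",
                    icon_location=r"%SystemRoot%\system32\shell32.dll", icon_index=3)
    return parse_lnk(lnk)


if __name__ == "__main__":
    parsed = demo()
    for key, _ in STRING_FIELDS:
        print("%-14s %r" % (key, parsed[key]))
```

When triaging real shortcuts, the two things worth looking at first are `flags & HAS_LINK_TARGET_ID_LIST` together with the raw `id_list` bytes (where a Control Panel item would sit), and whether `icon_location` or `relative_path` points at a DLL or a UNC share rather than a normal target.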

Re: Relative path in LNK-exploit

English, please

Re: Relative path in LNK-exploit

Del_Armg0 wrote:

English, please

Sorry, "untranslatable Russian folklore". ))
And sorry for my English.
----------------------------
I said that some time (~2 months) after the Stuxnet worm* was detected, Microsoft, "with a heavy heart" [скрепя сердцем], opened up [link].

* [link] in its blog. Very interesting.