I’m writing this quickpost just in case you hadn’t figured this out for yourself: the techniques I described to protect machines from the .LNK vulnerability also help you mitigate the DLL preloading issue.
The .LNK vulnerability mitigation examples I gave with Ariad (no file execute) and SRP prevent loading of DLLs from untrusted locations (USB sticks, network drives, …). These will also prevent DLLs from loading from untrusted sources in the case of DLL Preloading exploits.
I updated my .LNK template with info I got from comments from WndSks and Forrest Gump. This new version identifies well-known Shell GUIDs:
Microsoft has issued an emergency patch (MS10-046) for the .LNK file vulnerability (CVE-2010-2568).
I’m releasing two small tools I developed to help me investigate this vulnerability.
First one is a 010 Editor template file for the .LNK binary file format.
Second one is a ClamAV signature file to find all .LNK shortcuts that load a DLL (malicious or benign).
To scan your drive C, issue command
clamscan.exe -d LNK-CPL-CVE-2010-2568.ndb -l scan.log -r c:\
Today I tested @Ivanlef0u ‘s .LNK PoC with my latest Ariad tool.
I adapted the PoC to work on a CD-ROM for drive D. When you load the CD-ROM with the PoC (I use an ISO file inside a VM) and take a look at DbgView’s output, you’ll notice that payload gets executed:
With Ariad installed on the machine in its default configuration (just block \autorun.inf), the PoC still works:
But configuring Ariad to block access to executables (this includes .LNK) prevents the PoC from executing:
Access to the .LNK file is denied, and Windows Explorer can’t start the payload.
And configuring Ariad to prevent files to be mapped in memory (this is something done by Windows with executables) also prevents the PoC from executing:
This time, access to the .LNK file is not denied, but dll.dll is prevented from loading into memory, thus again preventing the payload from executing.
You can use Ariad if you want to mitigate attacks with these shortcut links until Microsoft releases a patch. As it is expected that Microsoft will not release a patch for Windows XP SP2, Ariad can offer permanent mitigation.
Be sure to read Ariad‘s documentation before using it.
Last year for Brucon, I produced some reverse engineering challenges (and I’m producing new ones for this year’s edition).
The Hex Factor blog posted the solution for level 300.
The source code for the challenge can be downloaded here. It’s completely written in assembler, even the I/O routines.
Here’s a trick I used to create your own EXE from assembler code, without any library:
A simple assembly program:
BITS 32
ret
Assemble with nasm: nasm -f win32 ret.asm -o ret.o
And link with mingw32‘s linker: ld -s ret.o -o ret.exe
Result:
I wrote an article in Hakin9 magazine how to write shellcode with a C-compiler.
People before me have worked out methods to do this; the advantage of my method is that you can debug your shellcode inside the Visual Studio IDE.
The template can be found here.
Now that malicious PDFs using the /Launch action become more prevalent, I release a new PDFiD version to detect (and disarm) the /Launch action.
NetworkMashup.xls is a spreadsheet with VBA macros I scraped from the Internet to execute pings and name/address resolution from within Excel with WIN32 API calls.
Not only is it handy when you need to do some network mapping in a restricted environment, but also if you’ve just a list of machines to monitor.
The spreadsheet contains several sheets. One sheet to perform a single ping:
One sheet to ping/resolve a list:
One sheet to list the IP addresses of the current machine:
And last, a sheet with settings:
Download here.
I’ve added 2 new assembly source files for shellcode to execute a ping.
First one does a simple ping, second one does a ping with the computername and username in the ICMP packet data.
Didier Stevens 