Shortcut files (.lnk) are Windows Shell Items that reference an original file, folder, or application.
Shortcuts (.lnk files) are mainly a UI concept on Windows, stored in a custom binary format. A shortcut can carry additional information about how to launch a program (minimized, maximized) and command-line arguments. Common properties:
- Target type (e.g. Application)
- Target location (e.g. Office 16)
- Target (e.g. C:\Program Files\…\WINWORD.EXE)
- Start in (e.g. C:\Program Files\…\Office 16)
- Shortcut key (e.g. None)
- Run (e.g. Normal window)
- Comment
- Icon
LNK Abuse
- Exploits: e.g. Stuxnet (CVE-2010-2568)
- Initial access: phishing/drive-by downloads
- Persistence: create/upload LNKs
- Defense Evasion: masquerading
LNK Vulnerability

Use lnk-generator from the lnk-it-up (GitHub) repository.

Microsoft will NOT fix it.
LNK file format:
- ShellLinkHeader (required, fixed size): HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved, Reserved, Reserved
- LinkTargetIDList (almost always present): path to the file or folder
- LinkInfo: Windows will try to locate the file if it does not exist at the location. LinkInfo contains extra metadata for Windows to find where the file may be now.
- StringData: many strings, but often command line arguments
- *ExtraData (0 to many blocks of ExtraData): when the path contains environment variables, the real full path is stored here
LinkFlags (4 bytes long) determines how the rest of the file is structured: whether LinkTargetIDList, LinkInfo, StringData and *ExtraData are present.
Use unlikely combinations of flags, unusual values, overflowing fields, and mismatches.
Example 1: Spoofed program
Displays “your-invoice.pdf” in Target but executes calc.exe. Windows always prioritizes the environment-variable path in ExtraData, but it needs to be a valid path. Adding the double quotes makes it invalid, so Windows displays the ExtraData value but falls back to executing LinkTargetIDList.
- ShellLinkHeader: LinkFlags 0x00000201 (HasLinkTargetIDList, HasExpString)
- LinkTargetIDList: C:\windows\system32\calc.exe
- *ExtraData: “your-invoice.pdf”
- Icon: Use the PDF icon.
Works well when there are no command-line arguments. When there are, they are displayed in the Target as “your-invoice.pdf” /c ping 127.0.0.1
python3 -m lnk-generator.generate SPOOFEXE_SHOWARGS_ENABLETARGET --target-executable "C:\windows\system32\calc.exe" --fake-path "C:\your-invoice.pdf" --output your-invoice.pdf.lnk
Example 2: Hidden arguments
Displays c:\Windows\System32\cmd.exe in Target but executes c:\Windows\System32\cmd.exe /c echo HAHA TRICKED YOU; ping 127.0.0.1. Arguments are hidden. The flags say that there will be an environment variable string, but there is none (null value). So Windows falls back on LinkTargetIDList, makes the lnk read-only, and for some obscure reason hides the command arguments…
- ShellLinkHeader: LinkFlags 0x00000221 (HasLinkTargetIDList, HasArguments, HasExpString)
- LinkTargetIDList: C:\windows\system32\cmd.exe
- StringData: /c echo HAHA TRICKED YOU; ping 127.0.0.1
- *ExtraData: (null)
- Icon: Use the command prompt icon.
Example 3: Spoofed program
Displays “C:\README.txt” in Target but executes c:\Windows\System32\mshta.exe javascript:alert(“Hello audience!”);. Arguments are hidden. Preferred path order: ExtraData (file does not exist), LinkTargetIDList (invalid path), LinkInfo.
- ShellLinkHeader: LinkFlags 0x00000223 (HasLinkTargetIDList, HasLinkInfo, HasArguments, HasExpString)
- LinkTargetIDList: X:\___________________
- LinkInfo: C:\Windows\System32\mshta.exe
- StringData: javascript:alert(“Hello audience!”);
- *ExtraData: C:\README.txt
- Icon: Use the text file icon.

LinkInfo is meant to repair broken links. The .lnk file will be updated after clicking it and the Target will display the real payload!
Example 4: Spoof & Disable

Best version: it is undetected, the path is disabled, the path is spoofed, the arguments are spoofed, and it can use environment variables.
Displays F:\USB Drive in Target but executes powershell.exe /ec <base64 payload>. ExtraData expects one path in ANSI (UTF-8) and the other in Unicode (UTF-16), but the second one was not provided. So Windows disables the fields and hides the arguments…
- ShellLinkHeader: LinkFlags 0x00000221 (HasLinkTargetIDList, HasArguments, HasExpString)
- LinkTargetIDList: F:\USB Drive
- StringData: /ec <base64 payload>
- *ExtraData: %WINDIR\WindowsPowerShell\v1.0\powershell.exe | (null), where powershell cmd is in UTF-8, (null) is UTF-16LE
- Icon: Use the drive icon.

Defense
Use lnk-tester from the lnk-it-up (GitHub) repository.
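The mismatches in Examples 1, 2 and 4 can be checked for by comparing the HasExpString flag with what the EnvironmentVariableDataBlock in ExtraData actually holds. The sketch below is an added example, not lnk-tester's code and not from the original talk; the function names, the findings text and the sample bytes are assumptions made for illustration, and the offsets and sizes follow the MS-SHLLINK layout.

```python
import struct

HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, HAS_EXP = 0x1, 0x2, 0x80, 0x200  # LinkFlags bits
STRING_BITS = (0x4, 0x8, 0x10, 0x20, 0x40)  # name, relpath, workdir, args, icon
ENV_SIG = 0xA0000001                        # EnvironmentVariableDataBlock signature

def find_env_block(data, flags):
    """Skip the optional sections LinkFlags announces, then walk ExtraData."""
    pos = 76                                # fixed ShellLinkHeader size
    if flags & HAS_IDLIST:                  # 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                # 4-byte size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in STRING_BITS:                 # counted strings, in flag order
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + n * (2 if flags & IS_UNICODE else 1)
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                        # terminal block ends ExtraData
            break
        if sig == ENV_SIG:
            return data[pos + 8:pos + size]
        pos += size
    return None

def audit_lnk(data):
    """Return findings where HasExpString and the env block disagree."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C:
        return ["not a shell link"]
    flags = struct.unpack_from("<I", data, 20)[0]
    try:
        env = find_env_block(data, flags)
    except struct.error:
        return ["truncated or inconsistent structure"]
    if env is None:
        return ["HasExpString set but no env block"] if flags & HAS_EXP else []
    ansi = env[:260].split(b"\0")[0]        # TargetAnsi, NUL-terminated
    uni = env[260:780].decode("utf-16-le", "replace").split("\0")[0]  # TargetUnicode
    checks = [(not (ansi and uni), "env target missing in ANSI and/or Unicode field"),
              (b'"' in ansi or '"' in uni, "env target contains a double quote")]
    return [msg for bad, msg in checks if bad]

def sample(ansi=b"", uni="", with_env=True):
    """Constructed input (not a real file): flags 0x221, empty IDList, args '/c'."""
    env = struct.pack("<II260s520s", 0x314, ENV_SIG, ansi, uni.encode("utf-16-le"))
    head = struct.pack("<I16xI52x", 0x4C, 0x221) + b"\x02\x00\x00\x00" + b"\x02\x00/c"
    return head + (env if with_env else b"") + b"\0\0\0\0"
```

Any non-empty result from `audit_lnk(open(path, "rb").read())` is a reason to inspect the shortcut with a full parser before trusting what Explorer shows in Target.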
Reference
- Trust me, I’m a Shortcut – new LNK abuse methods (NorthSec)
- Hidden Windows Vulnerability: The .lnk Shortcut Threat Explained (Windows Forum)