Published: 22/07/2010 Updated: 07/12/2023
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote malicious users to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

Vulnerable Product

microsoft windows server 2008

microsoft windows server 2008 -

microsoft windows server 2008 r2

microsoft windows xp -

microsoft windows 7 -

microsoft windows vista -

microsoft windows xp

microsoft windows vista

microsoft windows server 2003

microsoft windows 2003 server


##
# $Id: ms10_046_shortcut_icon_dllloader.rb 10404 2010-09-21 00:13:30Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require ...

From: www.ivanlef0u.tuxfamily.org/?p=411

1. Unzip the files in 'C: \'. Start a DbgView or paste a KD to your VM.
2. Rename 'suckme.lnk_' to 'suckme.lnk' and let the magic do the rest of shell32.dll.
3. Look at your logs.

ivanlef0u.nibbles.fr/repo/suckme.rar
github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin- ...

Metasploit Modules

Microsoft Windows Shell LNK Code Execution

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(ms10_046_shortcut_icon_dllloader) > show targets
msf exploit(ms10_046_shortcut_icon_dllloader) > set TARGET <target-id>
msf exploit(ms10_046_shortcut_icon_dllloader) > show options
    ...show and set options...
msf exploit(ms10_046_shortcut_icon_dllloader) > exploit

Microsoft Windows Shell LNK Code Execution

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload inside a DLL, and generates a LNK file which must be sent to the target.

msf > use exploit/windows/smb/ms10_046_shortcut_icon_dllloader
msf exploit(ms10_046_shortcut_icon_dllloader) > show targets
msf exploit(ms10_046_shortcut_icon_dllloader) > set TARGET <target-id>
msf exploit(ms10_046_shortcut_icon_dllloader) > show options
    ...show and set options...
msf exploit(ms10_046_shortcut_icon_dllloader) > exploit

Github Repositories

Penetration Testing course at Haaga-Helia, fall 2018

pentesting Penetration Testing course at Haaga-Helia, fall 2018. This course was taught by Tero Karvinen at Haaga-Helia University of Applied Sciences in the fall of 2018. The course is the first of its kind at the school, and aims to teach students some basic pentesting skills to use in future cyber security tasks. DISCLAIMER: Penetration testing uses methods that, when used ag

GAUSS MALWARE Source [Striking similarities with Duqu, FlameR!, Fanny, StuxNet and more.] Source coming soon! + Binaries + Video showing live-action (what it does, how to remove it & for those interested - how to change the source, compile it, and run it) (Only as a Academical Exercise obviously)

Gauss-Src GAUSS MALWARE Source [Striking similarities with Duqu, FlameR!, Fanny, Stuxnet and more] related: Fannybmp - the Precursor to STUXNET Stars Duqu FlamER These coming soon: Source code Binaries Video showing live-action (what it does, how to remove it & for those interested - how to change the source, compile it, and run it) (Only as a Academical Exercise


FannyBMP or DementiaWheel ⚠️ (hopefully final `NOTICE`:) As writing really isn't my front; I decided to make (yet another) Branch called "only_malware" which ONLY CONTAINS THE FANNYBMP MALWARE please find it here only_malware Note! the technical report I wrote has a few* painfully-obvious flaws (like being wri

Enumeration nmap -sn -v /CIDR nmapAutomator All autorecon /CIDR NMAP TCP sudo -sS -sC -sV -oA tcp -v UDP sudo -sU -sS -sC -sV -oA udp -v FTP - 21 Brute force hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ftp:// -u -vV Downloading file ftp PASSIVE BINARY get Uploading file ftp PASSIVE BINARY put SSH - 22 Brute force hydra -V -f -L <U

One-command to detect all remotely exploitable KEV vulnerability. Sourced from CISA KEV, Google's Tsunami and Ostorlab's Asteroid.

Known Exploited Vulnerabilities Detector. Introduction: This project is dedicated to the detection of known exploited vulnerabilities. Our goal is to provide a single command to detect all of these vulnerabilities. Requirements: Docker is required to run scans locally. To install docker, please follow these instructions. Installing: Ostorlab ships as a Python package on pypi. To in

Recent Articles

Threats to users of adult websites in 2018
Securelist • Kaspersky Lab • 21 Feb 2019

2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms – Tumblr – announced it was banning erotic content (even though almost a quarter of its users consume adult content). In addition, the UK received the title of ‘The Second Most Porn-Hungry Country in the World’ and is now implementing a law on age-verification for pornography lovers that...

USB threats from malware to miners
Securelist • Kaspersky Lab • 25 Sep 2018

In 2016, researchers from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.
USB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files ...

Exploits: how great is the threat?
Securelist • Kaspersky Lab • 20 Apr 2017

How serious, really, is the danger presented by exploits? The recent leak of an exploit toolset allegedly used by the infamous Equation Group suggests it’s time to revisit that question. Several zero-days, as well as a bunch of merely ‘severe’ exploits apparently used in-the-wild were disclosed, and it is not yet clear whether this represents the full toolset or whether there’s more to come, related to either Equation or another targeted threat actor.
Of course, Equation Group is n...

Slammer worm slithers back online to attack ancient SQL servers
The Register • Darren Pauli • 05 Feb 2017

If you get taken down by this 13-year-old malware, you probably deserve it

One of the world's most famous net menaces, SQL Slammer, has resumed attacking servers some 13 years after it set records by infecting 75,000 servers in 10 minutes, researchers say.
The in-memory worm exploits an ancient flaw in Microsoft SQL server and Desktop Engine triggering denial of service, and at the time of its emergence significantly choking internet traffic.
Researcher Michael Bacarella first raised the alarm to Slammer which was created on the back of public proof-of-conc...

It's 2017 and 200,000 services still have unpatched Heartbleeds
The Register • Darren Pauli • 23 Jan 2017

What does it take to get people patching? Not Reg readers, obviously. Other, silly people

Some 200,000 systems are still susceptible to Heartbleed more than two years and 9 months after the huge vulnerability was disclosed.
Patching efforts spiked after news dropped in April 2014 of the world's most well-known and at the time then most catastrophic bug.
The vulnerability (CVE-2014-0160) that established the practice of branding bugs lived up to its reputation: the tiny flaw in OpenSSL allows anyone to easily and quietly plunder vulnerable systems stealing passwords, login...

Kids these days can't even write a decent virus
The Register • Darren Pauli • 18 May 2016

Researchers find crusty Stuxnet, Conficker, are still the web's top threats

The crusty headless Conficker worm is the web's most prolific web threat, says security Check Point.
The net menace was the one-time world's biggest bot worming its way since 2008 through millions of machines across every country in the world, smashing through social networks including Facebook, Skype, and popular email services.
It exploits a Windows vulnerability (CVE-2008-4250) shuttered in a Microsoft critical update that year.
Check Point says it registered the worm as the...

Six-year-old patched Stuxnet hole still the web's biggest killer
The Register • Darren Pauli • 09 May 2016

Crusty bait makes for great phishing

The six-year-old vulnerability first burnt by Stuxnet remains the internet's chief pwning vector and is a key instrument of the world's worst exploit kit known as Angler.
The vulnerability is a hole in Windows Shell that is both long since patched and well publicised as part of its discovery in the US' Stuxnet worm, the killer malware that laid waste to the Natanz uranium enrichment plant.
Many malware families exploit the vulnerability but users would be most likely to encounter it ...

Patch Tuesday March 2015 – Stuxnet LNK 0day Fixed
Securelist • Kurt Baumgartner • 11 Mar 2015

Wait, what? Wasn’t the Stuxnet LNK vulnerability CVE-2010-2568, reported by Sergey Ulasen, patched years ago? Didn’t Kim Zetter have enough time to write 448 pages of thoroughly footnoted research on this digital weaponry?
Yes, it was, but MS10-046 didn’t completely fix all of the vulnerable code path. And, we just might start to call it the Fanny LNK 0day, after Equation’s poorly QA’d USB worm spread across Pakistan exploiting the same LNK vulnerability years earlier than ...

A Fanny Equation: “I am your father, Stuxnet”
Securelist • GReAT • 17 Feb 2015

At the Virus Bulletin conference in 2010, researchers from Kaspersky Lab partnered with Microsoft to present findings related to Stuxnet. The joint presentation included slides dealing with various parts of Stuxnet, such as the zero-days used in the attack.
Perhaps the most interesting zero-day exploit from Stuxnet was the LNK exploit (CVE-2010-2568). This allowed Stuxnet to propagate through USB drives and infect even machines that had Autorun disabled.
It was discovered during...

Oi! Rip Van Winkle: PATCH, already
The Register • Darren Pauli • 20 Aug 2014

Stuxnet, Sality, Gauss, Flame still infecting your unpatched boxen

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm.
The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7.
Since July 2010 it has continued to power the Sality worm, and fueled Stuxnet and its derivatives Flame and Gauss on unpatched machines.
The Red October malwa...

The echo of Stuxnet
Securelist • Kaspersky Lab • 05 Aug 2014

At Kaspersky Lab we regularly conduct threat studies dedicated to a particular type of cyber threat. This summer we decided to look closely at what versions of Windows Operating System are most popular among our users and also at what kind of vulnerabilities are used in cyber-attacks involving exploits. As a result we prepared a study called “Windows usage and vulnerabilities”. Some of its results were rather predictable – but some were really surprising.

The Rise of Cybercrime in Dubai and UAE
Securelist • Mohamad Amin Hasbini • 23 Jun 2014

A lot of our everyday communication and commercial activities are now taking place online, the threat from cybercrime is increasing, targeting citizens, businesses and governments at a rapidly growing rate.
Organizations and individuals are worried about the increase of Cybercrime, not just because of financial damage, but loss of privacy and intellectual property, in addition to reputation problems.
Recent statistics have shown dramatic growth in the Cybercrime in the UAE. Emergin...

Kaspersky Security Bulletin 2013. Overall Statistics for 2013
Securelist • Christian Funk Maria Garnaeva • 10 Dec 2013

This section of the report forms part of the Kaspersky Security Bulletin 2013 and is based on data obtained and processed using Kaspersky Security Network (KSN). KSN integrates cloud-based technologies into personal and corporate products, and is one of Kaspersky Lab’s most important innovations.
The statistics in this report are based on data obtained from Kaspersky Lab products installed on users’ computers worldwide and were obtained with the full consent of the users involved.

Gauss: Abnormal Distribution
Securelist • GReAT • 09 Aug 2012

While analyzing the Flame malware that we detected in May 2012, Kaspersky Lab experts identified some distinguishing features of Flame’s modules. Based on those features, we discovered that in 2009, the first variant of the Stuxnet worm included a module that was created based on the Flame platform. This indicates that there was some form of collaboration between the groups that developed the Flame and Tilded (Stuxnet/Duqu) platforms.

Gauss: Nation-state cyber-surveillance meets banking Trojan
Securelist • GReAT • 09 Aug 2012


Gauss is the most recent cyber-surveillance operation in the Stuxnet, Duqu and Flame saga.
It was probably created in mid-2011 and deployed for the first time in August-September 2011.
Gauss was discovered during the course of the ongoing effort initiated by the International Telecommunications Union (ITU), following the discovery of Flame. The effort is aimed at mitigating the risks posed by cyber-weapons, which is a key component in achieving the o...

Kaspersky Security Bulletin. Malware Evolution 2010
Securelist • Alexander Gostev • 17 Feb 2011

This is Kaspersky Lab’s annual threat analysis report covering the major issues faced by corporate and individual users alike as a result of malware, potentially harmful programs, crimeware, spam, phishing and other different types of hacker activity.
The report has been prepared by the Global Research & Analysis Team (GReAT) in conjunction with Kaspersky Lab’s Content & Cloud Technology Research and Anti-Malware Research divisions.
The year 2010 has been almost identical...

IT Threat Evolution for Q3-2010
Securelist • Yury Namestnikov • 17 Dec 2010

The third quarter of 2010 turned out to be more eventful than the preceding quarter. Over 600 million attempts to infect users’ computers with malicious and potentially unwanted programs were blocked during this period; an increase of 10% on the second quarter of this year. Out of all of the objects detected, over 534 million were malicious programs. There was an emergence of ultra-sophisticated malware in this quarter too. This was the first time we have seen malware which used not one, but f...

Monthly Malware Statistics, November 2010
Securelist • Vyacheslav Zakorzhevsky • 02 Dec 2010

By far the biggest threat to users this month was drive-by downloads. This type of attack can result in users’ computers being infected even when visiting legitimate sites.
Here’s a quick reminder of how drive-by downloads infect computers. First of all, a user visits a legitimate site that has been infected or a site belonging to cybercriminals where a redirect script is located. A good example of just such a script is Downloader.JS.Pegel, one of the most prevalent redirects of recent...

Monthly Malware Statistics, October 2010
Securelist • Vyacheslav Zakorzhevsky • 03 Nov 2010

Kaspersky Lab presents its malware rankings for October.
Overall, October was relatively quiet, although there were a few incidents worthy of note. Virus.Win32.Murofet, which infected a large number of PE files, was detected at the beginning of the month. What makes this malware interesting is that it generates links using a special algorithm based on the current date and time on the infected computer. Murofet gets the system’s current year, month, date, and minute, generates two double ...

Cybercrime Raiders
Securelist • Vyacheslav Zakorzhevsky • 12 Oct 2010

The security was tight enough, but the raider knew exactly where the weak point in the system was. He had undergone special training to help him slip unnoticed through loopholes like these and infiltrate the network. The raider creates the loophole that lets others in — spies, thieves or secret agents, who then force the system to operate according to their bosses’ wishes. As long as the loophole stays open…
This is not a scene from a computer game, this type of scenario is played ou...

Monthly Malware Statistics, September 2010
Securelist • Vyacheslav Zakorzhevsky • 05 Oct 2010

Kaspersky Lab presents its malware rankings for September.
There are relatively few new malicious programs in either ranking. It is, however, worth highlighting a new ‘bundle’: Trojan-Dropper.Win32.Sality.cx which installs Virus.Win32.Sality.bh to an infected computer. The dropper spreads using a vulnerability in WinLNK files (i.e., Windows shortcuts). It’s also worth noting that in September the number of exploits targeting CVE-2010-1885 (the Windows Help and Support Center vulnerab...

Monthly Malware Statistics: August 2010
Securelist • Vyacheslav Zakorzhevsky • 01 Sep 2010

In August, there was a significant increase in exploits of the CVE-2010-2568 vulnerability. Worm.Win32.Stuxnet, which notoriously surfaced in late July, targets this vulnerability, as does the Trojan-Dropper program which installs the latest variant of the Sality virus – Virus.Win32.Sality.ag. Unsurprisingly, black hats lost no time in taking advantage of this latest vulnerability in the most commonly used version of Windows. However, on 2 August Microsoft released MS10-046 which provides a pa...

LNK zero-day, the fundamentals
Securelist • Roel Schouwenberg • 19 Jul 2010

Over the weekend I spent more time looking into the zero-day LNK (shortcut) Windows vulnerability that Aleks blogged about last week. It’s now been classified as CVE-2010-2568 and is being actively exploited in the wild.
My main conclusion is that this vulnerability is a fundamental part of how Windows handles LNK files. This means there are two huge negatives – firstly, as this functionality is pretty standard, it’s going to be harder to create effective generic detections which do...