Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
regsvr32
MSHTA
Control Panel Item
Executing Code as a Control Panel Item through an Exported Cplapplet Function
Code Execution through Control Panel Add-ins
CMSTP
InstallUtil
Using MSBuild to Execute Shellcode in C#
Forfiles Indirect Command Execution
Application Whitelisting Bypass with WMIC and XSL
Powershell Without Powershell.exe
Powershell Constrained Language Mode ByPass
Forcing Iexplore.exe to Load a Malicious DLL via COM Abuse
pubprn.vbs Signed Script Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Executing Code as a Control Panel Item through an Exported Cplapplet Function
This is a quick note that shows how to execute code in a .cpl file, which is a regular DLL file representing a Control Panel item.
The .cpl file needs to export a function CplApplet in order to be recognized by Windows as a Control Panel item.
Once the DLL is compiled and renamed to .CPL, it can simply be double clicked and executed like a regular Windows .exe file.

Code

item.cpl
1
// dllmain.cpp : Defines the entry point for the DLL application.
2
#include "stdafx.h"
3
#include <Windows.h>
4
​
5
//Cplapplet
6
extern "C" __declspec(dllexport) LONG Cplapplet(
7
HWND hwndCpl,
8
UINT msg,
9
LPARAM lParam1,
10
LPARAM lParam2
11
)
12
{
13
MessageBoxA(NULL, "Hey there, I am now your control panel item you know.", "Control Panel", 0);
14
return 1;
15
}
16
​
17
BOOL APIENTRY DllMain( HMODULE hModule,
18
DWORD ul_reason_for_call,
19
LPVOID lpReserved
20
)
21
{
22
switch (ul_reason_for_call)
23
{
24
case DLL_PROCESS_ATTACH:
25
{
26
Cplapplet(NULL, NULL, NULL, NULL);
27
}
28
case DLL_THREAD_ATTACH:
29
case DLL_THREAD_DETACH:
30
case DLL_PROCESS_DETACH:
31
break;
32
}
33
return TRUE;
34
}
Copied!
Once the DLL is compiled, we can see our exported function Cplapplet:

Demo

Below shows that double-clicking the .cpl item is enough to launch it:
CPL file can also be launched with control.exe <pathtothe.cpl> like so:
or with rundll32:
[email protected]
1
rundll32 shell32, Control_RunDLL \\VBOXSVR\Experiments\cpldoubleclick \cpldoubleclick\Debug\cpldoubleclick.cpl
Copied!

References

Staying Hidden on the Endpoint: Evading Detection with Shellcode | Mandiant
DueDLLigence/DueDLLigence.cs at master · mandiant/DueDLLigence
GitHub
Using CPLApplet - Win32 apps
docsmsft
Previous
Control Panel Item
Next
Code Execution through Control Panel Add-ins
Last modified 2yr ago
Copy link
Contents
Code
Demo
References