| Title | Published | Views | Family |
|---|---|---|---|
| electron{33,34} -- Incorrect handle provided in unspecified circumstances in Mojo | 27 Mar 2025 00:00 | – | freebsd |
| Exploit for CVE-2025-2783 | 6 Apr 2025 03:49 | – | githubexploit |
| Exploit for CVE-2025-2783 | 1 Apr 2026 09:33 | – | githubexploit |
| Exploit for CVE-2025-2783 | 26 May 2025 12:51 | – | githubexploit |
| CVE-2025-2783 | 26 Mar 2025 00:00 | – | attackerkb |
| CVE-2025-2783 | 26 Mar 2025 16:07 | – | alpinelinux |
| CVE-2025-2857 | 27 Mar 2025 14:15 | – | alpinelinux |
| June Linux Patch Wednesday | 1 Jul 2025 11:28 | – | avleonov |
| April Microsoft Patch Tuesday | 10 Apr 2025 22:59 | – | avleonov |
| The vulnerability of the Mojo component of the Google Chrome browser for Windows operating systems allows a hacker to bypass existing security restrictions and execute arbitrary code. | 26 Mar 2025 00:00 | – | bdu_fstec |
# Titles: Microsoft Edge Renderer Process (Mojo IPC) 134.0.6998.177 - Sandbox Escape
# Author: nu11secur1ty
# Date: 08/07/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/software-download/windows11
# Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49730
# CVE-2025-2783
## Description
This project contains a **proof-of-concept (PoC)** simulation for
**CVE-2025-2783**, a sandbox escape and privilege escalation vulnerability
affecting the Microsoft Mojo IPC subsystem on Windows 11 Pro.
The simulation demonstrates how a malicious renderer process could exploit
a crafted IPC message to escape sandbox restrictions and escalate
privileges, potentially leading to full system compromise.
---
## Disclaimer
**This code is provided for educational and responsible disclosure purposes
only.**
Do NOT use it for unauthorized testing or attacks on systems you do not own
or have explicit permission to test.
The author(s) created this simulation in a controlled environment (virtual
machine) to safely demonstrate the vulnerability before reporting it to
Microsoft Security Response Center (MSRC).
---
## Components
- `kur.py`: The main PoC Python script. It can run as either:
  - A phishing server hosting a malicious payload file
  - An exploit client that downloads the payload, simulates IPC
    communication, and triggers the sandbox escape.
- `malicious_input.mojopipe`: The generated malicious payload JSON file
  (created at runtime).
- `incident.log`: Log file recording actions and simulated system
  information captured during exploitation.
---
## Usage
### Prerequisites
- Python 3.7 or later on Windows 11 Pro (preferably in a VM for safety).
- Administrator privileges recommended for full information output.
### Steps
1. **Start the phishing server** (in one terminal):
   ```bash
   python kur.py
   ```
   Enter choice: `1`
   This hosts the malicious payload file on `http://<your_ip>:8080/`.
2. **Run the exploit client** (in another terminal on the same machine):
   ```bash
   python kur.py
   ```
   Enter choice: `2`
   This downloads the payload, simulates the IPC communication, and
   attempts sandbox escape.
3. **Observe logs** in `incident.log` and console output for evidence of
   the simulated exploit.
---
## Technical Details
- The PoC simulates Mojo IPC message passing using Python's
`multiprocessing.connection` module.
- The exploit payload contains a special handle value that triggers the
sandbox escape simulation.
- When triggered, the PoC logs user and system info to demonstrate
privilege escalation.
- The phishing server serves the malicious payload to mimic a real-world
attack vector.
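A defensive counterpart to the message passing described above, as an added example that is not part of the original PoC: the privileged end of a `multiprocessing.connection` pipe accepts a handle only if it issued that handle to the peer itself. The `HandleBroker` class, the JSON message shape and the sample values are assumptions made for illustration.

```python
import json
from multiprocessing.connection import Pipe

class HandleBroker:
    """Privileged endpoint: honours only handles it issued to this peer."""

    def __init__(self):
        self._issued = {}  # handle id -> resource name (hypothetical table)
        self._next_id = 1

    def issue(self, resource):
        handle, self._next_id = self._next_id, self._next_id + 1
        self._issued[handle] = resource
        return handle

    def validate(self, raw):
        """Return (accepted, detail) for one JSON message from the peer."""
        try:
            msg = json.loads(raw)
        except ValueError:
            return False, "malformed message"
        if not isinstance(msg, dict):
            return False, "malformed message"
        handle = msg.get("handle")
        # bool is a subclass of int, so rule it out explicitly.
        if isinstance(handle, bool) or not isinstance(handle, int):
            return False, "handle is not an integer"
        if handle not in self._issued:
            # Negative, sentinel and never-issued values all end up here.
            return False, "handle was not issued to this peer"
        return True, self._issued[handle]

def run_demo():
    broker = HandleBroker()
    good = broker.issue("shared-buffer")
    broker_end, renderer_end = Pipe()
    # Constructed sample messages standing in for the untrusted side.
    samples = [json.dumps({"handle": v}) for v in (good, -1, 9999, "1", True)]
    samples.append("not json")
    for raw in samples:
        renderer_end.send_bytes(raw.encode())
    results = [broker.validate(broker_end.recv_bytes().decode()) for _ in samples]
    broker_end.close()
    renderer_end.close()
    return results

if __name__ == "__main__":
    for accepted, detail in run_demo():
        print("ACCEPT" if accepted else "REJECT", detail)
```

The allowlist lookup is the point: the receiver never interprets a numeric value from the untrusted side as anything other than a key into its own table.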
---
## Responsible Disclosure
This simulation was developed to responsibly disclose the vulnerability to
Microsoft Security Response Center (MSRC). Please coordinate with MSRC
before any public release or use.
# Video-demo:
https://www.youtube.com/watch?v=MvwtRybi6ac
# Time spent:
03:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>