Mallory
High · CISA KEV · Exploited in the wild · Public exploit

Windows SMB Client Improper Access Control Privilege Escalation

Identifiers: CVE-2025-33073 · CWE-284 (Improper Access Control)

CVE-2025-33073 is an improper access control vulnerability in the Windows SMB client. Microsoft describes it as allowing an authorized attacker to elevate privileges over a network, potentially to NT AUTHORITY\SYSTEM. Supporting content ties the issue to an NTLM authentication reflection condition: a victim Windows host is induced or coerced into authenticating to an attacker-controlled SMB endpoint, and the attacker relays that authentication back to the same host, obtaining a privileged session on it. Multiple sources characterize the flaw as enabling NTLM reflection and related cross-protocol relay scenarios, including cases where specially crafted target names or DNS records are used to influence how the client builds the target of its authentication. Microsoft’s fix reportedly modified the SMB client driver mrxsmb.sys to reject target names that carry additional marshaled target information.
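What the reflection described above leaves in the victim's own Security log, as an added example that is not from the page, from Microsoft, or from any repository listed below: a successful network logon (Event ID 4624, LogonType 3) whose account is the victim's own machine account, authenticated with NTLM, arriving from an address that is not the victim (the relay host). The field names follow the 4624 event schema; the records, host names and addresses are constructed for the example.

```python
"""Flag NTLM reflection candidates in Windows Security log records.

Added example, not from the page, Microsoft, or any listed repository.
A coerced-and-reflected authentication ends as a successful network logon
(Event ID 4624, LogonType 3) on the victim in which the account is the
victim's own machine account, authenticated with NTLM, and the session
originates from an address that is not the victim itself (the relay host).
Field names follow the 4624 event schema; the records below are constructed.
"""
import json
import sys

# Constructed sample records in the flattened JSON shape a log forwarder emits.
SAMPLE_EVENTS = [
    # Interactive Kerberos logon by a user: ignored (not NTLM, not type 3).
    {"EventID": 4624, "Computer": "SRV01.corp.example", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice",
     "TargetDomainName": "CORP", "IpAddress": "127.0.0.1", "WorkstationName": "SRV01"},
    # Another host's machine account over NTLM: ordinary machine-to-machine traffic.
    {"EventID": 4624, "Computer": "SRV01.corp.example", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "WS07$",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.57", "WorkstationName": "WS07"},
    # Reflection indicator: SRV01's own machine account, NTLM, network logon,
    # arriving from an address that is not SRV01. The relayed NTLM messages still
    # carry the victim's own workstation name, so WorkstationName and IpAddress
    # disagree; this is what a relay of coerced auth back to the same host looks like.
    {"EventID": 4624, "Computer": "SRV01.corp.example", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "TargetUserName": "SRV01$",
     "TargetDomainName": "CORP", "IpAddress": "10.0.0.200", "WorkstationName": "SRV01"},
    # Same machine account via Kerberos from loopback: benign, ignored.
    {"EventID": 4624, "Computer": "SRV01.corp.example", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "SRV01$",
     "TargetDomainName": "CORP", "IpAddress": "::1", "WorkstationName": "SRV01"},
]

LOCAL_ADDRESSES = {"127.0.0.1", "::1", "-"}   # "-" is what 4624 logs for local logons


def host_short_name(computer):
    """'SRV01.corp.example' -> 'SRV01'; the machine account is this plus '$'."""
    return computer.split(".")[0].upper()


def classify(event, own_addresses=frozenset()):
    """Return None for a benign record, or a finding dict for a reflection candidate."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None
    if str(event.get("AuthenticationPackageName", "")).upper() != "NTLM":
        return None
    account = str(event.get("TargetUserName", ""))
    if not account.endswith("$"):
        return None                    # a user account, not a machine account
    if account[:-1].upper() != host_short_name(str(event.get("Computer", ""))):
        return None                    # some other host's machine account
    source = str(event.get("IpAddress", "-"))
    # A machine account NTLM-authenticating to its own host is unusual in itself;
    # from a foreign address it is the relay signature, so rank it higher.
    remote = source not in LOCAL_ADDRESSES and source not in own_addresses
    return {
        "host": event["Computer"],
        "account": f"{event.get('TargetDomainName', '')}\\{account}",
        "source": source,
        "workstation": str(event.get("WorkstationName", "")),
        "severity": "high" if remote else "medium",
    }


def scan(events, own_addresses=frozenset()):
    """Run classify over an iterable of records and return the findings."""
    return [hit for hit in (classify(e, own_addresses) for e in events) if hit]


def scan_ndjson(path, own_addresses=frozenset()):
    """Convenience wrapper for a newline-delimited JSON export of 4624 events."""
    with open(path, encoding="utf-8") as fh:
        return scan((json.loads(line) for line in fh if line.strip()), own_addresses)


if __name__ == "__main__":
    # Hypothetical: SRV01's own address, so logons from it rank "medium", not "high".
    own = frozenset({"10.0.0.11"})
    findings = scan_ndjson(sys.argv[1], own) if len(sys.argv) > 1 else scan(SAMPLE_EVENTS, own)
    for f in findings:
        print(json.dumps(f))
```

Run it on an NDJSON export of 4624 events to see the same logic over real data; pass the host's own addresses so that locally originated machine-account logons are ranked "medium" rather than "high". Kerberos logons are deliberately ignored: the reflected authentication is NTLM by construction.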


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can grant SYSTEM-level privileges on the affected Windows host. The provided content also indicates high impact to confidentiality, integrity, and availability, consistent with Microsoft’s CVSS 8.8 scoring. In practical attack chains, exploitation may enable privileged SMB sessions, remote command execution in some scenarios described by researchers, credential access, local SAM dumping, abuse of machine-account privileges, and follow-on Active Directory compromise through relay to services such as LDAP or AD CS.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure on two fronts. First, cut the coercion-and-relay path: limit or block outbound SMB (TCP 445) from servers and workstations to untrusted hosts, so that a coerced client cannot reach an attacker-controlled SMB endpoint, and reduce the coercion paths (MS-EFSRPC/PetitPotam, MS-RPRN/Printerbug, MS-DFSNM/DFSCoerce and similar) that force a system to authenticate to one. Second, based on the supporting content, harden the relay targets themselves: require SMB signing on clients and servers, enable relay protections on LDAP and AD CS where applicable, restrict arbitrary DNS record creation in AD-integrated DNS (which authenticated users can do by default), and monitor for suspicious DNS-based coercion patterns and self-authentication events (a machine account performing an NTLM network logon to its own host). These are mitigations and detection-oriented controls, not substitutes for the vendor patch.
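Whether SMB signing is actually required is the one condition both sides test: the exploit orchestrators below have a "check" mode that validates it, and a defender needs the same check to confirm that a "require signing" change took effect. As an added example (not from the page or from any repository it lists), the following reads the SecurityMode field of an SMB2 NEGOTIATE response and classifies the server as relayable or not. The packet builders and the sample responses are constructed for the example; probe_signing is a live check for hosts you are authorized to test.

```python
"""Read the SMB2 signing policy a server advertises in its NEGOTIATE response.

Added example, not code from the page or from any repository it lists.
A relay of coerced NTLM authentication only succeeds against an SMB endpoint
that does not require signing, so this is the feasibility check an exploit's
"check" mode runs and the check a defender runs after enforcing signing.
Structures follow MS-SMB2 2.2.1 (header), 2.2.3 (request), 2.2.4 (response).
"""
import socket
import struct
import uuid

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED
DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0", 0x0302: "3.0.2", 0x0311: "3.1.1"}

HEADER_FMT = "<4sHHIHHIIQIIQ16s"     # 64-byte SMB2 packet header
NEG_RESP_FMT = "<HHHH16sIIIIQQHHI"   # fixed 64-byte part of the NEGOTIATE response
NEG_REQ_FMT = "<HHHHI16sQ"           # fixed 36-byte part of the NEGOTIATE request


def parse_negotiate_response(data):
    """Return {"dialect", "signing_enabled", "signing_required"} or raise ValueError."""
    if len(data) < 64 + struct.calcsize(NEG_RESP_FMT):
        raise ValueError("packet too short for an SMB2 NEGOTIATE response")
    magic, hdr_size, _, status, command, _, flags, *_rest = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != SMB2_MAGIC or hdr_size != 64:
        raise ValueError("not an SMB2 packet")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    if status != 0:
        raise ValueError(f"server returned NTSTATUS 0x{status:08x}")
    struct_size, security_mode, dialect, *_ = struct.unpack_from(NEG_RESP_FMT, data, 64)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    return {
        "dialect": DIALECT_NAMES.get(dialect, f"0x{dialect:04x}"),
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def relay_feasible(info):
    """An SMB target is relayable only when the server does not require signing."""
    return not info["signing_required"]


def build_negotiate_response(security_mode, dialect=0x0210):
    """Construct a minimal server NEGOTIATE response (sample input for the parser)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_RESP_FMT, 65, security_mode, dialect, 0, uuid.uuid4().bytes,
                       0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body


def build_negotiate_request(dialects=(0x0202, 0x0210)):
    """Client NEGOTIATE offering pre-3.1.1 dialects, so no negotiate contexts are needed."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack(NEG_REQ_FMT, 36, len(dialects), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return header + body


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return buf


def probe_signing(host, port=445, timeout=5.0):
    """Live check against a host you are authorized to test: send NEGOTIATE, parse the reply."""
    req = build_negotiate_request()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\x00" + len(req).to_bytes(3, "big") + req)   # NetBIOS session header
        length = int.from_bytes(_recv_exact(s, 4)[1:4], "big")
        return parse_negotiate_response(_recv_exact(s, length))


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        info = parse_negotiate_response(build_negotiate_response(mode))
        print(info, "relayable" if relay_feasible(info) else "not relayable")
```

Note that "signing enabled" alone means nothing for relay: the relay attacker simply does not sign, and an enabled-but-not-required server accepts that. Only SIGNING_REQUIRED (0x0002) in SecurityMode closes the path, which is why the classification keys on that bit alone.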

Remediation

Patch, then assume compromise.

Apply Microsoft’s security update for CVE-2025-33073 to all affected Windows systems, especially systems exposed to coercion-and-relay paths, high-value servers, and hosts involved in Active Directory operations. The provided content indicates Microsoft patched the Windows SMB client and that an official fix is available. Prioritize unpatched member servers and systems where SMB signing is not enforced.

PUBLIC EXPLOITS

Exploits

11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).

Valid: 11 / 17 total
cupntlm-Automated-Exploit-For-CVE-2025-33073- · Maturity: PoC · Verified exploit

This repository is a small standalone exploit/orchestration project with three files: a README, the main Python exploit script (cupntlm.py), and a Bash setup helper (setup.sh). It is not itself a Metasploit or Nuclei module but an operational wrapper around well-known offensive components: Impacket ntlmrelayx, krbrelayx dnstool, and PetitPotam.

Primary capability: the tool automates an NTLM reflection/relay attack chain described as targeting CVE-2025-33073 in Active Directory environments. The workflow is: authenticate to the Domain Controller over LDAP with supplied domain credentials, add an attacker-controlled DNS record, trigger coerced authentication from target hosts using PetitPotam (MS-EFSRPC), and relay the resulting NTLM authentication to SMB, LDAP, or LDAPS targets with ntlmrelayx. The README explicitly describes outcomes such as SAM/LSA hash dumping, LAPS dumping, and delegate-access/RBCD-style machine account creation.

Repository structure and purpose:
- README.md: extensive operator documentation, prerequisites, manual exploitation steps, example commands, and mitigation guidance.
- cupntlm.py: main automation logic. From the visible code, it handles CLI parsing, logging, target loading, LDAP-based DNS management via Impacket, subprocess execution of dnstool.py, and command modes including single, per-target, relay-only, dns-add, dns-remove, dns-check, clear, and check. It also defines a hardcoded single-mode DNS record name using a marshalled suffix and writes timestamped log files.
- setup.sh: environment bootstrap script. It checks for required tools and libraries, creates an exploit/ directory, locates or clones ntlmrelayx.py from Impacket, clones krbrelayx to obtain dnstool.py and lib/, downloads PetitPotam.py from GitHub, and copies cupntlm.py into exploit/.

Operational modes described in the README:
- check: validates feasibility, including SMB signing status and credential validity.
- per-target: creates a unique DNS record per host, coerces one target at a time, and removes records between iterations for lower noise.
- single: creates one persistent DNS record and keeps relay infrastructure running while iterating through many targets.
- relay-only and the dns-* modes are visible in the Python code, indicating additional utility functions for record management and relay orchestration.

Notable endpoints and targets: the code and docs reference LDAP to the DC via ldap://<dc_ip>; SMB/LDAP/LDAPS relay targets such as smb://192.168.1.100, ldap://10.0.0.1, and ldaps://10.0.0.1; and local file artifacts such as exploit/ntlmrelayx.py, exploit/dnstool.py, exploit/PetitPotam.py, loot.txt, and timestamped log files. The setup script also reaches out to GitHub and raw.githubusercontent.com to fetch dependencies.

Assessment: this is a real exploit automation/orchestration tool rather than a mere detector. It does not contain an embedded shell payload, but it operationalizes a full relay attack chain and can produce meaningful post-authentication impact through ntlmrelayx. Because payload behavior is largely delegated to external tools and options are somewhat fixed by workflow, the maturity is best characterized as OPERATIONAL.

EgCupCake · Disclosed Mar 9, 2026 · python, bash, network, web
Blackash-CVE-2025-33073 · Maturity: PoC · Verified exploit

Repository contains a small Python-based attack orchestrator plus a bundled ADIDNS manipulation utility.

Structure and purpose:
- CVE-2025-33073.py: main entry point that automates an “attack chain” combining (1) adding an AD-integrated DNS record, (2) starting an Impacket NTLM relay listener, and (3) coercing a target Windows host to authenticate to the attacker-controlled name so the authentication can be relayed to a chosen SMB target.
- DNStool.py: Dirk-jan Mollema’s ADIDNS tool (LDAP/RPC), used here specifically to add a DNS record in AD DNS pointing to the attacker IP.
- README.md: usage examples (GUI via xterm vs CLI-only), options for custom command execution and SOCKS mode, and troubleshooting notes.

Exploit capabilities (as implemented):
- ADIDNS record injection: CVE-2025-33073.py calls DNStool.py with action add, record name STATIC_DNS_RECORD, and data set to the attacker IP, targeting the DC/DNS server specified by --dns-ip and the zone derived from --dc-fqdn.
- DNS propagation check: uses dig to query the DC/DNS server directly until the record resolves.
- NTLM relay setup: launches impacket-ntlmrelayx targeting --target with SMB2 support.
- Optional features: --custom-command passes -c <command> to ntlmrelayx for command execution on successful relay; --socks enables SOCKS proxy mode for post-exploitation pivoting.
- Authentication coercion: uses the NetExec (nxc) SMB module coerce_plus to trigger coerced authentication with one of PetitPotam (default), Printerbug, or DFSCoerce, pointing the coerced connection at the STATIC_DNS_RECORD name.

Notable operational dependencies and assumptions:
- Requires valid domain credentials (DOMAIN\user) and sufficient rights to add or modify ADIDNS records.
- Relies on external tooling (impacket-ntlmrelayx, nxc, dig, optional xterm) rather than implementing the low-level exploit primitives itself.
- Success depends on environmental conditions typical for NTLM relay attacks (SMB signing not required on the relay target, reachable SMB, and the coercion method working against the chosen coercion target).

Overall, this is an operational PoC-style automation script for an AD DNS + NTLM coercion/relay chain that can lead to remote command execution (via ntlmrelayx -c) or a SOCKS pivot, rather than a standalone memory corruption exploit.

irjfifndn-prog · Disclosed Nov 17, 2025 · python, markdown, network
Ashwesker-CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository provides a working exploit chain for CVE-2025-33073, which its README describes as a high-severity authenticated remote code execution vulnerability in the Windows SMB client. The exploit targets Windows 10, 11, and Server 2012–2025 systems and leverages improper access control to achieve SYSTEM-level code execution via NTLM relay attacks. The main script, CVE-2025-33073.py, orchestrates the attack by first adding a malicious DNS record to the target Active Directory DNS using DNStool.py (included in the repo), then waiting for DNS propagation, starting an impacket-ntlmrelayx listener, and finally triggering a coercion method (PetitPotam, Printerbug, or DFSCoerce) to force the target to authenticate to the attacker's relay. The exploit allows for arbitrary command execution as SYSTEM, credential dumping, or establishing a SOCKS proxy for further post-exploitation. The attack requires valid credentials and network access to the target's DNS and SMB services. The README provides detailed usage instructions, mitigation advice, and context about the vulnerability's impact and exploitation in the wild. The code is operational and can be used for red teaming or security testing in controlled environments.

Ashwesker · Disclosed Nov 15, 2025 · python, network
CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository provides a Bash-based exploit (exploit.sh) for CVE-2025-33073, targeting Windows Domain Controllers where the attacker has DNSAdmins privileges and WinRM is enabled. The exploit automates a reflection relay attack: it poisons DNS records using krbrelayx/dnstool.py to redirect authentication to the attacker's machine, then uses impacket's ntlmrelayx.py to relay NTLM authentication to WinRM, ultimately obtaining a SYSTEM shell on the target. Once access is gained, the script runs a series of commands to enumerate users, privileges, and automatically extract flag files from user desktops (commonly used in CTFs). The script requires several external tools (impacket, netexec, krbrelayx, netcat) and logs all actions for review. The README provides user-friendly instructions and describes the tool's features, but the main exploit logic resides in exploit.sh. No hardcoded IPs or credentials are present; all sensitive information is provided interactively by the user. The attack vector is network-based, leveraging DNS and WinRM. The endpoints include DNS records, log files, and Windows file paths for flag extraction.

Iddygodwin · Disclosed Dec 10, 2025 · bash, network
windows-smb-vulnerability-framework-cve-2025-33073 · Maturity: PoC · Verified exploit

This repository is a research and exploit framework for CVE-2025-33073, a critical privilege escalation vulnerability in the Windows SMB client. The codebase includes Python and PowerShell implementations for exploiting the vulnerability, as well as a batch script for launching the exploit with administrator privileges. The main exploit logic is implemented in 'smb_exploit_framework.py' and 'cve_2025_33073_exploit.py', which both set up a malicious SMB server on the attacker's machine (defaulting to 127.0.0.1:445, with fallbacks to other ports if needed). The exploit works by sending specially crafted SMB2 negotiation and session setup packets to the target, exploiting improper access control in the SMB client to achieve privilege escalation. The PowerShell script ('exploit.ps1') provides similar functionality for Windows environments. Logging is performed to 'exploit.log'. The repository is modular and designed for research, with clear warnings and usage restrictions. No hardcoded external IPs or domains are present; all network activity is local or user-specified. The exploit is operational and can be used for controlled testing and research on affected Windows systems.

SFRDevelopment · Disclosed Oct 18, 2025 · python, powershell, network
Blackash-CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository provides a functional exploit chain for CVE-2025-33073, which its README describes as a high-severity authenticated remote code execution vulnerability in the Windows SMB client. The exploit targets Windows 10, 11, and Server 2012–2025 systems that have not applied the June 2025 patch. The main script, CVE-2025-33073.py, orchestrates the attack by:
1. Adding a malicious DNS record to the Domain Controller using DNStool.py (included in the repo), leveraging LDAP.
2. Waiting for the DNS record to propagate, ensuring the target will resolve it.
3. Starting an impacket-ntlmrelayx listener to relay NTLM authentication and execute commands on the target (default: secretsdump, but customizable).
4. Using the nxc tool to trigger authentication from the target to the attacker's listener via a coercion method (PetitPotam, Printerbug, or DFSCoerce).
The exploit requires valid domain credentials and network access to the Domain Controller and the target machine. It chains these tools and techniques to bypass NTLM reflection mitigations and achieve SYSTEM-level code execution, enabling lateral movement or full domain compromise in vulnerable environments. The repository includes two main Python scripts (the exploit orchestrator and DNStool for DNS record manipulation) and a detailed README with usage instructions, mitigations, and troubleshooting tips. No hardcoded IPs or domains are present; all endpoints are provided as arguments, making the exploit adaptable to different environments.

Ashwesker · Disclosed Nov 15, 2025 · python, network
Blackash-CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository provides a functional exploit chain for CVE-2025-33073, which its README describes as a high-severity authenticated remote code execution vulnerability in the Windows SMB client. The exploit consists of two main Python scripts:
1. CVE-2025-33073.py: the main exploit orchestrator. It automates the attack chain by:
   - adding a malicious DNS record to the Domain Controller using DNStool.py (via LDAP);
   - waiting for DNS propagation;
   - launching an impacket-ntlmrelayx listener to relay NTLM authentication to the target machine;
   - triggering a coercion attack (PetitPotam, Printerbug, or DFSCoerce) using the nxc tool to force the target to authenticate to the attacker's relay;
   - optionally running a custom command or establishing a SOCKS proxy for post-exploitation.
2. DNStool.py: a third-party tool (by Dirk-jan Mollema) for manipulating DNS records in Active Directory via LDAP, used to add or remove DNS records as part of the attack chain.
The README.md provides detailed background, usage instructions, mitigation advice, and example attack scenarios. The exploit targets Windows 10, 11, and Server 2012–2025 systems that have not applied the June 2025 patch. It requires valid domain credentials and network access to the Domain Controller and target machine. The attack leverages improper access control in the SMB client, bypasses NTLM reflection mitigations, and can result in SYSTEM-level code execution and full domain compromise in vulnerable environments. No hardcoded IPs or domains are present; all endpoints are supplied by the user at runtime. The exploit is operational and can be customized for post-exploitation activities.

B1ack4sh · Disclosed Nov 15, 2025 · python, network
CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository provides a fully automated Bash-based exploit (exploit.sh) for CVE-2025-33073, a critical vulnerability affecting Microsoft Windows Domain Controllers (Server 2016/2019/2022) when a user has DNSAdmins privileges and WinRM is enabled. The exploit leverages DNS record manipulation (via krbrelayx/dnstool.py), NTLM relay attacks (via impacket's ntlmrelayx.py), and coercion techniques (using NetExec and PetitPotam) to achieve SYSTEM-level code execution on the target DC. The script is interactive, prompting the user for necessary information (attacker IP, target DC IP, domain, credentials), and automates the entire attack chain: DNS poisoning, NTLM relay setup, coercion, and shell access. Once SYSTEM shell access is obtained, the script runs PowerShell commands to enumerate users and extract flag files (such as *flag*.txt, *root*.txt, *user*.txt, proof.txt) from all user desktops, saving the results in structured log files. The repository is structured with a single main exploit script (exploit.sh) and a README.md that provides comprehensive usage instructions, attack flow, and troubleshooting. The exploit is operational, tested in CTF and lab environments, and is intended for authorized penetration testing and research only.

uziii2208 · Disclosed Nov 14, 2025 · bash, network
CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository provides a full exploit chain for CVE-2025-33073, a Windows SMB client vulnerability exploited in Active Directory environments through NTLM relay via malicious DNS records and coercion techniques. The main script, CVE-2025-33073.py, orchestrates the attack by:
1. Adding a malicious DNS record to the AD DNS using dnstool.py (via LDAP).
2. Waiting for the DNS record to propagate.
3. Launching an ntlmrelayx listener (from impacket) to relay NTLM authentication to a specified target (SMB, HTTP, LDAP, etc.).
4. Triggering a coercion attack (PetitPotam, Printerbug, or DFSCoerce) using the nxc tool to force the target to authenticate to the attacker's relay.
The repository is structured with modular Python code, including client and server implementations for various protocols (SMB, HTTP, LDAP, DNS) and utility functions for Kerberos and SPNEGO operations. The exploit is operational and leverages both in-repo code and external tools (impacket, nxc, xterm). It is not a detection script but a working exploit chain that, if successful, can result in command execution or credential extraction from the target. The attack vector is network-based, requiring access to the target AD environment and the ability to add DNS records and relay authentication traffic.

sleepasleepzzz · Disclosed Mar 27, 2020 · python, network
CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept exploit tool written in Python, designed to test authentication relay paths in Windows Active Directory environments. The main script, 'main.py', chains together several attack techniques: it injects a DNS A record into a target DNS server (typically a Domain Controller) using 'samba-tool', verifies the record's propagation, starts an NTLM relay listener using 'impacket-ntlmrelayx', and finally coerces a victim machine to authenticate to the attacker's relay endpoint via an RPC call using 'rpcping' (MS-RPRN coercion). The tool requires administrative credentials for DNS injection and relies on external tools for each stage of the attack chain. The README provides a high-level overview and usage disclaimer. The exploit is a POC and does not target a specific CVE, but demonstrates a realistic attack chain for credential relay in AD environments.

obscura-cert · Disclosed Jun 28, 2025 · python, network
CVE-2025-33073 · Maturity: PoC · Verified exploit

This repository is a proof-of-concept (PoC) exploit for CVE-2025-33073, a critical NTLM reflection vulnerability affecting Microsoft Active Directory Domain Controllers. The main entry point is CVE-2025-33073.py, which orchestrates a multi-step attack chain:
1. It uses dnstool.py to inject a malicious DNS record into Active Directory via LDAP, leveraging valid domain credentials.
2. It waits for the DNS record to propagate, ensuring the attack can proceed.
3. It launches an NTLM relay listener (ntlmrelayx, from impacket) targeting a specified machine (SMB/HTTP/LDAP).
4. It triggers a coercion attack (e.g., PetitPotam, Printerbug, DFSCoerce) using NetExec (nxc) to force the target to authenticate to the attacker's relay.
5. Upon successful relay, it can execute a default or custom command on the target (such as secretsdump for credential extraction), or establish a SOCKS proxy for further exploitation.
The repository includes a modular library structure under lib/, supporting various relay clients and servers for SMB, HTTP, LDAP, and DNS, as well as Kerberos and SPNEGO utilities. The exploit is highly configurable via command-line arguments, allowing the attacker to specify all relevant endpoints (attacker IP, DNS/DC IP, FQDNs, targets, etc.). The exploit is a PoC and not weaponized; it requires manual setup and external tools (impacket, NetExec). It is intended for ethical testing and research. The README provides detailed usage instructions, prerequisites, and troubleshooting tips. No hardcoded IPs or domains are present; all endpoints are user-supplied at runtime. The exploit chain is network-based, targeting Windows environments with vulnerable Domain Controllers.

mverschu · Disclosed Jun 13, 2025 · python, network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                 Product                  Type
Microsoft Corporation  Windows                  operating_system
Microsoft Corporation  Windows 10 1507          operating_system
Microsoft Corporation  Windows 10 1607          operating_system
Microsoft Corporation  Windows 10 1809          operating_system
Microsoft Corporation  Windows 10 21H2          operating_system
Microsoft Corporation  Windows 10 22H2          operating_system
Microsoft Corporation  Windows 11 22H2          operating_system
Microsoft Corporation  Windows 11 23H2          operating_system
Microsoft Corporation  Windows 11 24H2          operating_system
Microsoft Corporation  Windows Server 2008      operating_system
Microsoft Corporation  Windows Server 2008 R2   operating_system
Microsoft Corporation  Windows Server 2008 SP2  operating_system
Microsoft Corporation  Windows Server 2012      operating_system
Microsoft Corporation  Windows Server 2012 R2   operating_system
Microsoft Corporation  Windows Server 2016      operating_system
Microsoft Corporation  Windows Server 2019      operating_system
Microsoft Corporation  Windows Server 2022      operating_system
Microsoft Corporation  Windows Server 2022 23H2 operating_system
Microsoft Corporation  Windows Server 2025      operating_system
Microsoft Corporation  Windows Server 23H2      operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
- Exposure mapping: query your assets running an affected version, and investigate the blast radius.
- Threat actor evidence (1): every observed campaign linking this CVE to a named adversary.
- Associated malware (3): malware families riding this exploit, with evidence and IOCs.
- Detection signatures (1): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
- Vendor-by-vendor mapping: cross-references every affected SKU, including bundled OEM variants.
- Social activity (139): community discussion across Reddit, Mastodon, and other social sources.