shaheeryasirofficial commented Oct 1, 2025

Summary

Add an exploit module for CVE-2025-33073: a Windows SMB client privilege escalation / remote code execution vector
that leverages DNS injection, NTLM relay, and MS-RPRN RPC coercion to coerce an authenticated domain user to authenticate to an attacker-controlled service.

  • Module name (suggested): exploit/windows/smb/cve_2025_33073_smb_client_rce
  • CVE: CVE-2025-33073
  • Author: Shaheer Yasir (@shaheeryasirofficial)
  • Target platforms: Windows 10/11, Windows Server 2016/2019/2022 (see module metadata for exact versions)
  • Categories: exploit, windows, remote

Module behavior & safety

  • check() implemented and non-destructive — performs safe probes to attempt identification of vulnerable behavior without delivering payloads.
  • exploit() implements the attack chain. This module is dual-use; only run it in authorized test environments or with explicit written permission.
  • The module documents required network preconditions (authenticated domain user on victim, absence of SMB signing or EPA, etc.) and required external tooling/dependencies (e.g., relay server).
  • The PR includes a clear warning in the module header and README about authorized testing and responsible disclosure.

Affected versions (as tested / reported)

  • Windows 11 (22H2, 22H3, 23H2, 24H2) — kernel builds 10.0.22621.x, 10.0.26100.x
  • Windows Server 2022 (incl. 23H2)
  • Windows Server 2019
  • Windows 10 (various versions up to 22H2)
  • See module metadata for the full list and discovery heuristics.

Disclosure & timeline

  • CVE: CVE-2025-33073
  • Remediation: Official vendor patch available (include link to MS advisory in final PR if public).
  • Disclosure: [state vendor notification status e.g., "Vendor notified and patch available as of 2025-06-13"].
  • This PR does not include any exploit-specific helper binaries; it only adds the Metasploit module code and docs.

Testing (lab-only instructions — high-level)

  • Create an isolated AD lab (Domain Controller, vulnerable client VM, attacker VM). Do not test on production systems.
  • Use domain-joined test hosts and ensure SMB signing / EPA settings reflect the vulnerable configuration for reproduction.
  • Start the module from msfconsole:
    • msfconsole
    • use exploit/windows/smb/cve_2025_33073_smb_client_rce
    • set RHOSTS <relay-target>
    • set VICTIM <victim-ip>
    • set LHOST <attacker-ip>
    • run (only in authorized labs)
  • The module includes a Verbose option to log high-level steps without delivering payloads.

Note: The PR includes a tests/ folder with sanitized example output and high-level lab setup notes. It intentionally omits automated exploit scripts or non-Ruby helper binaries.


Dependencies & notes for reviewers

  • The module uses only framework APIs and documented Ruby libs. External tooling (e.g., impacket or samba-tool) may be mentioned in docs for local lab reproduction but is not required to run the Metasploit module itself.
  • Code follows Metasploit conventions: metadata block, check() implemented, exploit() documented, register_options used for user-controlled settings.
  • The PR includes:
    • The module file under modules/exploits/windows/smb/ (or the agreed path).
    • A short docs/ markdown with reproduction steps for an isolated lab and sanitized output.
    • A header with author, references, and disclosure date.

References


Example (sanitized) output
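The PR description lists the absence of SMB signing among the network preconditions the module documents. The following is an added defensive illustration, not part of this PR or of Metasploit: it builds a constructed SMB2 NEGOTIATE response (the byte layout follows MS-SMB2; the server GUID, sizes and times are placeholder zeros) and parses the SecurityMode field so an administrator can confirm whether a server enforces signing, which is the mitigation that closes the relay precondition. All function names here are this example's own.

```ruby
# SMB2 NEGOTIATE response SecurityMode flags (MS-SMB2 section 2.2.4).
SMB2_NEGOTIATE_SIGNING_ENABLED  = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Constructs a minimal SMB2 NEGOTIATE response for offline testing.
# Only the fields this example inspects carry meaningful values; the
# rest are zero placeholders (constructed sample, not a capture).
def build_negotiate_response(security_mode, dialect: 0x0311)
  header = "\xFESMB".b                                   # ProtocolId
  # StructureSize, CreditCharge, Status, Command (0 = NEGOTIATE),
  # CreditResponse, Flags (SERVER_TO_REDIR), NextCommand
  header << [64, 0, 0, 0, 1, 0x00000001, 0].pack('v v V v v V V')
  header << [0].pack('Q<')                               # MessageId
  header << [0, 0].pack('V V')                           # Reserved, TreeId
  header << [0].pack('Q<')                               # SessionId
  header << ("\x00" * 16).b                              # Signature

  # NEGOTIATE response body: StructureSize (65), SecurityMode,
  # DialectRevision, NegotiateContextCount
  body = [65, security_mode, dialect, 0].pack('v v v v')
  body << ("\x00" * 16).b                                # ServerGuid (placeholder)
  body << [0, 0x800000, 0x800000, 0x800000].pack('V V V V') # Capabilities, Max*Size
  body << [0, 0].pack('Q< Q<')                           # SystemTime, ServerStartTime
  body << [128, 0, 0].pack('v v V')                      # SecurityBufferOffset/Length, NegotiateContextOffset
  body << "\x00".b                                       # Buffer (1 byte, makes StructureSize 65)
  header + body
end

# Parses the signing policy out of an SMB2 NEGOTIATE response.
# Returns a hash describing what the server advertises.
def parse_signing_policy(msg)
  raise ArgumentError, 'not an SMB2 message' unless msg.byteslice(0, 4) == "\xFESMB".b
  command = msg.byteslice(12, 2).unpack1('v')
  raise ArgumentError, 'not a NEGOTIATE response' unless command == 0

  body = msg.byteslice(64..)
  struct_size, sec_mode, dialect = body.unpack('v v v')
  raise ArgumentError, 'unexpected NEGOTIATE StructureSize' unless struct_size == 65

  {
    dialect: dialect,
    signing_enabled:  (sec_mode & SMB2_NEGOTIATE_SIGNING_ENABLED) != 0,
    signing_required: (sec_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) != 0
  }
end

# Classifies the policy from a hardening point of view: only
# "required" actually prevents an unsigned session from being accepted.
def signing_assessment(policy)
  return :signing_required if policy[:signing_required]
  return :signing_optional  if policy[:signing_enabled]
  :signing_disabled
end

if __FILE__ == $PROGRAM_NAME
  [SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED,
   SMB2_NEGOTIATE_SIGNING_ENABLED,
   0].each do |mode|
    policy = parse_signing_policy(build_negotiate_response(mode))
    puts format('dialect 0x%04x -> %s', policy[:dialect], signing_assessment(policy))
  end
end
```

Against a live host the same parser would be fed the response to an SMB2 NEGOTIATE request; the relevant outcome for remediation verification is that every domain-joined host reports `:signing_required` after the policy change.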

github-actions bot commented Oct 1, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@msutovsky-r7 (Contributor)

There are some issues with this PR:

  • when we submit a PR, we don't submit the PR from the master branch; instead, we create a new branch from the master branch with a name that tells us what your contribution is, like module/exploit/cve_2025_33073
  • also, when you're submitting a module, you should include documentation for your module
  • finally, you've submitted a Python script, which is not a module for Metasploit; modules in Metasploit are written in Ruby. In some cases, you can use a Python exploit and call it from a module, but it should be clearly defined why. In this case, I think it can be rewritten in Ruby and into module format.

In its current state, I don't think this is ready for landing. While we appreciate the contribution, this PR needs some work and should not be marked as ready to review. I think that the best approach now is to mark it as a draft, fix the issues mentioned above, and then we can review it.

@shaheeryasirofficial (Author) commented Oct 1, 2025 via email
