This module exploits an access control issue in Windows SMB clients to deploy a remote agent with SYSTEM privileges through a multi-stage attack chain: 1. DNS Injection: Adds a malicious DNS record 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' via LDAP to the domain controller, pointing to the attacker's IP address. 2. NTLM Relay: Starts an ntlmrelayx server that waits for SMB authentication attempts and relays them to install an agent with SYSTEM privileges on the target system. 3. RPC Coercion: Forces the victim system to authenticate to the attacker-controlled DNS name using coercion techniques. Domain credentials from a regular user are required. The deployed agent gains SYSTEM privileges, allowing complete control of the compromised system. Affected versions: Windows 10 - 21H2 with os build less than 19044.5965 Windows 10 - 22H2 with os build less than 19045.5965 Windows 11 - 22H2 with os build less than 22621.5472 Windows 11 - 23H2 with os build less than 22631.5472 Windows 11 - 24H2 with os build less than 26100.4349 Windows Server 2019 with os build less than 17763.7434 Windows Server 2022 with os build less than 20348.3807
CVE Link
Exploit Platform
Product Name