Microsoft Virtual Hard Disk (VHDX) 11 – Remote Code Execution (RCE)

• Exploit Database
• 7 阅读

• 作者： nu11secur1ty
  日期： 2025-08-03
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/52394/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220

  # Titles: Microsoft Virtual Hard Disk (VHDX) 11 - Remote Code Execution (RCE) # Author: nu11secur1ty # Date: 07/23/2025 # Vendor: Microsoft # Software: https://www.microsoft.com/en-us/windows/windows-11?r=1 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-49683 # Base Score: 7.8 HIGHVector:CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   ## Overview   This PowerShell script (`vdh.ps1`) demonstrates a **soft corruption vulnerability** in Windows Virtual Hard Disk (VHDX) handling, related to **CVE-2025-49683**.   The script performs the following:   - Creates a new dynamic VHDX file (virtual disk) of 10MB size. - Mounts the VHDX as a new drive in the system. - Initializes, partitions, and formats the virtual disk with NTFS. - Dismounts the VHDX and applies **soft byte-level corruption** at an 8 KB offset inside the VHDX file. - Re-mounts the corrupted VHDX to observe potential filesystem or mounting errors. - Lists the contents of the corrupted volume to show the impact. - Creates an **immediate restart batch script (`your-salaries.bat`)** inside the mounted volume which forces a system restart when executed. - Offers cleanup options to dismount and delete the corrupted VHDX file.   ---   ## Purpose   This PoC is designed for **security researchers and penetration testers** to:   - Understand how minor VHDX file corruptions can lead to system instability or vulnerability exploitation. - Demonstrate how CVE-2025-49683 affects VHDX mounting and usage. - Help develop detection and mitigation strategies for such virtual disk corruption attacks.   ---   ## Usage Instructions   1. **Run the script in an elevated PowerShell session** (Run as Administrator - The already malicious authorized user):   ```powershell .\vdh.ps1     2. The script will:   - Create, mount, and format a new VHDX file.   - Corrupt the file at the byte level.   - Re-mount and attempt to read the volume.   - Create a batch file your-salaries.bat inside the mounted drive.   3. To trigger an immediate restart, navigate to the mounted drive (e.g., D:\) and run:     ``` your-salaries.bat ```     4. At script end, press 0 to clean up (dismount and delete the corrupted VHDX), or press any other key to exit and keep the file for further analysis.     ### Important Warnings & Considerations   - Run only on test or isolated environments. This script creates corruption and forcibly restarts the system via the batch file. Do not run on production or important machines.   - Immediate Restart Batch File The your-salaries.bat file triggers an immediate system restart without any warning or confirmation. Be cautious when executing it.   - Corruption is simulated and subtle. The corruption at 8 KB offset is a soft corruption intended for demonstration. Real-world attacks could apply more complex modifications.   - Impact may vary by OS version and environment. Results depend on Windows version and configuration. Some systems may detect and repair corruption automatically.   - Elevated privileges required. Script requires administrative rights to create, mount, initialize, and corrupt VHDX files.   ### Technical Details   - Corruption offset: 8192 bytes (8 KB) into the VHDX file.   - Corruption pattern: Byte sequence [0x00, 0xFF, 0x00, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF].   - Disk initialization: MBR partition style with a single NTFS partition.   - Batch restart command: shutdown /r /t 0 /f to force immediate restart.     ### Sample Output   ```vbnet [*] Checking for existing VHDX file to avoid conflicts... WARNING: [!] Could not dismount VHDX, maybe not mounted: The path "C:\Users\MicrosoftLoosers\Desktop\CVE-2025-49683\corrupted_test.vhdx" is not the path to a mounted virtual hard disk file. [*] Removed existing VHDX file. [*] Creating new VHDX (Virtual Hard Disk) file... Size: 10 MB Path: C:\Users\MicrosoftLoosers\Desktop\CVE-2025-49683\corrupted_test.vhdx [*] Mounting the new VHDX... [*] Disk initialized and formatted with NTFS. This disk emulates a real drive to test mounting and corruption handling. [*] Drive mounted as E: You can access this drive like a physical hard disk in Windows Explorer. [*] Dismounting the VHDX before applying corruption... [*] Simulating corruption by modifying bytes at offset 8 KB... This models how subtle corruption can affect VHDX file integrity, which may lead to file system errors or crashes when accessed. [+] Corruption successfully applied. Note: This is a soft corruption for testing and demonstration purposes only. [*] Re-mounting the corrupted VHDX to observe effects... [*] Drive letter(s) assigned after corruption: E [*] Listing contents of the mounted drive to detect file system anomalies... [*] Attempting to list contents of drive E:\ ... [*] Created immediate restart batch script: your-salaries.bat Running this batch will force an immediate restart.   [*] Script complete. This demo showcases how VHDX file corruption at the byte level can impact system behavior and why patching CVE-2025-49683 is crucial.   [*] Press &apos;0&apos; to clean up and remove the corrupted VHDX, or any other key to exit. [*] Cleaning up... [*] VHDX dismounted. [*] Deleted VHDX file. ```   ### License & Disclaimer   This script is provided for educational and research purposes only. The author and distributor disclaim all liability for any damage caused by misuse.   Use responsibly, and always obtain proper authorization before testing or exploiting vulnerabilities on any system.       ### References   [CVE-2025-49683]( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49683) (Windows VHDX file corruption vulnerability)   Microsoft Windows Virtual Hard Disk (VHDX) documentation   Windows PowerShell documentation       # Video: [href](https://www.youtube.com/watch?v=lkEu_AZnzk4)   # Source: [href]( https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49683)     # Buy me a coffee if you are not ashamed: [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)     # Source download [href]( https://nu11secur1ty.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49683 )   # Time spent: 05:35:00     -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>   --   System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstorm.news/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>