Windows SPNEGO Extended Negotiation RCE

Vulnerability information

Vulnerability name: Windows SPNEGO Extended Negotiation RCE

Vulnerability identifier:

  • CVE: CVE-2025-47981

Vulnerability type: buffer overflow

Severity: critical

Description: This vulnerability affects the SPNEGO extended negotiation security mechanism of the Windows operating system. Specifically, a heap buffer overflow exists in the handling of SPNEGO extended negotiation (ntoskrnl!SpnegoHandleExtended). An attacker can send multiple oversized SPNEGO_TOKEN structures to fragment the heap, then use a crafted MechTypeList element to trigger the overflow, overwrite the SECURITY_CONTEXT function pointer, and finally deploy shellcode through a ROP chain to achieve remote code execution. Affected versions include multiple versions of Windows 11 and Windows Server, as well as multiple versions of Windows 10. The vulnerability can be exploited through services such as SMB over TCP (port 445), HTTP/S (ports 80/443, using Negotiate authentication) and Kerberos (port 88). Because it allows remote code execution and requires no user interaction, it is rated critical. An attacker exploiting it could take full control of the affected system and execute arbitrary code, leading to data leakage, service disruption and other serious consequences.

Vendor: Microsoft

Product: Windows

Affected versions: Windows 11 Version 24H2, Windows Server 2025, Windows Server 2022, 23H2 Edition (Server Core installation), Windows 11 Version 23H2, Windows 11 version 22H3, Windows 11 version 22H2, Windows Server 2022, Windows 10 Version 22H2, Windows 10 Version 21H2, Windows 10 Version 1809, Windows Server 2019, Windows 10 Version 1607, Windows Server 2016, Windows 10 Version 1507

Source: https://github.com/detectrespondrepeat/CVE-2025-47981

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

CVE-2025-47981 Windows SPNEGO Extended Negotiation RCE

Affected Component: SPNEGO Extended Negotiation Security Mechanism


🧠 Technical Details

Vulnerability: Heap-based buffer overflow during SPNEGO extended negotiation handling (ntoskrnl!SpnegoHandleExtended).

  1. Send multiple oversized SPNEGO_TOKEN structures to fragment heap
  2. Trigger overflow with crafted MechTypeList element
  3. Overwrite SECURITY_CONTEXT function pointer
  4. Redirect execution to ROP chain deploying shellcode

📌 Network Exposure Indicators

Critical Services:

Port     Service
445      SMB over TCP
80/443   HTTP/S (Negotiate auth)
88       Kerberos

Vulnerable Versions:

Product
Windows 11 Version 24H2
Windows Server 2025
Windows Server 2022, 23H2 Edition (Server Core installation)
Windows 11 Version 23H2
Windows 11 version 22H3
Windows 11 version 22H2
Windows Server 2022
Windows 10 Version 22H2
Windows 10 Version 21H2
Windows 10 Version 1809
Windows Server 2019
Windows 10 Version 1607
Windows Server 2016
Windows 10 Version 1507

🔧 Usage

python3 spnegowin.py -t <target> -p <port> -c "<command>"
Options:

Flag       Description
-t         Target IP address
-p         Service port (default: 445/SMB)
-c         Command to execute
--proto    Protocol: smb (default), http, ldap

📜 Disclaimer

This PoC is for authorized security research only. Use violates Microsoft’s terms and applicable laws. The author assumes no liability for misuse.

Source page: http://example.com/2025/07/15/github_2797813776/
Author: lianccc
Published: 15 July 2025