Add Windows Defender BlueHammer LPE exploit (CVE-2026-33825) #21521
anasabugaddara-ux wants to merge 9 commits into
Conversation
Demo video coming soon—currently resolving lab environment issues.

I've seen no demo sent to the msfdev mailing list, it also looks like that text might have been AI generated. Without proof that this has been tested, we're going to close it out per our policies. You need to prove that this was tested and working before we'll process it. If you're still working on it, please mark it as a draft.
Hello,
I have sent the demo as a link, plus the video attached to the email
itself, and yes, I am still working on it; after I received the first response
from Julien Voisin (***@***.***), I want to edit according to the suggestions
he gave me.
…On Mon, 1 Jun 2026 at 3:39 PM Spencer McIntyre ***@***.***> wrote:
*smcintyre-r7* left a comment (rapid7/metasploit-framework#21521)
<#21521 (comment)>
I've seen no demo sent to the msfdev mailing list, it also looks like that
text might have been AI generated. Without proof that this has been tested,
we're going to close it out per our polices.
You need to prove that this was tested and working before we'll process
it. If you're still working on it, please mark it as a draft.
I'm not seeing the video. This is a public exploit for Windows though so there's not much reason to keep the video private. Please post the video to the PR or at least a screenshot showing the exploit and payload running.

Hi, Demo Video: https://drive.google.com/file/d/1-oSDkqtWKPj_ylhVyZzyUM9EM6ZydJ86/view?usp=drive_link (Note: For a quicker review, feel free to watch the recording at 2x speed.) Let me know if you need any additional information.
Done,
I am sharing the link since the video is large, and I cannot upload it
even if compressed.
…On Mon, 1 Jun 2026 at 3:52 PM Spencer McIntyre ***@***.***> wrote:
*smcintyre-r7* left a comment (rapid7/metasploit-framework#21521)
<#21521 (comment)>
I'm not seeing the video. This is a public exploit for Windows though so
there's not much reason to keep the video private. Please post the video to
the PR or at least a screenshot showing the exploit and payload running.
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
anasabugaddara-ux
left a comment
@jvoisin Thank you for the detailed review! I have addressed all your feedback.
Please let me know if any further changes are needed.
Reviewed this PR and it seems like most of it is AI-generated, as the module contains errors and cannot be loaded by the framework because of that. After fixing those errors, the module still does not work as expected, which leads me to the conclusion that you've submitted something you didn't test before. My suggestion here is to fix the issues and make sure to test the code you've submitted. Otherwise, this PR will be closed/taken over by someone else.
| system-level access to extract credentials or shadow copies. | ||
| }, | ||
| 'License' => MSF_LICENSE, | ||
| 'Author' => [ 'Anas Abu Ghaddara' ], |
Give creds to the researchers who discovered this: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825
| current_version = ::Regexp.last_match(1) | ||
| print_status("Detected Defender Version: #{current_version}") | ||
| if Rex::Version.new(current_version) < Rex::Version.new('4.18.26050.3011') | ||
| return Exploit::CheckCode::Appears |
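Review bot: the threshold in the version comparison, `Rex::Version.new('4.18.26050.3011')`, does not match the affected range stated in the PR summary, which says versions up to but excluding 4.18.26030.3011; the two numbers differ in one digit, so confirm the fixed build against the MSRC advisory referenced in this review and use the same value in the check, the module metadata and the documentation. Unless the lines above already guard the match, `::Regexp.last_match(1)` is nil when the version regex did not match, and `Rex::Version.new(nil)` would then raise inside `check` instead of returning `CheckCode::Unknown`, so test `current_version` for nil before comparing.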
Add messages as arguments to CheckCodes
This is the wrong folder for documentation; it should be documentation/modules/exploit/.. - that leads me to question whether the content of Scenarios is the actual output of your run of the module, because it seems to be missing some information.
Also, you should run ruby tools/dev/msftidy_docs.rb for this documentation and fix the issues it reports.
| check_result = cmd_exec("icacls \"#{target_file}\"") | ||
| if check_result.include?('BUILTIN\\Users') | ||
| print_good("Success! Privilege escalation confirmed.") | ||
| return true |
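Review bot: `check_result.include?('BUILTIN\\Users')` reports success whenever the icacls output mentions BUILTIN\Users at all, which a pre-existing read entry on the target file also satisfies, so "Privilege escalation confirmed" can be printed with no ACL change having happened; match the specific permission entry the module expects, or capture the icacls output before the attempt and require the two to differ. On the failure path, use `fail_with` with a suitable `Failure` reason rather than returning `false`, since the framework ignores the return value of `exploit` and a bare `return` in this position is what the load error below refers to.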
This is wrong; the exploit method does not return true/false, and it actually breaks the module:
3041 [06/11/2026 13:42:32] [e(0)] core: /home/ms/git/metasploit-framework/modules/exploits/windows/local/blue_hammer.rb failed to load - SyntaxError /home/ms/git/metasploit-framework/modules/exploits/windows/local/blue_hammer.rb:105: Invalid return in class/module body
3042 return true
3043 ^~~~~~
3044 /home/ms/git/metasploit-framework/modules/exploits/windows/local/blue_hammer.rb:108: Invalid return in class/module body
3045 return false
| # We loop rapidly to catch the precise moment Defender's NT AUTHORITY\SYSTEM thread | ||
| # opens the file but before it applies its remediation action. | ||
| datastore['ITERATIONS'].times do |i| |
The ITERATIONS datastore option is not defined

Hi @msutovsky-r7, thank you for the detailed review. I have addressed all the structural feedback: added messages to all CheckCodes (Appears, Safe, Unknown). I am also currently working on improving the reliability of the exploit with Defender fully active. I will update the PR once I have confirmed consistent results. Please let me know if any further changes are needed on the current fixes.
Summary
This PR adds a new local privilege escalation exploit module targeting CVE-2026-33825 (BlueHammer), a vulnerability in Microsoft Defender Antimalware Platform versions up to (excluding) 4.18.26030.3011.
The exploit abuses a TOCTOU race condition in Defender's remediation engine to elevate privileges to NT AUTHORITY\SYSTEM, enabling extraction of SAM/SYSTEM registry hives for offline hash cracking.
Files Changed
- modules/exploits/windows/local/blue_hammer.rb – The exploit module
- documentation/modules/exploits/windows/local/blue_hammer.md – Usage documentation
Verification
1. msfconsole
2. use exploit/windows/local/blue_hammer
3. set SESSION <id> (where <id> is an active Meterpreter session on the target)
4. set BASE_DIR C:\Users\Public\Downloads\HammerSpace
5. check → Verify output returns Appears for vulnerable Defender versions
6. exploit → Verify successful privilege escalation to NT AUTHORITY\SYSTEM
Testing Environment
References