Microsoft Edge Renderer Process (Mojo IPC) Sandbox Escape
A sandbox escape vulnerability (CVE-2025-2783) exists in the Mojo IPC subsystem on Microsoft Windows 11 Pro; a malicious renderer process can use a crafted IPC message to escape the sandbox and escalate privileges, potentially leading to full system compromise. 2025-8-16 21:16:19 Author: cxsecurity.com

# Titles: Sandbox Escape in Microsoft Edge Renderer Process (Mojo IPC)
# Author: nu11secur1ty
# Date: 08/07/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/software-download/windows11
# Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49730
# CVE-2025-2783

## Description

This project contains a **proof-of-concept (PoC)** simulation for **CVE-2025-2783**, a sandbox escape and privilege escalation vulnerability affecting the Microsoft Mojo IPC subsystem on Windows 11 Pro. The simulation demonstrates how a malicious renderer process could exploit a crafted IPC message to escape sandbox restrictions and escalate privileges, potentially leading to full system compromise.

---

## Disclaimer

**This code is provided for educational and responsible disclosure purposes only.** Do NOT use it for unauthorized testing or attacks on systems you do not own or have explicit permission to test.

The author(s) created this simulation in a controlled environment (virtual machine) to safely demonstrate the vulnerability before reporting it to Microsoft Security Response Center (MSRC).

---

## Components

- `kur.py`: The main PoC Python script. It can run as either:
  - A phishing server hosting a malicious payload file
  - An exploit client that downloads the payload, simulates IPC communication, and triggers the sandbox escape.
- `malicious_input.mojopipe`: The generated malicious payload JSON file (created at runtime).
- `incident.log`: Log file recording actions and simulated system information captured during exploitation.

---

## Usage

### Prerequisites

- Python 3.7 or later on Windows 11 Pro (preferably in a VM for safety).
- Administrator privileges recommended for full information output.

### Steps

1. **Start the phishing server** (in one terminal):

   ```bash
   python kur.py
   ```

   Enter choice: `1`

   This hosts the malicious payload file on `http://<your_ip>:8080/`.

2. **Run the exploit client** (in another terminal on the same machine):

   ```bash
   python kur.py
   ```

   Enter choice: `2`

   This downloads the payload, simulates the IPC communication, and attempts the sandbox escape.

3. **Observe logs** in `incident.log` and the console output for evidence of the simulated exploit.

---

## Technical Details

- The PoC simulates Mojo IPC message passing using Python's `multiprocessing.connection` module.
- The exploit payload contains a special handle value that triggers the sandbox escape simulation.
- When triggered, the PoC logs user and system info to demonstrate privilege escalation.
- The phishing server serves the malicious payload to mimic a real-world attack vector.

---

## Responsible Disclosure

This simulation was developed to responsibly disclose the vulnerability to Microsoft Security Response Center (MSRC). Please coordinate with MSRC before any public release or use.

# Video-demo: [href](https://www.youtube.com/watch?v=MvwtRybi6ac)
# Buy me a coffee if you are not ashamed: [href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
# Time spent: 03:35:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>

Article source: https://cxsecurity.com/issue/WLB-2025080016