mbanyamer/CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free-

CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free

Remote Code Execution via Use-After-Free in JScript.dll (CVE-2025-30397)

🧠 Description

This repository contains a proof-of-concept (PoC) exploit for a Use-After-Free vulnerability in the JScript engine (jscript.dll) affecting Windows Server 2025 (build 25398 and prior). The vulnerability allows remote code execution: the PoC exploits the resulting memory corruption using heap spraying techniques. It demonstrates execution of calc.exe via Internet Explorer 11 on the affected system.

🔍 CVE Details

  • CVE ID: CVE-2025-30397
  • Vendor: Microsoft
  • Affected Platforms: Windows Server 2025 (build 25398 and prior)
  • Tested On: Windows Server 2025 + Internet Explorer 11 (x86)
  • Vulnerability Type: Use-After-Free in jscript.dll
  • Impact: Remote Code Execution (RCE)
  • Severity: Critical

⚙️ Technical Summary

This PoC exploits a Use-After-Free bug caused by improper management of object references in the legacy JScript engine. When triggered via a specially crafted HTML page, the vulnerability allows attackers to corrupt memory and achieve remote code execution. The exploit uses heap spraying to place shellcode in memory, ultimately executing calc.exe on vulnerable systems running Windows Server 2025 with Internet Explorer 11. This demonstrates the impact of the flaw and confirms that it is exploitable under real conditions.

Author

Mohammed Idrees Banyamer
