
CVE-2025-24071 PoC — Microsoft Windows File Explorer Information Disclosure Vulnerability

Associated Vulnerability
Title: Microsoft Windows File Explorer Information Disclosure Vulnerability (CVE-2025-24071)
Description: Microsoft Windows File Explorer is a file manager application from Microsoft Corporation of the United States. Microsoft Windows File Explorer has an information disclosure vulnerability. An attacker can exploit this vulnerability to obtain sensitive information. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows Server 2019, Windows Server

Description
CVE-2025-24071 Proof Of Concept

Readme
# CVE-2025-24071 - Windows File Explorer Spoofing Vulnerability Proof of Concept

## Overview

**CVE-2025-24071** is a spoofing vulnerability in Windows File Explorer that allows an unauthenticated attacker to expose sensitive information over a network. The vulnerability arises due to the implicit trust and automatic parsing behavior of `.library-ms` files in Windows Explorer. By crafting malicious archive files (e.g., RAR/ZIP) containing `.library-ms` files with embedded SMB paths, an attacker can trigger an SMB authentication request upon extraction, potentially exposing the user's NTLM hash.

- **CVE ID**: CVE-2025-24071
- **Severity**: Medium (CVSS v3.1 Base Score: 6.5)
- **Vector**: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- **CWE**: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
- **Published**: March 11, 2025
- **Last Updated**: April 16, 2025

## Affected Systems

The vulnerability affects the following Windows versions:

- Windows 10 (versions 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 22H2, 23H2, 24H2)
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025

For a comprehensive list of affected systems, refer to the [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24071).

## Exploitation Details

An attacker can exploit this vulnerability by:

1. Crafting a `.library-ms` file with a malicious SMB path.
2. Embedding the `.library-ms` file within a RAR or ZIP archive.
3. Distributing the archive to the target user.
4. Upon extraction, Windows Explorer automatically processes the `.library-ms` file, initiating an SMB authentication request to the attacker's server.
5. This process can lead to the exposure of the user's NTLM hash.

This method leverages the behavior of Windows Explorer in handling `.library-ms` files and the SMB protocol's authentication mechanism.
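The steps above describe a chain that a defender can break before extraction: if the archive that arrives at a mail gateway or endpoint contains a `.library-ms` entry whose location points at a remote host, it should be quarantined rather than handed to the user. The scanner below is an added example written for this page; it is not part of the PoC repository and does not reuse `exploit.py`. It assumes the element names of Microsoft's public library description schema (`libraryDescription`, `searchConnectorDescription`, `simpleLocation`, `url`) and also falls back to a raw-text search so that a malformed or unusually structured file is still caught. The sample archive is constructed in memory and the host names in it are placeholders.

```python
"""Scan a ZIP archive for .library-ms entries that reference remote hosts.

Added defensive example (not part of the CVE-2025-24071 PoC repository).
The library description element names follow Microsoft's public schema;
the sample archive is constructed here and its host names are placeholders.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# UNC path: two backslashes, a host, a backslash and a share name.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\\\s\"'<>]+)")
# file:// URL with a non-empty host component (file:///C:/... has none).
FILE_URL_RE = re.compile(r"file://([A-Za-z0-9._-]+)/", re.IGNORECASE)


def find_remote_locations(xml_bytes):
    """Return a sorted list of remote hosts referenced by a .library-ms document.

    <url> elements are checked first (namespace-agnostic); a raw-text scan follows
    so an entry that is not well-formed XML, or that carries the path in some
    other element, is still reported.
    """
    hosts = set()
    text = xml_bytes.decode("utf-8", errors="replace")
    try:
        root = ET.fromstring(xml_bytes)
        for el in root.iter():
            # Strip the namespace and compare the local element name.
            if el.tag.rsplit("}", 1)[-1].lower() == "url" and el.text:
                value = el.text.strip()
                m = UNC_RE.match(value) or FILE_URL_RE.match(value)
                if m:
                    hosts.add(m.group(1).lower())
    except ET.ParseError:
        pass  # not XML at all; rely on the text scan below
    for m in UNC_RE.finditer(text):
        hosts.add(m.group(1).lower())
    for m in FILE_URL_RE.finditer(text):
        hosts.add(m.group(1).lower())
    return sorted(hosts)


def scan_zip(data):
    """Return {entry_name: [hosts]} for every .library-ms entry that references
    a remote host. An empty dict means nothing suspicious was found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".library-ms"):
                continue
            # Cap the read so an oversized decoy entry cannot exhaust memory.
            content = zf.open(info).read(1024 * 1024)
            hosts = find_remote_locations(content)
            if hosts:
                findings[info.filename] = hosts
    return findings


def build_sample_zip():
    """Constructed test data: a benign library pointing at a local folder, a
    suspicious one pointing at a placeholder remote host, and a non-library file."""
    def library(url):
        return (
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">\n'
            '  <searchConnectorDescriptionList>\n'
            '    <searchConnectorDescription>\n'
            f'      <simpleLocation><url>{url}</url></simpleLocation>\n'
            '    </searchConnectorDescription>\n'
            '  </searchConnectorDescriptionList>\n'
            '</libraryDescription>\n'
        ).encode()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Documents.library-ms", library("C:\\Users\\Public\\Documents"))
        zf.writestr("Invoice.library-ms", library("\\\\remote-host.invalid\\share"))
        zf.writestr("readme.txt", b"not a library file")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hosts in scan_zip(build_sample_zip()).items():
        print(f"{name}: references remote host(s) {', '.join(hosts)}")
```

Running the block reports only `Invoice.library-ms`; the local-path library and the text file are ignored. The check is a content heuristic, not a signature for this CVE: any `.library-ms` that names a host outside the organisation is worth a second look, patched or not. Alongside applying the Microsoft update, blocking outbound TCP 445 at the network edge keeps the SMB authentication attempt from reaching an external host, and the scanner is the gateway-side complement to that control.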

## Proof of Concept

This repository contains a PoC demonstrating the vulnerability, in this case uploading the file via SMB:

- `exploit.py`: Script to generate a malicious `.library-ms` file and package it into a ZIP archive.

**Usage:**

```bash
python exploit.py --ip $IP --filename payload --share share-name
```

### First, we craft the payload using our exploit.py

![image](https://github.com/user-attachments/assets/46e8c8c6-35f8-445f-9631-bf04e4122283)


### On another tab we set up our listener, which will receive the hash
![image](https://github.com/user-attachments/assets/ba4743c8-7a39-4d3f-98b0-3eacb58dd0a8)


### We then upload the file and wait for someone to open it

![poc](https://github.com/user-attachments/assets/7dd9b784-0e20-4fd9-bc3c-31a006c054df)

### Finally, once the file is opened, we receive the user's hash
![poc](https://github.com/user-attachments/assets/e22fb4e9-0465-4441-9fb1-fea05205ba01)

File Snapshot

[4.0K] /data/pocs/191e4d38194e6423feaefa511b509d02d2ebbc65
├── [1.5K] exploit.py
└── [2.8K] README.md

0 directories, 2 files