
helidem/CVE-2025-24054_CVE-2025-24071-PoC

CVE-2025-24054 and CVE-2025-24071 - NTLM Hash Leak via .library-ms Exploit

PoC

This PoC demonstrates the NTLM hash leak via .library-ms files on Windows systems that have not received the March 2025 Patch Tuesday updates.

⚠️ This is for educational and research purposes only. Do not use this on production or unauthorized systems.

🧠 Description

When a .library-ms file with a UNC path is opened (or previewed) in Windows Explorer, it triggers an SMB authentication request to the specified server, leaking the NTLMv2 hash.

📁 Files

  • generate_library_ms.py : generates the malicious .library-ms file
  • xd.library-ms : sample malicious file (points to a configurable SMB server)
  • Instructions_Responder.md : how to set up a fake SMB server with Responder

🧪 How to Test

  1. Start Responder on your attacker machine:

         sudo responder -I eth0

  2. On the victim Windows VM:

    • Download or generate the .library-ms file
    • Preview it in File Explorer

  3. On the attacker side:

    • Observe the captured NTLM hash in Responder's output

✅ Mitigation

  • Apply Microsoft's March 2025 patches
  • Disable NTLM where possible
  • Educate users to avoid interacting with .library-ms files from untrusted sources
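
A defender-side check to go with the mitigations above (an added example, not part of this repository): it walks a directory, parses each .library-ms file and reports `<url>` values that name another host instead of a local path. The sample XML and host name are constructed, and the element names are assumed from the Windows library description schema.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit

# Constructed samples, reduced to the elements the scanner reads.
# The host name is a placeholder, not an indicator from the page.
SAMPLE_REMOTE = rb"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList><searchConnectorDescription>
    <simpleLocation><url>\\fileserver.example.invalid\share</url></simpleLocation>
  </searchConnectorDescription></searchConnectorDescriptionList>
</libraryDescription>"""
SAMPLE_LOCAL = SAMPLE_REMOTE.replace(
    rb"\\fileserver.example.invalid\share", rb"C:\Users\Public\Documents")

def remote_host(value: str) -> str:
    """Return the host a location value names, or '' if it is local."""
    try:
        # UNC and file:// forms both reduce to //host/path for urlsplit
        return urlsplit(value.strip().replace("\\", "/")).netloc
    except ValueError:
        return value  # unparseable location: report it rather than pass it

def remote_locations(data: bytes) -> list[str]:
    """List <url> values in a .library-ms document that point at another host."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return ["<DTD present, not parsed>"]  # never expand entities from untrusted files
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["<malformed XML, review by hand>"]
    urls = (el.text for el in root.iter()
            if el.tag.rsplit("}", 1)[-1].lower() == "url" and el.text)
    return [u.strip() for u in urls if remote_host(u)]

def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each .library-ms file under root to its remote locations, if any."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".library-ms":
            hits = remote_locations(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings

if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, *hits, sep="\n  ")
```

Run it over download folders or a mail-attachment quarantine; any hit on a file that arrived from outside the organisation deserves a look before anyone previews it in Explorer.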

🧑‍💻 Author

PoC created by Helidem
