Windows NTLM Hash Disclosure Spoofing via .library-ms Files
CVE-2025-24054 is a Microsoft Windows NTLM spoofing/hash disclosure vulnerability caused by external control of file name or path in Windows NTLM. Public reporting and Microsoft/CISA-aligned descriptions indicate that specially crafted .library-ms files can cause Windows Explorer or related shell handling to initiate SMB authentication to an attacker-controlled server. This results in disclosure of the victim’s NTLMv2-SSP/NTLM hash over the network. The issue is described as a variant of CVE-2024-43451 and has been observed in phishing campaigns delivering malicious .library-ms files directly or inside ZIP archives. Reported trigger conditions include minimal interaction with the file, such as selecting, right-clicking, inspecting, extracting, or browsing to a folder containing the file, rather than full execution of a payload.
Exploits
12 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small proof-of-concept for NTLM hash leakage via malicious .library-ms files targeting Windows systems associated with CVE-2025-24054 and CVE-2025-24071. The repository contains three files: a README with usage notes and references, a Python generator script (exploit.py), and a sample malicious library file (xd.library-ms). The core exploit logic is in exploit.py. It accepts an attacker IP/hostname, optional SMB share name, and optional output filename, then generates an XML .library-ms file whose <url> field points to a UNC path of the form \\host\share. This is not a memory-corruption or code-execution exploit; instead, it is a credential-leak PoC. When a victim previews or opens the crafted file in Windows Explorer, Windows attempts to access the remote UNC path over SMB, which can trigger NTLM authentication to the attacker-controlled server and expose NTLMv2 hash material. The included xd.library-ms file is a ready-made sample pointing to \\10.10.14.22\share. This provides a concrete indicator of how the malicious file is structured. The exploit is straightforward and minimally weaponized: it only generates the lure file and relies on external infrastructure such as an SMB listener/Responder instance to capture hashes. No post-exploitation, cracking, relay, or shell payload is included. Notable repository inconsistencies: the README refers to generate_library_ms.py and Instructions_Responder.md, but the actual repository contains exploit.py and does not include the Responder instructions file. Despite that mismatch, the repository clearly functions as a valid PoC exploit generator.
This repository is a small Metasploit auxiliary module repository containing one exploit module (ntlm_hash_leak.rb) and a README. Because it is a Metasploit module, the relevant logic is concentrated in the single Ruby file. The module targets CVE-2025-24071, described as an NTLM hash leak in Windows Explorer triggered by extracting a ZIP archive containing a malicious .library-ms file. The exploit does not deliver code execution; instead, it creates a lure file that causes the victim system to authenticate over SMB to an attacker-controlled endpoint. The module registers four user-configurable options: FILENAME, ATTACKER_IP, LIBRARY_NAME, and SHARE_NAME. In run(), it builds XML for a .library-ms file whose <url> element contains a UNC path pointing to \\ATTACKER_IP\SHARE_NAME. It writes this XML to disk, packages it into a ZIP archive using Ruby's zip library, then deletes the standalone .library-ms file, leaving the ZIP as the deliverable artifact. It prints operator guidance indicating the ZIP should be hosted for the victim and that an SMB capture server should be running to collect NTLM hashes. It also records a Metasploit note tied to the attacker IP. Primary capability: generation of a malicious ZIP archive for credential leakage via outbound SMB authentication. Main target interaction: victim extracts the ZIP in Windows Explorer, which processes the embedded .library-ms file and attempts SMB access to the attacker-controlled UNC path. The repository is therefore a file-based/network-assisted credential capture exploit module rather than a scanner or detection script.
This repository is a small, single-purpose proof-of-concept for CVE-2025-24054, a Windows .library-ms NTLM hash disclosure issue. It contains two files: a README describing the attack flow and usage, and a Python script (poc.py) that serves as the sole executable entry point. The script accepts an attacker IP address plus optional library/share names, builds a malicious .library-ms XML file containing a UNC path of the form \\ATTACKER_IP\SHARE, and packages that file into a ZIP archive for delivery. The exploit capability is limited but clear: it does not execute code on the victim, but it weaponizes Windows Explorer behavior so that when a victim extracts the ZIP, Explorer attempts to resolve the embedded remote library location over SMB. That outbound authentication leaks the victim's Net-NTLMv2 hash to the attacker-controlled SMB listener. The README explicitly suggests using Responder to capture the hash. Structurally, this is not part of a larger exploit framework and is not a detection script. It is a straightforward PoC generator with no built-in listener, cracking, relay, or post-exploitation logic. There are no hardcoded external IPs or domains; the primary fingerprintable target is the operator-supplied UNC path embedded into the generated XML. The repository's purpose is to help an operator create a malicious archive for lab validation of NTLM hash disclosure via crafted .library-ms files.
This repository is a small Metasploit auxiliary module project consisting of a license, a README, and one Ruby exploit module: ntlm_hash_leak.rb. Because it is a Metasploit module, the main analysis centers on that single Ruby file. The module uses Metasploit's FILEFORMAT mixin to generate a malicious ZIP archive rather than directly exploiting a remote service. Its purpose is to weaponize CVE-2025-24054, formerly referred to as CVE-2025-24071, by placing a crafted .library-ms file inside a ZIP. The embedded XML contains a search connector URL pointing to an attacker-controlled UNC path in the form \\ATTACKER_IP\SHARE_NAME. When a victim on Windows extracts or otherwise causes Explorer to process the .library-ms file, Windows attempts SMB authentication to that remote path, leaking the victim's NTLM hash. Core capabilities: the module registers configurable options for the output ZIP filename, attacker IP, .library-ms filename, and fake SMB share name; builds the malicious XML; inserts it into a ZIP archive; and writes the archive to Metasploit's local output directory. It does not itself capture hashes or deliver a shell. Instead, it prepares the lure file used to induce outbound SMB authentication. The README explains intended operational use with Metasploit's SMB capture module or external tools like Responder/Impacket. Repository structure is minimal and coherent: Readme.md documents the vulnerability, installation, and usage; ntlm_hash_leak.rb contains the exploit logic; LICENSE is standard MIT text. There is no detection-only behavior, no destructive logic, and no obvious signs of fakery. This is a real exploit module for file generation and credential leakage, best classified as a Metasploit weaponized auxiliary/file-format exploit with network impact via SMB authentication leakage.
This repository contains a minimal PoC for CVE-2025-24054 with two files: a tiny README and a single Python script (cve-2025-24054.py). The script is a generator that creates a crafted Windows “.library-ms” XML file and packages it into a ZIP (default: exploit.zip). The XML’s <url> element points to a user-specified UNC path (\\host\share) or, if given a bare host/IP, to \\<target>\shared. When the victim opens or imports the .library-ms on Windows 10/11, Windows may attempt to access the remote UNC location, potentially triggering an outbound NTLM authentication attempt and disclosing NTLM hashes/credentials to the remote SMB share. The code includes basic input validation (hostname/IP/UNC checks) and filename sanitization, supports interactive prompts, a --dry-run mode to print the XML without writing files, and a --force option to overwrite an existing ZIP. No additional payload execution is present beyond generating the coercive .library-ms artifact.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-24054 and CVE-2025-24071, targeting a vulnerability in Windows where opening a specially crafted .library-ms file can trigger an SMB authentication attempt to an attacker-controlled server, leaking the victim's NTLM hash. The repository contains three files: a Python script (exploit.py) that generates malicious .library-ms files pointing to arbitrary UNC paths, a sample .library-ms file (xd.library-ms) configured to point to \\10.10.14.22\share, and a README with detailed usage instructions. The exploit requires the victim to open or preview the malicious file on an unpatched Windows system. The attack vector is local (user interaction required), and the main fingerprintable endpoint is the UNC path embedded in the .library-ms file. The exploit is a PoC and does not include a payload for post-exploitation, but it enables credential theft via NTLM hash capture.
This repository provides a comprehensive proof-of-concept (PoC) toolkit for exploiting a chain of vulnerabilities in Windows Explorer's handling of certain file formats, resulting in zero-click NTLMv2-SSP hash disclosure. The repository contains two main exploit scripts: 1. 'ntml-disclosure-poc.py' (Python): Generates a malicious .searchConnector-ms (XML) file with an embedded UNC path pointing to an attacker-controlled SMB server, packages it in a ZIP archive, and is designed to exploit CVE-2025-24054. When a victim opens the ZIP in Windows Explorer, the embedded UNC path is automatically resolved, causing the system to attempt SMB authentication and leak the NTLM hash. 2. 'patch_bypass.ps1' (PowerShell): Generates a malicious .lnk (shortcut) file with its TargetPath set to a UNC path (again pointing to the attacker's SMB server), then packages it in a ZIP archive. This script targets the patched scenario (CVE-2025-50154 and CVE-2025-59214), bypassing Microsoft's initial fixes by leveraging Windows Explorer's icon and metadata fetching behavior. The LNK file can also be distributed standalone. Both scripts are operational exploits, not just detection tools. The README provides detailed technical background, usage instructions, and deployment scenarios, including social engineering vectors. The main attack vector is network-based, leveraging SMB authentication over UNC paths. The only fingerprintable endpoints are the attacker-controlled UNC paths (e.g., \\192.168.1.100\share or \\attacker-host\share\file), which must be accessible to the victim. The repository is well-structured, with clear separation between the Python and PowerShell implementations, and is intended for offensive security research and demonstration of the described vulnerabilities.
This repository contains a single Python script (PoC.py) that generates a malicious .library-ms file, which is then zipped into 'exploit.zip'. The script takes two arguments: a base filename and an IP address. It creates an XML-based .library-ms file referencing a remote SMB share at the provided IP address. When a victim opens this file on a Windows system, their machine attempts to connect to the attacker's SMB server, potentially leaking NTLM credentials. The exploit demonstrates a classic 'SMB relay' or 'NTLM credential theft' vector via a crafted Windows Library file. The repository is a proof-of-concept and does not include a server component to capture credentials. The only file present is PoC.py, written in Python, and the exploit targets Windows systems by leveraging their handling of .library-ms files.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-24054, a vulnerability in Microsoft Windows that allows NTLMv2 hash leakage via malicious .library-ms files. The repository contains two main Python scripts:
- ELAINA-POC.py: A full-featured POC tool that can generate a malicious .library-ms file pointing to an attacker-controlled SMB share (using the 'create' command) and extract NTLM hashes from Responder logs (using the 'extract' command). It includes argument parsing and integrity checks for the ASCII logo.
- CVE-2025-24054.py: A minimal script to extract NTLM hashes from a log file, using a regular expression.
- Exploit.library-ms: A sample malicious .library-ms file with a placeholder for the attacker's SMB share.
- README.md: Instructions in both Vietnamese and English on how to use the scripts to generate the malicious file, send it to a victim, and extract hashes from captured logs.
The exploit works by generating a .library-ms file that, when opened by a Windows user, causes the system to attempt authentication to an attacker-controlled SMB server, leaking NTLMv2 hashes. The attacker can then extract these hashes from their SMB server logs using the provided scripts. The repository is structured for ease of use, with clear separation between payload generation and hash extraction functionality.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-24054 and CVE-2025-24071, targeting a vulnerability in Windows where opening a specially crafted .library-ms file causes the system to initiate an SMB authentication to an attacker-controlled server, leaking the user's NTLMv2 hash. The repository contains three files: a Python script (exploit.py) that generates a malicious .library-ms file pointing to a configurable SMB server, a sample .library-ms file (xd.library-ms) with a hardcoded attacker IP, and a README with detailed usage instructions. The exploit requires the attacker to run an SMB server (such as Responder) and the victim to open or preview the malicious file. The main attack vector is local file execution leading to a network-based NTLM hash leak. The repository is structured as a PoC and does not include weaponized or automated exploitation features.
This repository contains a proof-of-concept exploit for CVE-2025-24054, a Windows NTLM credential theft vulnerability. The main file, CVE-2025-24054.py, is a Python script that generates a malicious .library-ms file. When this file is opened on a vulnerable Windows system, it causes the system to connect to an attacker-controlled SMB share (specified by the attacker IP and share name), resulting in the victim's NTLM hashes being sent to the attacker's server. The repository consists of the exploit script and a brief README describing the vulnerability. The exploit does not include a payload for post-exploitation, but demonstrates the credential theft vector via crafted file generation.
This repository contains a single Python script, 'create_library_ms.py', which generates a malicious Windows Library file (.library-ms). The script prompts the user for an attacker-controlled server address and creates a .library-ms file embedding a UNC path (e.g., \\attacker_ip\evilshare). When a victim opens this file in Windows Explorer, the system attempts to access the specified UNC path, causing Windows to authenticate to the attacker's SMB server and leak Net-NTLMv1/v2 hashes. The script is a proof-of-concept for credential capture attacks leveraging Windows' handling of library files and SMB authentication. The repository is structured as a single, self-contained exploit generator, and is intended for educational/lab use only. No hardcoded endpoints are present; the attacker provides the target server at runtime.
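A defender-side triage check for the lure format described in the vulnerability summary and throughout the exploit entries above: it opens a standalone file or a ZIP archive, parses any .library-ms (and, going beyond the entries, .searchConnector-ms) member as XML, and flags every <url> element that points at a remote UNC path or SMB/file URL. This is an added example, not code from any of the repositories listed; it needs only the Python standard library, and the embedded sample ZIP, the host 192.0.2.10 (a documentation address) and the deliberately reduced XML are constructed here rather than taken from a real lure.

```python
"""Triage helper: flag .library-ms / .searchConnector-ms files, standalone or
inside a ZIP, whose <url> element targets a remote location (NTLM-coercion lure)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple

SUSPECT_EXTS = (".library-ms", ".searchconnector-ms")
# A UNC path (\\host\share...), a forward-slash UNC (//host/share), an smb:// URL,
# or a file://host URL (file:///local is not remote). Case-insensitive.
REMOTE_RE = re.compile(r"^\s*(\\\\[^\\]+\\|//[^/]+/|smb://|file://[^/])", re.IGNORECASE)


def remote_urls_in_xml(data: bytes) -> List[str]:
    """Return the text of every <url> element (any namespace) that is remote."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # not XML at all: nothing for Explorer to resolve
    hits = []
    for el in root.iter():
        local_tag = el.tag.rsplit("}", 1)[-1].lower()  # strip XML namespace
        if local_tag == "url" and el.text and REMOTE_RE.match(el.text):
            hits.append(el.text.strip())
    return hits


def scan_blob(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Scan one file by name; ZIPs (including nested ones) are opened and walked."""
    findings: List[Tuple[str, str]] = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SUSPECT_EXTS + (".zip",)):
                    findings += scan_blob(f"{name}:{member}", zf.read(member))
    elif name.lower().endswith(SUSPECT_EXTS):
        findings += [(name, url) for url in remote_urls_in_xml(data)]
    return findings


# Constructed sample (not a working lure; the schema is intentionally reduced):
# the detector ignores namespaces and layout, so only the <url> content matters.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <simpleLocation><url>\\\\192.0.2.10\\share</url></simpleLocation>
</libraryDescription>"""


def build_sample_zip() -> bytes:
    """Build an in-memory ZIP like the ones the generators above emit (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.library-ms", SAMPLE_XML)
        zf.writestr("notes.txt", b"benign content")
    return buf.getvalue()


if __name__ == "__main__":
    for where, url in scan_blob("sample.zip", build_sample_zip()):
        print(f"ALERT {where}: remote library location {url}")
```

Run it over a mail-gateway quarantine or a user's Downloads folder by feeding each file's bytes to scan_blob; a local library such as C:\Users\Public produces no finding.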
Recent activity
106 sources tracked across advisories, community write-ups, and news.
Windows NTLM vulnerability involving external control of file name or path that can trigger NTLMv2 hash leakage via .library-ms files on network shares. Significant here as a credential-harvesting vector supporting lateral movement.
A Windows file/path handling flaw that can trigger NTLM hash disclosure via specially crafted .library-ms files with minimal user interaction such as previewing in Explorer.
This vulnerability is referenced only as being listed in the CISA KEV catalog and actively exploited in real-world campaigns, in the context of NTLM hash-leak/file-trigger attacks.
A similar NTLM-related vulnerability referenced as an example of real-world exploitation against government institutions.