CVE-2025-24054
MEDIUM KEV
Windows 10 1507-22H2 and Windows 11 22H2 - Unauthenticated Spoofing via NTLM File Path Control
Title source: llm
Exploitation Summary
CVE-2025-24054 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 17, 2025. EIP tracks 14 public exploits from researchers including beatrizfn, hyp3rlinx, and rubenformation.
Description
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
Exploits (14)
This PoC generates a .library-ms XML file that points to a UNC path, exploiting a spoofing vulnerability in Windows 10/11. The script creates a zip file containing the malicious library file, which, when opened, directs the user to a specified network share.
This PoC generates a .library-ms XML file that points to a UNC path, which when opened on Windows, triggers an NTLM hash disclosure via SMB authentication. It is a legitimate exploit for CVE-2025-24054.
This advisory describes an NTLM hash disclosure vulnerability in Microsoft's .library-ms files, originally reported in 2018 and later assigned CVE-2025-24054. It provides historical context, references, and disclosure timeline but lacks functional exploit code.
This repository contains a functional PowerShell script that generates a malicious .LNK file to exploit CVE-2025-50154 and CVE-2025-59214, triggering NTLMv2-SSP hash disclosure via Windows File Explorer without user interaction. The exploit leverages a bypass in Microsoft's patch by crafting a shortcut with a remote SMB target path, forcing Explorer to fetch PE icons and leak authentication hashes.
This PoC exploits CVE-2025-24054 (formerly CVE-2025-24071) by generating a malicious `.library-ms` file embedded in a ZIP archive. When extracted by a victim, it triggers an SMB connection to an attacker-controlled IP, leaking NetNTLMv2 hashes.
This PoC demonstrates an NTLM hash leak vulnerability via `.library-ms` files on unpatched Windows systems. It generates a malicious `.library-ms` file that triggers an SMB authentication request to a specified server when opened or previewed in Windows Explorer.
This PoC generates a malicious .library-ms file that exploits CVE-2025-24054 by embedding a UNC path to a remote SMB share, which can trigger arbitrary code execution when opened by a vulnerable system. The script creates a zip file containing the exploit file for delivery.
This repository contains a proof-of-concept exploit for CVE-2025-24054, which leverages Windows File Explorer's automatic UNC path resolution during file preview operations to disclose NTLMv2-SSP hashes. The exploit includes both a Python-based implementation targeting SearchConnector files and a PowerShell-based bypass for subsequent patches.
This PoC exploits CVE-2025-24054 by creating a malicious .library-ms file to trigger an SMB connection to an attacker-controlled server, capturing NTLMv2 hashes. It includes functionality to generate the exploit file and extract hashes from Responder logs.
This repository contains a functional PoC for CVE-2025-24054, which exploits a Windows .library-ms file vulnerability to leak Net-NTLMv2 hashes via SMB. The PoC generates a malicious .library-ms file embedded in a ZIP archive, triggering an automatic SMB connection when extracted.
This repository contains a functional Metasploit module that exploits CVE-2025-24054 (formerly CVE-2025-24071) to leak NTLM hashes via a malicious .library-ms file embedded in a ZIP archive. The module generates a crafted ZIP file that, when extracted by Windows Explorer, triggers an SMB authentication request to an attacker-controlled server.
The repository contains only a README.md file with minimal information, mentioning CVE-2025-24054 and CVE-2025-24071 but no actual exploit code or technical details.
This PoC generates a malicious .library-ms file that exploits CVE-2025-24054 to trigger NTLM hash theft by pointing to an attacker-controlled SMB share. The script automates the creation of the file with user-provided attacker IP and share name.
This PoC generates a malicious .library-ms file that exploits CVE-2025-24054 to trigger an SMB connection to an attacker-controlled server, capturing Net-NTLM hashes. It automates the creation of the XML file with a UNC path pointing to the attacker's server.
References (7)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N