https://github.com/helidem/cve-2025-24054-poc

Proof of Concept for the NTLM Hash Leak via .library-ms CVE-2025-24054
https://github.com/helidem/cve-2025-24054-poc

cve cve-2025-24054 cve-2025-24071 exploit library-ms ntlm ntlm-hash phishing poc windows

Last synced: 10 days ago
JSON representation

Proof of Concept for the NTLM Hash Leak via .library-ms CVE-2025-24054

• Host: GitHub
• URL: https://github.com/helidem/cve-2025-24054-poc
• Owner: helidem
• Created: 2025-04-22T13:04:41.000Z (13 days ago)
• Default Branch: main
• Last Pushed: 2025-04-22T13:22:27.000Z (13 days ago)
• Last Synced: 2025-04-25T15:08:12.044Z (10 days ago)
• Topics: cve, cve-2025-24054, cve-2025-24071, exploit, library-ms, ntlm, ntlm-hash, phishing, poc, windows
• Language: Python
• Homepage:
• Size: 6.84 KB
• Stars: 4
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# CVE-2025-24054 - NTLM Hash Leak via .library-ms Exploit

![PoC](https://img.shields.io/badge/type-poc-blue)

This PoC demonstrates the exploitation of the NTLM hash leak via `.library-ms` files on unpatched Windows systems (March 2025 Patch Tuesday).

> ⚠️ This is for educational and research purposes only. Do not use this on production or unauthorized systems.

## 🧠 Description

When a `.library-ms` file with a UNC path is opened (or previewed) in Windows Explorer, it triggers an SMB authentication request to the specified server, leaking the NTLMv2 hash.

## 📁 Files

- `generate_library_ms.py` : generates the malicious `.library-ms` file

- `xd.library-ms` : sample malicious file (points to a configurable SMB server)

- `Instructions_Responder.md` : how to set up a fake SMB server with Responder

## 🧪 How to Test

1. Start `Responder` on your attacker machine:

   ```bash

   sudo responder -I eth0

   ```

2. On the victim Windows VM:

   - Download or generate the `.library-ms` file

   - Preview it in File Explorer

3. On the attacker side:

   - Observe the captured NTLM hash in Responder's output

## 📸 Demo

![PoC Demo](./Screenshots/poc-demo.png)

## 📚 References

- [Check Point Research – CVE-2025-24054 Analysis](https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/)

- [Microsoft Patch Notes (March 2025)](https://borncity.com/win/2025/04/22/windows-ntlm-vulnerability-cve-2025-24054-is-being-exploited/)

## ✅ Mitigation

- Apply Microsoft's March 2025 patches

- Disable NTLM where possible

- Educate users to avoid interacting with `.library-ms` files from untrusted sources

## 🧑‍💻 Author

PoC created by [Helidem](https://github.com/helidem)