bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/41144.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

36 lines
No EOL
2.6 KiB
Text
Raw Blame History

# Exploit Title: Microsoft Power Point Java Payload Code Execution
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Demo Video : https://www.youtube.com/watch?v=DOJSUJK7hRo
# Video Tutorial : https://www.youtube.com/watch?v=Li_h-iuXgEM
# Youtube Channel: https://www.youtube.com/user/cutehack3r
# Date: Jan 21, 2017
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://www.office.com/
# Version: Windows 7 x64 Ultimate Build 7601 Service Pack 1 Without any updates
# Tested on: Windows 7 x64 Ultimate Build 7601 SP1 Without any updates, Power Point 2016 MSO 16.0.4266.1001 64-bit professional plus and Java Version 8 Update 101 (build 1.8.0_101-b13).
Microsoft power point allows users to insert objects of arbitrary file types, at presentation time these objects can be activated by mouse movement or clicking.
If the user have JAVA (or python or similar interpreters) an attacker can insert jar file or py file into the presentation and trigger it when mouse moves, for easier exploitation the attacker can use ppsx file which will load automatically in presentation mode and once the user opens the file and moves mouse it will trigger the payload.
To exploit this issue:
1 - Create a new power point presentation.
2 - Insert object and choose "create from file" and choose the jar payload.
3 - On the insert tab, click action and in both "mouse over" and "mouse click" tabs choose "object action" and choose "activate"
4 - Scale the object to fit the whole slide so when the user opens the file it mouse will be over it, and just in case also if the user clicks it will open the jar file.
5 - Save the file as ppsx file.
POC file that will open a java pop up when executed but any java payload will also work including the meterpreter payloads generated by metasploit.
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41144.ppsx
Please note that in a fully patched version a pop up will show asking the user to run the file which is useful if you're good at social engineering ;)
Timeline:
Aug 10, 2016 - Reported To Microsoft
Sep 7, 2016 - Microsoft Said they're unable to have the same behaviour and asked me to update My system and check again.
Sep 8, 2016 - sent to Microsoft to confirm that a pop up shows in case of a fully updated windows 7 version.
Sep 17, 2016 - Microsoft asked for a video showing the bug in both updated and not updated versions, I sent the video in the same day.
Sep 27, 2016 - Microsoft confirmed that the behavior can only produced in a non patched version and considered as not reproducible.
Reference in a new issue View git blame Copy permalink