Microsoft Office Remote Code Execution Vulnerability

This repository contains a Bash script ('auto') and a README.md file. The script automates the process of generating a malicious Microsoft Office PPSX file exploiting CVE-2017-8570. The attacker sets their own IP address and port, and the script uses msfvenom to generate a Meterpreter reverse shell payload. It clones a toolkit from GitHub, prepares the payload, and sets up a Metasploit handler. The attacker is instructed to send the generated Invoice.ppsx file to the victim. When the victim opens the file, it triggers a download of the Meterpreter payload via PowerShell, resulting in a reverse shell connection to the attacker's machine. The main attack vector is phishing via a malicious Office document. The script is operational and automates the exploit setup, but relies on external tools and manual delivery of the malicious file.

This repository provides a Python tool ('generate_ppsx.py') that generates a malicious PowerPoint Show (.ppsx) file and an associated XML file to exploit CVE-2017-8570, a vulnerability in Microsoft Office. The exploit works by embedding a reference to a remote XML file in the .ppsx file. The XML file, when accessed by PowerPoint, triggers PowerShell to download and execute a remote payload (such as an executable or script) from an attacker-controlled server. The README.md provides detailed usage instructions, including example command lines and required setup steps. The exploit requires the attacker to host both the payload and the XML file on a web server, and for the victim to open the crafted .ppsx file in PowerPoint. The repository contains two files: a README.md with instructions and a Python script that automates the creation of the exploit files. The main attack vector is via a malicious file, and the exploit leverages remote URLs for payload delivery and execution.

This repository is a Proof of Concept exploit for CVE-2017-8570 (the 'Composite Moniker' vulnerability in Microsoft Office). The main exploit script, 'packager_composite_moniker.py', generates a malicious RTF file that embeds a scriptlet (.sct) file using the Packager.dll trick. When a vulnerable version of Microsoft Office opens the generated RTF, it drops the SCT file into the %TEMP% directory (or a fake path) and executes it, leading to arbitrary code execution. The provided 'calc.sct' payload demonstrates code execution by launching calc.exe. The repository also includes a YARA rule for detection and an example RTF file. The exploit is a POC and does not include weaponized features such as payload customization or C2 communication. The main attack vector is via malicious file delivery (RTF document).