exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Power Point Java Payload Code Execution

Microsoft Power Point Java Payload Code Execution
Posted Jan 22, 2017
Authored by Fady Mohamed Osman

Microsoft power point allows users to insert objects of arbitrary file types. At presentation time these objects can be activated by mouse movement or clicking.

tags | exploit, arbitrary
SHA-256 | 2d838b7169aaadc022b8b58be4e89a994a898f95dd32856f8fa4e1c3b5cff755

Microsoft Power Point Java Payload Code Execution

Change Mirror Download
# Exploit Title: Microsoft Power Point Java Payload Code Execution
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Demo Video : https://www.youtube.com/watch?v=DOJSUJK7hRo
# Video Tutorial : https://www.youtube.com/watch?v=Li_h-iuXgEM
# Youtube Channel: https://www.youtube.com/user/cutehack3r
# Date: Jan 21, 2017
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://www.office.com/
# Version: Windows 7 x64 Ultimate Build 7601 Service Pack 1 Without any
updates
# Tested on: Windows 7 x64 Ultimate Build 7601 SP1 Without any updates,
Power Point 2016 MSO 16.0.4266.1001 64-bit professional plus and Java
Version 8 Update 101 (build 1.8.0_101-b13).

Microsoft power point allows users to insert objects of arbitrary file
types, at presentation time these objects can be activated by mouse
movement or clicking.

If the user have JAVA (or python or similar interpreters) an attacker can
insert jar file or py file into the presentation and trigger it when mouse
moves, for easier exploitation the attacker can use ppsx file which will
load automatically in presentation mode and once the user opens the file
and moves mouse it will trigger the payload.

To exploit this issue:

1 - Create a new power point presentation.
2 - Insert object and choose "create from file" and choose the jar payload.
3 - On the insert tab, click action and in both "mouse over" and "mouse
click" tabs choose "object action" and choose "activate"
4 - Scale the object to fit the whole slide so when the user opens the file
it mouse will be over it, and just in case also if the user clicks it will
open the jar file.
5 - Save the file as ppsx file.

Attached a file that will open a java pop up when executed but any java
payload will also work including the meterpreter payloads generated by
metasploit.

Please note that in a fully patched version a pop up will show asking the
user to run the file which is useful if you're good at social engineering ;)

Timeline:
Aug 10, 2016 - Reported To Microsoft
Sep 7, 2016 - Microsoft Said they're unable to have the same behaviour and
asked me to update My system and check again.
Sep 8, 2016 - sent to Microsoft to confirm that a pop up shows in case of a
fully updated windows 7 version.
Sep 17, 2016 - Microsoft asked for a video showing the bug in both updated
and not updated versions, I sent the video in the same day.
Sep 27, 2016 - Microsoft confirmed that the behavior can only produced in a
non patched version and considered as not reproducible in fully patched
system.

--

*Regards,*


[image: Fady Osman on about.me]

Fady Osman
about.me/Fady_Osman
<http://about.me/Fady_Osman>
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close