Microsoft Power Point Java Payload Code Execution

`# Exploit Title: Microsoft Power Point Java Payload Code Execution  
# Exploit Author: Fady Mohamed Osman (@fady_osman)  
# Exploit-db : http://www.exploit-db.com/author/?a=2986  
# Demo Video : https://www.youtube.com/watch?v=DOJSUJK7hRo  
# Video Tutorial : https://www.youtube.com/watch?v=Li_h-iuXgEM  
# Youtube Channel: https://www.youtube.com/user/cutehack3r  
# Date: Jan 21, 2017  
# Vendor Homepage: https://www.microsoft.com/  
# Software Link: https://www.office.com/  
# Version: Windows 7 x64 Ultimate Build 7601 Service Pack 1 Without any  
updates  
# Tested on: Windows 7 x64 Ultimate Build 7601 SP1 Without any updates,  
Power Point 2016 MSO 16.0.4266.1001 64-bit professional plus and Java  
Version 8 Update 101 (build 1.8.0_101-b13).  
  
Microsoft power point allows users to insert objects of arbitrary file  
types, at presentation time these objects can be activated by mouse  
movement or clicking.  
  
If the user have JAVA (or python or similar interpreters) an attacker can  
insert jar file or py file into the presentation and trigger it when mouse  
moves, for easier exploitation the attacker can use ppsx file which will  
load automatically in presentation mode and once the user opens the file  
and moves mouse it will trigger the payload.  
  
To exploit this issue:  
  
1 - Create a new power point presentation.  
2 - Insert object and choose "create from file" and choose the jar payload.  
3 - On the insert tab, click action and in both "mouse over" and "mouse  
click" tabs choose "object action" and choose "activate"  
4 - Scale the object to fit the whole slide so when the user opens the file  
it mouse will be over it, and just in case also if the user clicks it will  
open the jar file.  
5 - Save the file as ppsx file.  
  
Attached a file that will open a java pop up when executed but any java  
payload will also work including the meterpreter payloads generated by  
metasploit.  
  
Please note that in a fully patched version a pop up will show asking the  
user to run the file which is useful if you're good at social engineering ;)  
  
Timeline:  
Aug 10, 2016 - Reported To Microsoft  
Sep 7, 2016 - Microsoft Said they're unable to have the same behaviour and  
asked me to update My system and check again.  
Sep 8, 2016 - sent to Microsoft to confirm that a pop up shows in case of a  
fully updated windows 7 version.  
Sep 17, 2016 - Microsoft asked for a video showing the bug in both updated  
and not updated versions, I sent the video in the same day.  
Sep 27, 2016 - Microsoft confirmed that the behavior can only produced in a  
non patched version and considered as not reproducible in fully patched  
system.  
  
--   
  
*Regards,*  
  
  
[image: Fady Osman on about.me]  
  
Fady Osman  
about.me/Fady_Osman  
<http://about.me/Fady_Osman>  
`