
office-exploit-case-study

Update 2024.1: fixed broken links.

A collection of Office exploits used in the real world in recent years, with samples and writeups. Please study them in a virtual machine. Take responsibility yourself if you use them for illegal purposes. Each sample should match the hash given in the corresponding writeup, where one is mentioned.

If you are looking for more PoCs (reported by researchers but never used in the real world), search exploit-db for "microsoft office"; many researchers also publish their PoCs, for example at https://srcincite.io/advisories/ and https://bugs.chromium.org/p/project-zero/issues/list.

What did Microsoft do to make Office more secure?

1. Data Execution Prevention (DEP) in Office 2010.

2. Office 2013 enforces ASLR natively on Windows 7 and above, without any additional setting, even for DLLs that were not originally compiled with the /DYNAMICBASE flag.

3. EPS rendering was disabled in the 2017.4 patch.

4. DDE was disabled in the 2017.12 patch.

| CVE | Type of vulnerability | Fix time (year.month) |
|-----|-----------------------|-----------------------|
| CVE-2012-0158 | stack overflow in ActiveX | 2012.4 |
| CVE-2012-1856 | use after free in ActiveX | 2012.8 |
| CVE-2013-3906 | array out of bounds in TIFF parser | 2013.12 |
| CVE-2014-1761 | array out of bounds in RTF parser | 2014.4 |
| CVE-2014-4114 | logic flaw in handling OLE object | 2014.10 |
| CVE-2014-6352 (patch bypass of CVE-2014-4114) | logic flaw in handling OLE object | 2014.11 |
| CVE-2015-0097 | logic flaw in security zone | 2015.3 |
| CVE-2015-1641 | type confusion in RTF parser | 2015.4 |
| CVE-2015-2545 | use after free in EPS parser | 2015.9 |
| CVE-2016-7193 | array out of bounds in RTF parser | 2016.10 |
| CVE-2017-0199 | logic flaw in Office Moniker | 2017.4 |
| CVE-2017-0261 | use after free in EPS parser | 2017.5 |
| CVE-2017-0262 | type confusion in EPS parser | 2017.5 |
| CVE-2017-8570 (patch bypass of CVE-2017-0199) | logic flaw in Office Moniker | 2017.7 |
| CVE-2017-8759 | logic flaw in .NET Framework | 2017.9 |
| CVE-2017-11826 | type confusion in OOXML parser | 2017.10 |
| CVE-2017-11882 | stack overflow in EQNEDT32.EXE | 2017.11 |
| CVE-2018-0798 | stack overflow in EQNEDT32.EXE | 2018.1 |
| CVE-2018-0802 | stack overflow in EQNEDT32.EXE | 2018.1 |