office-exploit-case-study

update 2024.1:fix broken links

Collection of office exploit used in the real world recent years with samples and writeup,please study them in virtual machine.Take responsibility yourself if you use them for illegal purposes.Samples should match hash in corresponding writeup if mentioned.

If you are looking for more poc(reported by researchers and never used in the real world),you can go to exploit-db search "microsoft office",and many researchers share their poc like https://srcincite.io/advisories/ and https://bugs.chromium.org/p/project-zero/issues/list.

What did Microsoft do to make office more secure?

1.Data Execution Prevention in Office 2010

2.enforce ASLR randomization natively without any additional setting on Win7 and above, even for those DLLs not originally compiled with /DYNAMICBASE flag in Office 2013

3.disable EPS in 2017.4's patch

4.disable DDE in 2017.12's patch

CVE	Type of Vuln	fix time
CVE-2012-0158	stack overflow in ActiveX	2012.4
CVE-2012-1856	use after free in ActiveX	2012.8
CVE-2013-3906	array out of bounds in TIFF parser	2013.12
CVE-2014-1761	array out of bounds in RTF parser	2014.4
CVE-2014-4114	logic false in handling OLE object	2014.10
CVE-2014-6352(patch bypass of CVE-2014-4114)	logic false in handling OLE object	2014.11
CVE-2015-0097	logic false in security zone	2015.3
CVE-2015-1641	type confusion in RTF parser	2015.4
CVE-2015-2545	use after free in EPS parser	2015.9
CVE-2016-7193	array out of bounds in RTF parser	2016.10
CVE-2017-0199	logic false in Office Moniker	2017.4
CVE-2017-0261	use after free in EPS parser	2017.5
CVE-2017-0262	type confusion in EPS parser	2017.5
CVE-2017-8570(patch bypass of CVE-2017-0199)	logic false in Office Moniker	2017.7
CVE-2017-8759	logic false in .NET Framework	2017.9
CVE-2017-11826	type confusion in OOXML parser	2017.10
CVE-2017-11882	stack overflow in EQNEDT32.EXE	2017.11
CVE-2018-0798	stack overflow in EQNEDT32.EXE	2018.1
CVE-2018-0802	stack overflow in EQNEDT32.EXE	2018.1