office-exploit-case-study

Update 2024.1: fix broken links

A collection of Office exploits used in the real world in recent years, with samples and write-ups. Please study them in a virtual machine. You take responsibility yourself if you use them for illegal purposes. Each sample should match the hash given in the corresponding write-up, where one is mentioned.

If you are looking for more PoCs (reported by researchers but never used in the real world), search exploit-db for "microsoft office"; many researchers also publish their PoCs, for example at https://srcincite.io/advisories/ and https://bugs.chromium.org/p/project-zero/issues/list.

What did Microsoft do to make office more secure?

1. Data Execution Prevention (DEP) enabled in Office 2010.

2. Office 2013 enforces ASLR natively on Windows 7 and above, without any additional setting, even for DLLs that were not originally compiled with the /DYNAMICBASE flag.

3. EPS image handling disabled in the 2017.4 patch.

4. DDE disabled in the 2017.12 patch.

| CVE | Type of vulnerability | Fix date |
|---|---|---|
| CVE-2012-0158 | stack overflow in ActiveX | 2012.4 |
| CVE-2012-1856 | use after free in ActiveX | 2012.8 |
| CVE-2013-3906 | array out of bounds in TIFF parser | 2013.12 |
| CVE-2014-1761 | array out of bounds in RTF parser | 2014.4 |
| CVE-2014-4114 | logic flaw in handling OLE object | 2014.10 |
| CVE-2014-6352 (patch bypass of CVE-2014-4114) | logic flaw in handling OLE object | 2014.11 |
| CVE-2015-0097 | logic flaw in security zone | 2015.3 |
| CVE-2015-1641 | type confusion in RTF parser | 2015.4 |
| CVE-2015-2545 | use after free in EPS parser | 2015.9 |
| CVE-2016-7193 | array out of bounds in RTF parser | 2016.10 |
| CVE-2017-0199 | logic flaw in Office Moniker | 2017.4 |
| CVE-2017-0261 | use after free in EPS parser | 2017.5 |
| CVE-2017-0262 | type confusion in EPS parser | 2017.5 |
| CVE-2017-8570 (patch bypass of CVE-2017-0199) | logic flaw in Office Moniker | 2017.7 |
| CVE-2017-8759 | logic flaw in .NET Framework | 2017.9 |
| CVE-2017-11826 | type confusion in OOXML parser | 2017.10 |
| CVE-2017-11882 | stack overflow in EQNEDT32.EXE | 2017.11 |
| CVE-2018-0798 | stack overflow in EQNEDT32.EXE | 2018.1 |
| CVE-2018-0802 | stack overflow in EQNEDT32.EXE | 2018.1 |