Update 2024.1: fix broken links
Collection of Office exploits used in the real world in recent years, with samples and write-ups. Please study them in a virtual machine. You take responsibility yourself if you use them for illegal purposes. Each sample should match the hash given in the corresponding write-up, where one is mentioned.
If you are looking for more PoCs (reported by researchers but never used in the real world), you can search exploit-db for "microsoft office"; many researchers also publish their PoCs, for example at https://srcincite.io/advisories/ and https://bugs.chromium.org/p/project-zero/issues/list.
What did Microsoft do to make Office more secure?
1. Data Execution Prevention (DEP) in Office 2010
2. Enforce ASLR natively, without any additional setting, on Windows 7 and above in Office 2013, even for DLLs not originally compiled with the /DYNAMICBASE flag
3. Disable EPS in the 2017.4 patch
4. Disable DDE in the 2017.12 patch
CVE | Type of vulnerability | Fix time (YYYY.MM) |
---|---|---|
CVE-2012-0158 | stack overflow in ActiveX | 2012.4 |
CVE-2012-1856 | use-after-free in ActiveX | 2012.8 |
CVE-2013-3906 | array out of bounds in TIFF parser | 2013.12 |
CVE-2014-1761 | array out of bounds in RTF parser | 2014.4 |
CVE-2014-4114 | logic flaw in handling OLE objects | 2014.10 |
CVE-2014-6352 (patch bypass of CVE-2014-4114) | logic flaw in handling OLE objects | 2014.11 |
CVE-2015-0097 | logic flaw in security zone handling | 2015.3 |
CVE-2015-1641 | type confusion in RTF parser | 2015.4 |
CVE-2015-2545 | use-after-free in EPS parser | 2015.9 |
CVE-2016-7193 | array out of bounds in RTF parser | 2016.10 |
CVE-2017-0199 | logic flaw in Office Moniker handling | 2017.4 |
CVE-2017-0261 | use-after-free in EPS parser | 2017.5 |
CVE-2017-0262 | type confusion in EPS parser | 2017.5 |
CVE-2017-8570 (patch bypass of CVE-2017-0199) | logic flaw in Office Moniker handling | 2017.7 |
CVE-2017-8759 | logic flaw in .NET Framework | 2017.9 |
CVE-2017-11826 | type confusion in OOXML parser | 2017.10 |
CVE-2017-11882 | stack overflow in EQNEDT32.EXE | 2017.11 |
CVE-2018-0798 | stack overflow in EQNEDT32.EXE | 2018.1 |
CVE-2018-0802 | stack overflow in EQNEDT32.EXE | 2018.1 |