Microsoft Office 0day Exploit

l33t-coder

New Member
Registered User
Joined
Apr 28, 2020
Messages
1
Likes
0
Points
0
Age
38
1. Item name : Microsoft Office


2. Affected OS:
Windows 7 32/64bit , Windows 8.1 32/64bit , windows 10 32/64bit

3. Vulnerable Target application versions and reliability. If 32 bit only, is 64 bit vulnerable?
Microsoft Office 2007 SP3
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 RT Service Pack 1 0
Microsoft Word 2010 Service Pack 2 (64-bit editions) 0
Microsoft Word 2010 Service Pack 2 (32-bit editions) 0
Microsoft Office 2010 (64-bit edition) SP2
Microsoft Office 2010 (32-bit edition) SP2
Microsoft Word 2016 Service Pack 1 (64-bit editions)
Microsoft Word 2016 Service Pack 1 (32-bit editions)
Microsoft Office: 365 ProPlus


4. Does this exploit affect the current target version?
[ - ] No

5. Privilege Level Gained
[ - ] Medium


6. Minimum Privilege Level Required For Successful PE
[ - ] Medium


7. Exploit Type (select all that apply)
[ - ] Remote code execution


8. Delivery Method
[ - ] Via file

9. Bug Class
[ - ] memory corruption


12. Number of bugs exploited in the item: 2

13. Exploitation Parameters
[ - ] Bypasses ASLR
[ - ] Bypasses DEP / W ^ X
[ - ] Bypasses EMET Version 5.52±

14. Is ROP employed?
[ - ] Yes (but without fixed addresses)
More info after purchase , ROP chain is located in msvcr71.dll library.

15. Does this item alert the target user?
NO , Completely Hidden shellcode Execution.

16. How long does exploitation take, in seconds?
5.2mil

17. Does this item require any specific user interactions?
NO , RCE without any interactions from target.

18. Any associated caveats or environmental factors? For example - does the exploit determine
remote OS/App versioning,and is that required?
NO its does not determine any app version if its not the affected app version it will cause DOS.

19. Does it require additional work to be compatible with arbitrary payloads?
[ - ] Yes
The exploit uses the heap spray technique in order to execute arbitrary code

20. Is this a finished item you have in your possession that is ready for delivery immediately?
[ - ] Yes

21. Impact on framework (crashes, etc.).

Microsoft Office 2007 SP3 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 Service Pack 1 (64-bit editions) = APP crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 Service Pack 1 (32-bit editions) = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 RT Service Pack 1 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2010 Service Pack 2 (64-bit editions) 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2010 Service Pack 2 (32-bit editions) 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Office 2010 (64-bit edition) SP2 = no crash + perform the heap spray and execute a shellcode
Microsoft Office 2010 (32-bit edition) SP2 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2016 Service Pack 1 (64-bit editions) = APP crash + perform the heap spray and execute a shellcode
Microsoft Word 2016 Service Pack 1 (32-bit editions) = no crash + perform the heap spray and execute a shellcode
Microsoft Office: 365 ProPlus = APP crash + perform the heap spray and execute a shellcode

Other information : shellcode uses an incremental XOR to decode the malware
and then performs permutation on the first 512 bytes (to avoid PE detection)

ICQ : 746229866
[email protected]
 
Top Bottom