Microsoft office 0day Exploit 2020 04-30-2020, 06:37 PM
#1
1. Item name : Microsoft Office
2. Affected OS:
    Windows 7 32/64bit, Windows 8.1 32/64bit, Windows 10 32/64bit
3. Vulnerable Target application versions and reliability. If 32 bit only, is 64 bit vulnerable?
Microsoft Office 2007 SP3
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 RT Service Pack 1 0
Microsoft Word 2010 Service Pack 2 (64-bit editions) 0
Microsoft Word 2010 Service Pack 2 (32-bit editions) 0
Microsoft Office 2010 (64-bit edition) SP2
Microsoft Office 2010 (32-bit edition) SP2
Microsoft Word 2016 Service Pack 1 (64-bit editions)
Microsoft Word 2016 Service Pack 1 (32-bit editions)
Microsoft Office: 365 ProPlus
4. Does this exploit affect the current target version?
   [ - ] No
5. Privilege Level Gained
   [ - ] Medium
6. Minimum Privilege Level Required For Successful PE
   [ - ] Medium
7. Exploit Type (select all that apply)
   [ - ] Remote code execution
8. Delivery Method
   [ - ] Via file
9. Bug Class
   [ - ] memory corruption
12. Number of bugs exploited in the item: 2
13. Exploitation Parameters
   [ - ] Bypasses ASLR
   [ - ] Bypasses DEP / W ^ X
   [ - ] Bypasses EMET Version 5.52±
14. Is ROP employed?
 [ - ] Yes (but without fixed addresses)
More info after purchase , ROP chain is located in msvcr71.dll library.
15. Does this item alert the target user?
  NO , Completely Hidden shellcode Execution.
16. How long does exploitation take, in seconds?
   5.2mil
17. Does this item require any specific user interactions?
   NO , RCE without any interactions from target.
18. Any associated caveats or environmental factors? For example - does the exploit determine
   remote OS/App versioning, and is that required?
   NO, it does not determine any app version; if it is not the affected app version it will cause DoS.
19. Does it require additional work to be compatible with arbitrary payloads?
   [ - ] Yes
   The exploit uses the heap spray technique in order to execute arbitrary code
20. Is this a finished item you have in your possession that is ready for delivery immediately?
   [ - ] Yes
 21. Impact on framework (crashes, etc.).
Microsoft Office 2007 SP3 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 Service Pack 1 (64-bit editions) = APP crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 Service Pack 1 (32-bit editions) = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 RT Service Pack 1 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2010 Service Pack 2 (64-bit editions) 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2010 Service Pack 2 (32-bit editions) 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Office 2010 (64-bit edition) SP2 = no crash + perform the heap spray and execute a shellcode
Microsoft Office 2010 (32-bit edition) SP2 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2016 Service Pack 1 (64-bit editions) = APP crash + perform the heap spray and execute a shellcode
Microsoft Word 2016 Service Pack 1 (32-bit editions) = no crash + perform the heap spray and execute a shellcode
Microsoft Office: 365 ProPlus = APP crash + perform the heap spray and execute a shellcode
Other information : shellcode uses an incremental XOR to decode the malware
and then performs permutation on the first 512 bytes (to avoid PE detection)
Video: youtu.be/8t8COuqA19U
ICQ : 746229866
l33t.codes@gmail.com