1. Item name : Microsoft Office
2. Affected OS:
Windows 7 32/64bit , Windows 8.1 32/64bit , windows 10 32/64bit
3. Vulnerable Target application versions and reliability. If 32 bit only, is 64 bit vulnerable?
Microsoft Office 2007 SP3
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 RT Service Pack 1 0
Microsoft Word 2010 Service Pack 2 (64-bit editions) 0
Microsoft Word 2010 Service Pack 2 (32-bit editions) 0
Microsoft Office 2010 (64-bit edition) SP2
Microsoft Office 2010 (32-bit edition) SP2
Microsoft Word 2016 Service Pack 1 (64-bit editions)
Microsoft Word 2016 Service Pack 1 (32-bit editions)
Microsoft Office: 365 ProPlus
4. Does this exploit affect the current target version?
[ - ] No
5. Privilege Level Gained
[ - ] Medium
6. Minimum Privilege Level Required For Successful PE
[ - ] Medium
7. Exploit Type (select all that apply)
[ - ] Remote code execution
8. Delivery Method
[ - ] Via file
9. Bug Class
[ - ] memory corruption
12. Number of bugs exploited in the item: 2
13. Exploitation Parameters
[ - ] Bypasses ASLR
[ - ] Bypasses DEP / W ^ X
[ - ] Bypasses EMET Version 5.52±
14. Is ROP employed?
[ - ] Yes (but without fixed addresses)
More info after purchase , ROP chain is located in msvcr71.dll library.
15. Does this item alert the target user?
NO , Completely Hidden shellcode Execution.
16. How long does exploitation take, in seconds?
5.2mil
17. Does this item require any specific user interactions?
NO , RCE without any interactions from target.
18. Any associated caveats or environmental factors? For example - does the exploit determine
remote OS/App versioning,and is that required?
NO its does not determine any app version if its not the affected app version it will cause DOS.
19. Does it require additional work to be compatible with arbitrary payloads?
[ - ] Yes
The exploit uses the heap spray technique in order to execute arbitrary code
20. Is this a finished item you have in your possession that is ready for delivery immediately?
[ - ] Yes
21. Impact on framework (crashes, etc.).
Microsoft Office 2007 SP3 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 Service Pack 1 (64-bit editions) = APP crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 Service Pack 1 (32-bit editions) = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2013 RT Service Pack 1 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2010 Service Pack 2 (64-bit editions) 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2010 Service Pack 2 (32-bit editions) 0 = no crash + perform the heap spray and execute a shellcode
Microsoft Office 2010 (64-bit edition) SP2 = no crash + perform the heap spray and execute a shellcode
Microsoft Office 2010 (32-bit edition) SP2 = no crash + perform the heap spray and execute a shellcode
Microsoft Word 2016 Service Pack 1 (64-bit editions) = APP crash + perform the heap spray and execute a shellcode
Microsoft Word 2016 Service Pack 1 (32-bit editions) = no crash + perform the heap spray and execute a shellcode
Microsoft Office: 365 ProPlus = APP crash + perform the heap spray and execute a shellcode
