Microsoft Office Equation Editor Memory Corruption RCE

This repository is a proof-of-concept (PoC) exploit for CVE-2018-0802, a vulnerability in Microsoft Office's Equation Editor that allows for arbitrary code execution via a crafted RTF file. The repository contains three files: a README with usage instructions, a sample malicious RTF file ('cve-2018-0802.rtf'), and a Python script ('cve-2018-0802_poc.py') that generates malicious RTF files. The Python script takes an executable command (such as 'calc.exe' or a remote executable path) and outputs an RTF file that, when opened in a vulnerable version of Microsoft Word, will execute the specified command. The exploit leverages the embedding of an OLE object with a crafted Equation.3 object to trigger the vulnerability. The main attack vector is through a malicious file delivered to the victim, and the payload is customizable to execute arbitrary commands. The exploit is a PoC and does not include advanced features such as evasion or persistence.

This repository provides a proof-of-concept exploit for CVE-2018-0802 (and optionally CVE-2017-11882), both critical vulnerabilities in the Microsoft Office Equation Editor. The main exploit script, 'packager_exec_CVE-2018-0802.py', generates a malicious RTF file that embeds a user-supplied executable using a Packager OLE object. When the RTF is opened in a vulnerable version of Microsoft Office, the exploit drops the embedded executable to the %TMP% directory and executes it via a WinExec call, achieving arbitrary code execution. The script supports an option to exploit both CVE-2018-0802 and CVE-2017-11882 in a single document. The repository also includes a sample malicious RTF ('example/example.rtf') that launches calc.exe, YARA rules for detection of the exploit, and a utility script ('yara/strip_keycodes.py') for removing obfuscating keycodes from RTF files. The exploit is a POC and requires the attacker to supply the payload executable. The attack vector is via malicious file delivery (RTF), and the main fingerprintable endpoint is the dropped file in the %TMP% directory.

This repository contains a Python proof-of-concept exploit for the Microsoft Office Equation Editor vulnerabilities CVE-2017-11882 and CVE-2018-0802. The main file, RTF_11882_0802.py, is a command-line tool that generates a malicious RTF file. The user specifies a command to execute on the target system and the output file name for the crafted RTF. Optionally, a template RTF can be provided. The exploit works by embedding a specially crafted OLE object into the RTF, which triggers the vulnerability in the Equation Editor component when the file is opened in a vulnerable version of Microsoft Office on Windows. The exploit does not contain any hardcoded payload; instead, it allows the user to specify any command, making it a flexible proof-of-concept. The repository also includes a README with usage instructions and references to research and advisories. No network endpoints or external IPs/domains are present; the attack vector is via a malicious file delivered to the victim.