forked from Cr4sh/MsFontsFuzz
*********************************************************
MsFontsFuzz: OpenType font format fuzzer for Windows
By Oleksiuk Dmytro (aka Cr4sh)
http://twitter.com/d_olex
http://blog.cr4.sh
mailto:cr4sh0@gmail.com
*********************************************************
USAGE:
> MsFontsFuzz.exe <font_name> <font_file_path> [options]
... where <font_name> is the text name of the font and <font_file_path> is the path to the .TTF/.OTF font file.
The [options] can be:
--test – Just draw font characters and print file information without fuzzing.
--text – String that will be drawn during fuzzing using the specified font. By default, a string of the ASCII characters in the range 20h – 7Fh.
--noisy – Print detailed information about each fuzzing iteration.
--fix-crcs – Fix invalid checksums in specified font file without fuzzing.
EXAMPLE:
See Release\BrushScriptStd_Fuzzing.bat; run this script to start fuzzing with the Brush Script Std Regular font.
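The checksum repair behind --fix-crcs, as an added example that is not part of MsFontsFuzz: a small Python sfnt/OpenType table-directory parser that recomputes each table's checksum and head.checkSumAdjustment the way the OpenType spec defines them, then runs the mutate-and-repair round trip a mutation fuzzer performs on every iteration. The font bytes (a dummy 'head' table and a short CFF stub), the mutation position and all function names are constructed for this demo and are not taken from the tool or from a real font.

```python
"""
Added example, not MsFontsFuzz code: recompute sfnt table checksums and
head.checkSumAdjustment after mutating a font, so the file is not rejected as
corrupt before the parser code under test is reached. Constructed font bytes.
"""
import struct
from typing import Dict, Tuple

HEAD_TAG = b"head"
HEAD_ADJUST_OFFSET = 8       # checkSumAdjustment is the third uint32 of 'head'
CHECKSUM_MAGIC = 0xB1B0AFBA  # OpenType constant: whole-file sum must equal this

# Constructed tables: a 54-byte 'head' (version, fontRevision, adjustment=0,
# magicNumber, rest zero) and a 9-byte CFF stub (odd length to exercise padding).
HEAD = struct.pack(">IIII", 0x00010000, 0x00010000, 0, 0x5F0F3CF5) + b"\0" * 38
CFF_STUB = b"\x01\x00\x04\x01" + b"\x00\x02\x00\x01\x00"


def table_checksum(data: bytes) -> int:
    """Sum of big-endian uint32 words, zero-padded to a 4-byte boundary, mod 2**32."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF


def build_font(tables: Dict[bytes, bytes], sfnt_version: bytes = b"OTTO") -> bytes:
    """Assemble an sfnt container; directory checksums are left at zero (i.e. wrong)."""
    tags = sorted(tables)
    num = len(tags)
    entry_selector = max(num.bit_length() - 1, 0)      # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", sfnt_version, num, search_range,
                         entry_selector, num * 16 - search_range)
    directory, body = b"", b""
    data_start = 12 + 16 * num
    for tag in tags:
        data = tables[tag]
        directory += struct.pack(">4sIII", tag, 0, data_start + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)        # tables start 4-byte aligned
    return header + directory + body


def parse_directory(font: bytes) -> Dict[bytes, Tuple[int, int, int, int]]:
    """Return {tag: (record_offset, stored_checksum, table_offset, length)}."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    records = {}
    for i in range(num_tables):
        rec_off = 12 + 16 * i
        tag, csum, off, length = struct.unpack_from(">4sIII", font, rec_off)
        if off + length > len(font):                   # bounds check before slicing
            raise ValueError("table %r runs past end of file" % tag)
        records[tag] = (rec_off, csum, off, length)
    return records


def fix_checksums(font: bytes) -> bytes:
    """Recompute every table checksum, then head.checkSumAdjustment; returns new bytes."""
    buf = bytearray(font)
    records = parse_directory(font)
    head_off = records[HEAD_TAG][2] if HEAD_TAG in records else None
    if head_off is not None:  # adjustment must be zero while the sums are computed
        struct.pack_into(">I", buf, head_off + HEAD_ADJUST_OFFSET, 0)
    for tag, (rec_off, _stored, off, length) in records.items():
        struct.pack_into(">I", buf, rec_off + 4, table_checksum(bytes(buf[off:off + length])))
    if head_off is not None:  # adjustment is computed last, over the whole rewritten file
        adjust = (CHECKSUM_MAGIC - table_checksum(bytes(buf))) & 0xFFFFFFFF
        struct.pack_into(">I", buf, head_off + HEAD_ADJUST_OFFSET, adjust)
    return bytes(buf)


def verify_checksums(font: bytes) -> Dict[bytes, bool]:
    """Per-table checks plus the whole-file check (key b'*file*')."""
    records = parse_directory(font)
    buf = bytearray(font)
    if HEAD_TAG in records:
        struct.pack_into(">I", buf, records[HEAD_TAG][2] + HEAD_ADJUST_OFFSET, 0)
    results = {tag: table_checksum(bytes(buf[off:off + length])) == stored
               for tag, (_rec, stored, off, length) in records.items()}
    results[b"*file*"] = table_checksum(font) == CHECKSUM_MAGIC
    return results


def mutate_table(font: bytes, tag: bytes, rel_offset: int, value: int) -> bytes:
    """Overwrite one byte inside table `tag`: the basic step of a mutation fuzzer."""
    _rec, _stored, off, length = parse_directory(font)[tag]
    if not 0 <= rel_offset < length:
        raise IndexError("offset outside table %r" % tag)
    buf = bytearray(font)
    buf[off + rel_offset] = value & 0xFF
    return bytes(buf)


def demo() -> Tuple[bool, bool, bool]:
    """Build -> fix -> mutate -> fix again; returns the three verification results."""
    font = fix_checksums(build_font({HEAD_TAG: HEAD, b"CFF ": CFF_STUB}))
    ok_clean = all(verify_checksums(font).values())
    mutated = mutate_table(font, b"CFF ", 5, 0x0D)      # arbitrary one-byte mutation
    ok_mutated = all(verify_checksums(mutated).values())
    ok_repaired = all(verify_checksums(fix_checksums(mutated)).values())
    return ok_clean, ok_mutated, ok_repaired
```

Per-table checksums alone are not enough: the 'head' checksum is defined with checkSumAdjustment zeroed, and the adjustment itself is computed over the entire file, so it has to be written last, after every directory record has been updated. demo() returns (True, False, True): a consistent file, the same file after one mutated byte, and the file after repair.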
This fuzzer helped me find a remote (client-side) DoS 0day vulnerability in the Windows kernel: invalid decoding of the 0x0d byte in a Type 2 Charstring Format glyph sends the ATMFD.DLL code into an infinite loop.
PoC code: http://dl.dropbox.com/u/22903093/blog/CFF_Type-1_0x0d_expl/CFF_Type-1_0x0d_expl.rar
Detailed analysis (Russian): http://blog.cr4.sh/2012/06/0day-windows.html