Exploiting ‘pFragments’ in unpatched MS-Office: Old – But Still Toxic

by MalwareSecurity Research & Analysis

I still see malware exploiting the CVE-2010-3333 vulnerability even though it’s over a year old.  Why do attackers still use this exploit? Mainly because it’s very simple to exploit and many users have still not applied the MS10-087 update (or maybe they are using cracked versions of MS Office).

Exploit Overview


The exploit sample usually arrives via an enticing email to lure recipients into opening the attachment file which is usually a “.doc” extension. Some of the attachment filenames we have seen are as follows:

  • traking_doc_MW421330771CA.doc
  • aircanada_eticket_[random_number].doc
  • efax__[random_number].doc
  • file-_[random_number]_doc
  • President Obama’s Speech.doc
  • and so on…

Some background about how the exploit works. Following the metasploit framework for CVE-2010-3333, the ‘pFragments’ property format is as follows:

{shp{sp{sn pFragments}{sv #{sploit}}}

Where “#{sploit}” = “;;”.  The “” and “” are random integers between 1 and 9 that are not 2, 4, or 8 that don’t follow the RTF guidelines.  This leads to a Stack Overflow in the RTF parser.

Code Snippet:


The “” is the content of the exploit’s shellcode with the starting 12 characters “11111111acc8″. Where the last four characters “acc8″ or 0xc8ac (in hex) is the size of the data array to copy that triggers the vulnerability.

Code Snippet:


As of this writing, the exploit samples we’ve seen this month dismantle the structure of ‘pFragments’ in the RTF in order to avoid being detected as seen in the image below.


Tracing the Exploit

 A call to memcpy() in MSO.DLL triggered the overwriting of a return address in the stack while processing a crafted ‘pFragments’ shape property under the RTF parser function. This is because there is no checking on the size of source data buffer versus the length of destination data buffer. Since the content of the source data is longer than the buffer destination (double word in size) and the initialized stack, this causes the overwriting of the correct return address in the stack. (See picture below)

Call to memcpy() in MSO.DLL RTF parser function that overflows the stack:


Code Snippet:


Keeping your antivirus definitions up to date and applying the latest Microsoft Windows and Office updates, will protect you from toxic malware such as this.

Go back