Skip to content
This repository has been archived by the owner on May 14, 2022. It is now read-only.
/ MsFontsFuzz Public archive

OpenType font file format fuzzer for Windows

Notifications You must be signed in to change notification settings

Cr4sh/MsFontsFuzz

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 

Repository files navigation

*********************************************************

  MsFontsFuzz: OpenType font format fuzzer for Windows

  By Oleksiuk Dmytro (aka Cr4sh)
  https://twitter.com/d_olex
  https://blog.cr4.sh
  mailto:[email protected]
  
*********************************************************

USAGE:

  > MsFontsFuzz.exe <font_name> <font_file_path> [options]

... where <font_name> and <font_file_path> – Text name of the font and path to the .TTF/.OTF font file.

The [options] can be:

  --test – Just draw font characters and print file information without fuzzing.

  --text – String that will be drawn during fuzzing using the specified font. By default - ASCII ñcharacters string in range 20h – 7Fh.

  --noisy – Print detailed information about each fuzzing iteration.

  --fix-crcs – Fix invalid checksums in specified font file without fuzzing.
  
  
EXAMPLE:

See Release\BrushScriptStd_Fuzzing.bat - you can run this scenario to start fuzzing with the Brush Script Std Regular font.

This fuzzer helps me to find remote (client-side) DoS 0day vulnerability in Windows kernel, with invalid decoding of 0x0d byte in the Type 2 Charstring Format Glyph, that drops ATMFD.DLL code into the infinite loop.

PoC code: https://dl.dropbox.com/u/22903093/blog/CFF_Type-1_0x0d_expl/CFF_Type-1_0x0d_expl.rar

Detailed analysis (russian): https://blog.cr4.sh/2012/06/0day-windows.html



Releases

No releases published

Packages

No packages published

Languages