Microsoft Word RTF Heap Corruption Remote Code Execution
CVE-2023-21716 is a high-severity remote code execution vulnerability in Microsoft Word, associated with 'Word RTF Heap Corruption.' A malicious Word document can trigger it, and exploitation can occur even when the document is only viewed through Microsoft Outlook's preview pane. This indicates a memory-corruption condition in Word's handling of crafted RTF content that can be reached during document parsing or rendering, without the victim fully opening the file.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a minimal single-file Python proof-of-concept for CVE-2023-21716. The only file, exploit.py, generates a malicious RTF document named malicious.rtf. The script builds a basic RTF header, appends a very large number of font table entries with font IDs ranging from 0 to 32760, and finishes with a small footer before writing the result to disk. There is no networking, command execution, shell payload, or post-exploitation logic. The exploit capability is limited to file generation: it produces a crafted document intended to trigger a vulnerability in a target RTF parser, likely Microsoft Word/Office on Windows, when the file is opened. The repository structure is extremely simple and purpose-built as a crash/trigger POC rather than a weaponized exploit.
This repository provides a proof-of-concept (PoC) exploit for CVE-2023-21716, a critical heap buffer overflow vulnerability in Microsoft Word's handling of RTF files with oversized font tables. The repository contains two files: a detailed README.md explaining the vulnerability, affected products, and exploitation steps, and a Python script (RTF-creator.py) that generates a malicious RTF file ('malicious.rtf') with 32,761 font entries. Opening or previewing this file in a vulnerable version of Microsoft Word or Outlook triggers a crash due to heap corruption, as demonstrated by the included WinDbg analysis. The exploit is a PoC and does not include a remote code execution payload, but it effectively demonstrates the vulnerability by causing a crash. The main attack vector is via malicious file delivery (e.g., email attachment). No network endpoints or registry keys are involved; the only fingerprintable endpoint is the generated 'malicious.rtf' file.
This repository provides a proof-of-concept (POC) exploit for CVE-2023-21716, a heap corruption vulnerability in Microsoft Word's RTF parser. The main exploit is implemented in 'POC-CVE-2023-21716.py', which generates a malicious RTF file ('POC-CVE-2023-21716.rtf') containing an oversized font table. When this file is opened in a vulnerable version of Microsoft Word (Office 365, 2016, 2013, 2010, or 2007), it can trigger heap corruption and potentially allow remote code execution with the victim's privileges. The repository also includes two YARA rules ('CVE-2023-21716.yar') for detecting RTF files crafted to exploit this vulnerability, and a brief README. The exploit is a POC and does not include a weaponized payload, but demonstrates the vulnerability's trigger condition. The main attack vector is via malicious document delivery (e.g., email attachment), and the primary fingerprintable endpoint is the generated RTF file.
This repository is a proof-of-concept (POC) exploit for CVE-2023-21716, which targets a vulnerability in the RTF parser on Windows 10 systems. The repository contains three files: a LICENSE, a README.md, and the main exploit script (exploit.py). The exploit.py script generates a specially crafted RTF file ('exploit.rtf') with an extremely large font table (32,761 entries), which is designed to crash the RTF parser (such as Microsoft Word) when opened. This demonstrates a denial-of-service condition. The exploit is written in Python and is intended to be run on a system with Python 3.11. There are no network endpoints or remote attack vectors; the attack is local and requires the target to open the generated file. The repository is structured simply, with the exploit logic contained entirely in a single Python script.
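A defensive check for the trigger condition these summaries describe (an RTF font table with an abnormally large number of entries), added here as an example and not taken from any of the listed repositories or their YARA rules. The `DEFAULT_MAX_FONTS` threshold, the function names and the sample documents are assumptions constructed for illustration.

```python
import re

# Assumed triage threshold, far below the 32,761 entries the PoCs use.
# Tune it against the documents seen in your own mail flow.
DEFAULT_MAX_FONTS = 1000

# \fN font-number control word; \fs24, \fnil, \fcharset0 etc. do not match.
FONT_ID = re.compile(rb"\\f(\d+)(?![A-Za-z0-9])")

def fonttbl_span(data: bytes):
    """Return the bytes of the {\\fonttbl ...} group, or None if absent."""
    start = data.find(b"{\\fonttbl")
    if start < 0:
        return None
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # control word or escaped brace: skip next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return data[start:i + 1]
        i += 1
    return data[start:]         # unterminated group: inspect up to end of file

def inspect_rtf(data: bytes, max_fonts: int = DEFAULT_MAX_FONTS) -> dict:
    """Count font entries declared in the font table and flag oversized tables."""
    result = {"is_rtf": data.lstrip().startswith(b"{\\rtf"),
              "fonts": 0, "max_id": None, "suspicious": False}
    table = fonttbl_span(data)
    if not result["is_rtf"] or table is None:
        return result
    ids = [int(m.group(1)) for m in FONT_ID.finditer(table)]
    result["fonts"] = len(ids)
    result["max_id"] = max(ids) if ids else None
    result["suspicious"] = len(ids) > max_fonts
    return result

# Constructed sample documents (not captured from real mail or from the PoCs).
BENIGN = rb"{\rtf1\ansi{\fonttbl{\f0\fnil Arial;}{\f1\froman Times;}}\f0\fs24 hello}"
CROWDED = rb"{\rtf1{\fonttbl{\f0 A;}{\f1 B;}{\f2 C;}{\f3 D;}{\f4 E;}}\f0 x}"
TRUNCATED = rb"{\rtf1{\fonttbl{\f0 A;}{\f1 B;}"
```

The scan does not decode `\bin` payloads or embedded objects, so treat a clean result as the absence of this one indicator rather than a verdict on the file.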
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Microsoft Word RTF heap corruption vulnerability referenced as an associated analytic story.
A vulnerability (CVE-2023-21716) related to malicious macro execution in Microsoft Office products, allowing for suspicious child process creation such as pwsh.exe.
A Microsoft Word RTF heap corruption vulnerability referenced in detections for suspicious Office child process activity.