It exploits a stack-based buffer overflow in the handling of the 'pFragments' shape property within the Microsoft Word RTF parser. The Bat! users should not be worried, as the program is invulnerable to the recently reported pFragments Microsoft Office exploit. The Bat! uses its own component to handle RTF messages.
To learn more on this exploit follow this link.