CVE-2002-0693
published 2002-10-10

CVE-2002-0693: Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server…

Priority P342 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 52.42% (98.8th percentile)
Buffer overflow in the HTML Help ActiveX Control (hhctrl.ocx) in Microsoft Windows 98, 98 Second Edition, Millennium Edition, NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute code via (1) a long parameter to the Alink function, or (2) script containing a long argument to the showHelp function.

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | windows_nt | |

Detection & IOCs (extracted from sources)

filename: hhctrl.ocx
command: showHelp("<long argument>")
bytes:
\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x03\x80\x6D\xF8\x50\x8D\x45\xFC\x50\x90\xB8
bytes:
\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45\xFD\x6D\xC6\x45\xFE\x64\x57\xC6\x45\xF8\x53\x80\x6D\xF8\x50\x8D\x45\xFC\x50\x90\xB8
  • The hardcoded fallback JMP EDI gadget address (0x77e79d02) is specific to a particular version of kernel32.dll; the exploit dynamically searches for the gadget at runtime, so the address will vary across patch levels.
  • Two shellcode variants exist (plain and encoded); the encoded variant adjusts function addresses by adding 0x78 to avoid certain byte values, so byte-signature detection must account for both forms.