cbcvebase.
CVE-2006-0564
published 2006-02-06

Priority: P3 48 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: yes
EPSS: 71.46% (99.3rd percentile)
Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field.

Affected

4 ranges

Vendor     Product             Version range           Fixed in
gnu        mailman             >= 0 < 1:2.1.10~b3-1    1:2.1.10~b3-1
microsoft  html_help
microsoft  html_help_workshop
microsoft  html_help_workshop

Detection & IOCs (extracted from sources)

filename: msf.hhp
port: 13579
version: Microsoft HTML Help Workshop 4.74.8702.0
bytes: \x5d\x38\x82\x7c (JMP ESP return address, repeated)
bytes: \x5d\x38\x82\x7c (JMP ESP, used at offsets 272-292)
bytes: \x77\xe8\x59\xba (return address at overflow[280])
bytes: \x93\x1f\x40\x00 (CALL EDI, hhw.exe universal)
bytes: Egg hunter stub: \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
bytes: Egg tag marker: \x69\x72\x61\x71\x69\x72\x61\x71 (iraqiraq)
  • Exploit .hhp files contain NOP sleds (0x90) followed by shellcode in the 'Compiled file=' or 'Contents file=' field; look for large blocks of 0x90 bytes in .hhp file fields.
  • Exploit .hhp files use the egg-hunter tag bytes 'iraq' (\x69\x72\x61\x71) doubled as the egg marker preceding shellcode in the [FILES] section.
  • Return address 0x7C82385D (JMP ESP in a Windows XP system DLL) appears repeatedly at the EIP overwrite offset (~272 bytes into the overflow buffer); flag .hhp files containing this byte sequence.
  • Return address 0x00401F93 (CALL EDI in hhw.exe v4.74.8702.0) is used by the Metasploit module at offset 242 bytes into the overflow; presence of bytes \x93\x1f\x40\x00 at that offset in a .hhp file is a strong indicator.
  • The Metasploit module sets BadChars to null bytes, newlines, carriage returns, SUB, forward-slash, and backslash, meaning shellcode containing these bytes will not work; payloads must be encoded to avoid them.
  • The Metasploit module uses a StackAdjustment of -4800 bytes to ensure the stack pointer does not corrupt the payload during execution.
  • The return address 0x7C82385D (JMP ESP) is specific to Windows XP SP2 system DLLs and will not be valid on other OS versions or patch levels.

CVSS provenance

nvd: v2.0, 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 6.8 MEDIUM
vendor_redhat: 6.8 MEDIUM