CVE-2009-0133
published 2009-01-15


Priority: P259
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 67.05% (99.2th percentile)
Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allows context-dependent attackers to execute arbitrary code via a .hhp file with a long "Index file" field, possibly a related issue to CVE-2006-0564.

Affected (1 range)

Vendor: microsoft
Product: html_help_workshop
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Filenames:
  • poc.hhp
  • eagle.hhp
  • Devil.hhp
  • Devil_inside.htm
Byte patterns:
  • \x5d\x38\x82\x7c (JMP ESP in ntdll.dll, used as EIP overwrite)
  • \x5d\x38\x82\x7c (JMP ESP, repeated at offsets 272-296)
  • \x93\x1f\x40\x00 (Call EDI in hhw.exe)
  • 0x77E859BA (return address overwrite at overflow[280])
  • Egg hunter tag: \x69\x72\x61\x71\x69\x72\x61\x71 (iraqiraq)
  • Egg hunter stub: \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
Detection notes:
  • Malicious .hhp files exploit the 'Index file' or 'Compiled file' field in the [OPTIONS] section with an oversized value (hundreds of bytes) to trigger a stack buffer overflow in HTML Help Workshop 4.74.
  • Look for .hhp files where the 'Compiled file=' or 'Index file=' value in [OPTIONS] is abnormally long (>230 bytes), which is the overflow trigger pattern used across all known exploits.
  • Detect NOP sled patterns (0x90 repeated) followed by shellcode within .hhp file field values, a common payload delivery pattern in these exploits.
  • The Metasploit module targets this vulnerability by creating a specially crafted .hhp file; monitor for hhw.exe opening .hhp files from untrusted locations followed by unexpected child process spawning.
  • The exploit at offset 280 overwrites EIP; a return address of 0x77E859BA or 0x7c82385d appearing in crash dumps of hhw.exe is indicative of exploitation attempts.
  • Bind shell on port 13579 is spawned by one of the known shellcode payloads; detect unexpected listening on TCP/13579 after hhw.exe execution.
  • Egg hunter tag 'iraq' (bytes 0x69 0x72 0x61 0x71) repeated twice as a marker within the payload; scan .hhp file content for this byte sequence.
  • The JMP ESP gadget address 0x7c82385d is specific to Windows XP SP2 ntdll.dll and will not be valid on other OS versions or patch levels.
  • The 'Call EDI' gadget at 0x00401f93 in hhw.exe is described as 'universal' by the exploit author but is tied to a specific build of hhw.exe version 4.74.
  • The return address 0x77E859BA used in exploit 1495 is specific to Windows XP SP2 Russian edition.
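As an added example (not code from the CVE record or its sources), a small Python scanner that implements the file-based checks from the detection notes above: an oversized 'Index file' or 'Compiled file' value in the [OPTIONS] section, a NOP sled, and the listed byte signatures. The 16-byte sled threshold and both sample files are assumptions constructed for the example.

```python
import re

# Byte patterns named in the IOC list above: little-endian encodings of the
# listed gadget/return addresses plus the egg hunter tag.
BYTE_SIGNATURES = {
    "jmp_esp_ntdll_xpsp2": b"\x5d\x38\x82\x7c",  # 0x7c82385d
    "call_edi_hhw_4_74": b"\x93\x1f\x40\x00",    # 0x00401f93
    "ret_0x77E859BA": b"\xba\x59\xe8\x77",
    "egghunter_tag": b"iraqiraq",
}
LONG_FIELD_THRESHOLD = 230            # from the detection note above
NOP_SLED = re.compile(rb"\x90{16,}")  # sled length of 16 is an assumption
WATCHED_KEYS = ("index file", "compiled file")


def options_fields(data: bytes) -> dict:
    """Return key -> value for the [OPTIONS] section of an INI-style .hhp."""
    fields, in_options = {}, False
    for raw in data.splitlines():
        line = raw.strip()
        if line.startswith(b"[") and line.endswith(b"]"):
            in_options = line[1:-1].strip().lower() == b"options"
            continue
        if in_options and b"=" in line:
            key, _, value = line.partition(b"=")
            fields[key.strip().lower().decode("latin-1")] = value.strip()
    return fields


def scan_hhp(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing matched."""
    findings = []
    for key, value in options_fields(data).items():
        if key in WATCHED_KEYS and len(value) > LONG_FIELD_THRESHOLD:
            findings.append(f"long {key!r} value ({len(value)} bytes)")
    if NOP_SLED.search(data):
        findings.append("nop sled")
    findings += [f"signature {n}" for n, sig in BYTE_SIGNATURES.items() if sig in data]
    return findings


# Constructed samples (not files from the sources): a normal project file and
# one mimicking only the trigger pattern (NOP padding, egg hunter tag, no payload).
BENIGN_HHP = (b"[OPTIONS]\r\nCompiled file=help.chm\r\nIndex file=help.hhk\r\n"
              b"Title=Example Help\r\n\r\n[FILES]\r\nindex.htm\r\n")
SUSPICIOUS_HHP = (b"[OPTIONS]\r\nCompiled file=help.chm\r\nIndex file="
                  + b"A" * 280 + b"\x90" * 32 + b"iraqiraq" + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HHP), ("suspicious", SUSPICIOUS_HHP)):
        print(name, scan_hhp(sample) or "clean")
```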