SECURITYVULNS:DOC:11427
Feb 14, 2006 - 12:00 a.m.

Eagle Werros

vulners.com

\*
/ Unl0ck Research Team Security Advisory
\
/ product: HTML Help Workshop (1994-1999)
\ bug : stack overflow
/ vendor : Microsoft Corp. (http://microsoft.com)
\ date : 13.02.06
/ author : darkeagle
\

/ Info:
\ Stack-based buffer overflows were found in HTML HW.
/ HTML HW crashes when a user opens a specially crafted .hhp file.
\

/ Details:
\ Further buffer overflows were found in the parsing of tag arguments.

	Index File=aaaaaaaaaaaaaaaa..
	Sample list file=aaaaaaaa....

  Maybe there are others. I'm too lazy to continue my HTML Workshop research.

Look at the code below:

.text:0041C60F loc_41C60F: ; CODE XREF: sub_41C4FA+111j
.text:0041C60F test eax, eax
.text:0041C611 jz short loc_41C626
.text:0041C613 push dword ptr [ebx+68h]
.text:0041C616 push offset aIndexFile ; "Index file="
.text:0041C61B push dword ptr [ebx+0D4h]
.text:0041C621 call sub_41CC27

// sub_41CC27
.text:0041CC35 mov ebx, 400h // 1024 bytes

.text:0041CC54 sub edi, ecx
.text:0041CC56 push ebx ; size_t
.text:0041CC57 mov eax, ecx
.text:0041CC59 mov esi, edi
.text:0041CC5B mov edi, [ebp-10h]
.text:0041CC5E push dword ptr [ebp+10h] ; char *
.text:0041CC61 shr ecx, 2
.text:0041CC64 rep movsd
.text:0041CC66 mov ecx, eax
.text:0041CC68 and ecx, 3
.text:0041CC6B rep movsb
.text:0041CC6D push dword ptr [ebp-10h] ; char *
.text:0041CC70 call ds:strncat

  The vulnerable program uses strncat() to copy the tag value. It looks like:


strncat(aIndexFile, ebx+0D4, 1024);

  The size argument is the whole 1024-byte buffer (the 400h loaded into ebx) rather than the space left after the "Index file=" prefix has already been copied in, so a long tag value still runs past the end of the stack buffer.
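The strncat() misuse described above, as an added example in C (not code from the advisory or from HTML Help Workshop): the vulnerable pattern next to a correctly bounded version, both exercised against a heap arena laid out like the stack frame so the overrun is visible without undefined behaviour. The "Index file=" prefix and the 1024-byte size come from the disassembly above; the guard region and the repeated-'a' values are constructed for the demo.

```c
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE   1024   /* the 400h pushed as size_t in sub_41CC27 */
#define GUARD_SIZE 64     /* stands in for what sits after the buffer on the stack */
#define PREFIX     "Index file="

/* The pattern the advisory describes: the tag prefix is copied into a
 * 1024-byte buffer, then strncat() is bounded by the buffer's TOTAL size
 * instead of the space still free, so a long value runs past the end. */
void build_line_vulnerable(char *buf, const char *value)
{
    memcpy(buf, PREFIX, sizeof PREFIX);     /* the rep movsd / rep movsb copy */
    strncat(buf, value, BUF_SIZE);          /* bound == buffer size: misuse */
}

/* Hardened form: bound the append by the room actually left and refuse
 * (return -1) instead of overflowing or truncating silently. */
int build_line_safe(char *buf, size_t bufsize, const char *value)
{
    size_t used = sizeof PREFIX - 1;
    if (used >= bufsize) return -1;
    memcpy(buf, PREFIX, used + 1);
    size_t room = bufsize - used - 1;       /* bytes left before the NUL */
    if (strlen(value) > room) return -1;
    strncat(buf, value, room);
    return 0;
}

/* Lay out a heap arena like the stack frame (buffer, then a guard pattern),
 * run one builder with a constructed value of 'len' repeated 'a's, and report
 * whether the guard was overwritten (on the real stack: saved EBP / EIP). */
int guard_clobbered(int use_safe, size_t len)
{
    size_t arena = 2 * BUF_SIZE + GUARD_SIZE;   /* large enough for the worst case */
    char *buf = malloc(arena);
    char *value = malloc(len + 1);
    if (!buf || !value) { free(buf); free(value); return -1; }
    memset(buf, 0xAA, arena);               /* guard pattern, also fills the buffer */
    memset(value, 'a', len);
    value[len] = '\0';
    if (use_safe) build_line_safe(buf, BUF_SIZE, value);
    else          build_line_vulnerable(buf, value);
    int hit = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if ((unsigned char)buf[BUF_SIZE + i] != 0xAA) hit = 1;
    free(buf); free(value);
    return hit;
}
```

With a 1020-byte value the vulnerable builder writes 11 + 1020 + 1 bytes into a 1024-byte buffer and overwrites the guard; the bounded builder rejects the same value and leaves it intact.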

/
\ Microsoft coders write such secure code. Keep on coding like this.
/
\

/ PoC:
\ Proof of Concept code can be downloaded from http://eagle.blacksecurity.org

/ Greets:
\ rst/ghc { ed, uf0, fost },
uKt { choix, nekd0, payhash, antq },
blacksecurity { #black } ,
0x557 { kaka, swan, sam, nolife },
sowhat, tty64 { izik };
/
\
/ (c) 2004 [-] 2006
\
*/