CVE-2006-0564

Microsoft HTML Help Workshop 4.74.8702.0 - Stack-based Buffer Overflow via Long Contents File Field


Exploitation Summary

EIP tracks 10 public exploits for CVE-2006-0564. PoCs published by Metasploit, darkeagle, bratax, jduck, including Metasploit module exploits/windows/fileformat/hhw_hhp_contentfile_bof.

AI-analyzed exploit summary: This Metasploit module exploits a stack buffer overflow in HTML Help Workshop 4.74 by crafting a malicious .hhp project file. It uses an egghunter technique to locate and execute the payload, achieving remote code execution.

Description

Stack-based buffer overflow in Microsoft HTML Help Workshop 4.74.8702.0, and possibly earlier versions, and as included in the Microsoft HTML Help 1.4 SDK, allows context-dependent attackers to execute arbitrary code via a .hhp file with a long Contents file field.

Exploits (10)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16648

This Metasploit module exploits a stack buffer overflow in HTML Help Workshop 4.74 by crafting a malicious .hhp project file. It uses an egghunter technique to locate and execute the payload, achieving remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: HTML Help Workshop 4.74
No auth needed
Prerequisites: Victim must open the malicious .hhp file
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · local · windows
https://www.exploit-db.com/exploits/16683

This is a functional exploit for CVE-2006-0564, targeting a stack buffer overflow in HTML Help Workshop 4.74 via a crafted .hhp project file. It uses an egghunter technique to achieve remote code execution on Windows XP SP3.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: HTML Help Workshop 4.74
No auth needed
Prerequisites: Victim must open the malicious .hhp file
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by darkeagle · c++ · local · windows
https://www.exploit-db.com/exploits/1495

This exploit leverages a stack overflow vulnerability in Windows HTML Help Workshop by crafting a malicious .hhp file with an oversized 'Index File' field. The payload includes shellcode and a hardcoded return address (0x77E859BA) to achieve arbitrary code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Windows HTML Help Workshop (version unspecified, tested on WinXP SP2 RUS)
No auth needed
Prerequisites: Victim must open the malicious .hhp file in HTML Help Workshop
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by darkeagle · text · dos · windows
https://www.exploit-db.com/exploits/1488

This exploit leverages a buffer overflow vulnerability in the handling of compiled help files (.chm) to achieve remote code execution. The long string of 'a' characters followed by a Unicode 'UUUUr0x' sequence suggests a crafted payload to trigger the overflow.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft HTML Help Workshop (compiled help files)
No auth needed
Prerequisites: Victim must open a malicious .chm file
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC
perl · local · windows
https://www.exploit-db.com/exploits/7727

This Perl script exploits a buffer overflow vulnerability in Microsoft HTML Workshop <= 4.74. It uses a custom shellhunter technique to locate and execute shellcode, demonstrating a reliable remote code execution (RCE) exploit.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: Microsoft HTML Workshop <= 4.74
No auth needed
Prerequisites: Victim must open a maliciously crafted .hhp file
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
python · local · windows
https://www.exploit-db.com/exploits/10321

This exploit targets a buffer overflow vulnerability in HTML Help Workshop 4.74 by crafting a malicious .hhp project file. It uses an egg-hunting technique to locate and execute shellcode, achieving remote code execution (RCE) by launching calc.exe.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: HTML Help Workshop 4.74
No auth needed
Prerequisites: Victim must open the malicious .hhp file
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c · local · windows
https://www.exploit-db.com/exploits/1490

This exploit demonstrates a buffer overflow in Microsoft HTML Help Workshop by crafting a malicious .hhp file with an oversized 'Compiled file' field. The payload includes NOP sleds, shellcode (spawning calc.exe), and a jump instruction to trigger arbitrary code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft HTML Help Workshop (version unspecified, tested on Win XP SP2)
No auth needed
Prerequisites: Victim must open the malicious .hhp file in Microsoft Help Workshop
devstral-2 · analyzed Feb 19, 2026

exploitdb WORKING POC
c · local · windows
https://www.exploit-db.com/exploits/1470

This exploit leverages a buffer overflow in Microsoft HTML Help Workshop by crafting a malicious .hhp file with an oversized 'Contents file' field, overwriting EIP with a 'jmp esp' address and executing a bind shell payload on port 13579.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft HTML Help Workshop
No auth needed
Prerequisites: Victim must open the malicious .hhp file in Microsoft HTML Help Workshop
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC GOOD
by bratax, jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/hhw_hhp_contentfile_bof.rb

This Metasploit module exploits a stack buffer overflow in HTML Help Workshop 4.74 via a crafted .hhp file, using an egghunter to locate and execute the payload. It targets Windows XP SP3 with a specific return address to achieve remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: HTML Help Workshop 4.74
No auth needed
Prerequisites: Victim must open the malicious .hhp file
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC GOOD
by bratax, jduck · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/hhw_hhp_compiledfile_bof.rb

This Metasploit module exploits a stack buffer overflow in HTML Help Workshop 4.74 via a crafted .hhp file, allowing arbitrary code execution. It uses an egghunter technique to locate and execute the payload in memory.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: HTML Help Workshop 4.74
No auth needed
Prerequisites: Victim must open the malicious .hhp file
devstral-2 · analyzed Feb 16, 2026

References (7)

Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/18740
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/22941
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015585
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/24481
Various Sources x_refsource_misc
http://users.pandora.be/bratax/advisories/b008.html
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/124460
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/0446

Scores

EPSS 0.8271
EPSS Percentile 99.3%

Details

Status published
Products (2)
microsoft/html_help 1.4
microsoft/html_help_workshop 4.74.8702.0
Published Feb 06, 2006
Tracked Since Feb 18, 2026