Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] AOL Nullsoft Winamp IT Module Heap Memory Corruption (IN_MOD.DLL)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] AOL Nullsoft Winamp IT Module Heap Memory Corruption (IN_MOD.DLL)
Date: 8 Apr 2007 13:14:19 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  AOL Nullsoft Winamp IT Module Heap Memory Corruption (IN_MOD.DLL)
------------------------------------------------------------------------


SUMMARY

 <http://www.winamp.com/> Winamp is "a proprietary media player written by 
Nullsoft, a subsidiary of Time Warner. It is skinnable, multi-format 
freeware / shareware". Successful exploitation may allow the attacker to 
run arbitrary code in context of user running AOL Nullsoft Winamp.

DETAILS

Vulnerable Systems:
 * AOL Nullsoft Winamp version 5.33 (x86) Feb 13 2007 (on Windows XP 
SP1/SP2).

The problem takes place when Winamp is trying to play specially crafted 
IT file.

IT is the proprietary module format used by Impulse Tracker, featuring 
support for more advanced features than MOD or S3M before it. These 
include a larger limit for lines in a pattern, higher quality samples, and 
other effects.

Take a look a this code snippet:
----// SNIP SNIP //-------------------------------------------------
text:00E97BCA write_looop:                            ; CODE XREF: 
sub_E97976+29D#j
text:00E97BCA                 mov     edx, [ebp+6Ch+arg_0]
text:00E97BCD                 mov     ecx, [ebx+18h]
text:00E97BD0                 mov     dx, [eax+edx*2]
text:00E97BD4                 mov     [eax+ecx*2], dx
text:00E97BD8                 mov     eax, [ebx+370h]
text:00E97BDE                 mov     ecx, [ebx+18h]
text:00E97BE1                 mov     cx, [eax+ecx*2]
text:00E97BE5                 cmp     cx, [esi+6Eh]
text:00E97BE9                 jnb     short loc_E97C09
text:00E97BEB                 mov     al, [ebx+18h]
text:00E97BEE                 mov     ecx, [ebp+6Ch+arg_0]
text:00E97BF1                 mov     [ecx+esi+148h], al     ; BANG
text:00E97BF8                 mov     eax, [ebx+370h]
text:00E97BFE                 cmp     word ptr [eax+ecx*2], 0FEh
text:00E97C04                 jnb     short loc_E97C09
text:00E97C06                 inc     dword ptr [ebx+18h]
text:00E97C09
text:00E97C09 loc_E97C09:                             ; CODE XREF: 
sub_E97976+273#j
text:00E97C09                                         ; sub_E97976+28E#j
text:00E97C09                 movzx   ecx, word ptr [esi+68h] ; 
ecx=controlled value (from offset 0x20)
text:00E97C0D                 inc     [ebp+6Ch+arg_0]
text:00E97C10                 cmp     [ebp+6Ch+arg_0], ecx
text:00E97C13                 jb      short write_looop
----// SNIP SNIP //-------------------------------------------------

The memory is overwritten at 0x00E97BF1. The description of this 
disassembly listing is pretty similar to the one written in s3m module 
files advisory.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:bania.piotr@gmail.com> Piotr 
Bania.
The original article can be found at:
 
<http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt> 
http://www.piotrbania.com/all/adv/nullsoft-winamp-it_module-in_mod-adv.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] AOL Nullsoft Winamp IT Module Heap Memory Corruption (IN_MOD.DLL), SecuriTeam <=
Previous by Date:  [NEWS] IBM Tivoli Provisioning Manager for OS Deployment Multiple Vulnerabilities, SecuriTeam
Next by Date:  [NEWS] Enterasys Networks Multiple NetSight Products Multiple Vulnerabilities, SecuriTeam
Previous by Thread:  [NEWS] IBM Tivoli Provisioning Manager for OS Deployment Multiple Vulnerabilities, SecuriTeam
Next by Thread:  [NEWS] Enterasys Networks Multiple NetSight Products Multiple Vulnerabilities, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]